Google Play faces cat and mouse game with sneaky Android malware
Hackers constantly try to slip malware into the Google Play store, and they succeed.
By Michael Kan
What’s the best way to avoid Android malware? Downloading all your apps from the Google Play store, where software is vetted, is perhaps the best advice.
But that doesn’t mean Google Play is perfect.
Security researchers do find new Android malware lurking on Google’s official app store. That’s because hackers are coming up with sneaky ways to infiltrate the platform, despite the vetting processes that protect it.
“Eventually, every wall can be breached,” said Daniel Padon, a researcher at mobile security provider Check Point.
To be sure, most Android users will probably never encounter malware on the Google Play store. Last year, the amount of malicious software that reached the platform amounted to only 0.16 percent of all apps, according to a new report from Google.
That’s contributed to relatively tiny malware infection rates across the 1.4 billion Android devices in use today.
But when a bad app does slip into the Play store, it can spread. Check Point has been among the security firms on the watch for new Android malware.
Earlier this year, it uncovered over 20 apps on the Google Play store that contained malicious code designed to generate fraudulent ad revenue for its creators. The infected software was downloaded several million times.
Months before, Check Point found another malware strain that was embedded in dozens of different apps on the store. The malware was designed to enslave devices in a botnet and appeared to infect between 500,000 and 2 million devices.
So how does the malware get in? Every app that goes through Google Play is first scanned for any harmful behavior, which includes checking the code and running it in a virtual environment.
But even so, malicious processes can be tricky to detect, Padon said. For instance, hackers will incorporate a “dropper” into a seemingly benign app. The dropper will act as a time-bomb, staying silent but downloading additional malware at a later time.
In other cases, hackers have been found hiding malicious code by using encryption, surrounding it with meaningless commands, or designing the harmful processes to remain inactive when run on a virtual machine.
Padon said the internet giant could be doing more to vet apps. The problem, he claims, is that Google relies too much on automated testing to root out the problem.
“It might be the strongest behavioral analysis engine on the planet,” Padon said. But testing each app on a real, human-operated device is still the best way to detect malware, he said.
Google didn’t comment on this story. However, its latest Android security report, published this week, does say: “no review process is perfect.”
Each month, the Play store will add 40,000 or more apps, according to AppBrain. Managing that business while keeping the software malware-free is no easy task. Automated testing is the best bet to scan all those apps in a time-efficient way.
Nevertheless, the security of Android has often been compared to Apple’s iOS, and the result hasn’t always been favorable. Unlike iOS, which is under the control of Apple, the Android operating system is fragmented across numerous handset vendors, some of which struggle to keep the software securely patched.
That’s made Android, and the Google Play store, worthwhile targets for hackers.
“Since most users expect the apps in Google Play to be clean, they’re left vulnerable, making it easy for the malware to infect a massive number of users at once,” said Rowland Yu, a researcher with security firm Sophos.
In the past two years, there have been more than two dozen malware strains found slipping into the Google Play store, according to his research. To popularize the malware, hackers will make it look like games or utility apps such as energy savers, or drum up fake reviews for it.
Fortunately, when Google detects any malware, it will quickly pull the apps from the store, and sometimes ban the developers involved, Yu said. But he doesn’t see an end to this cat and mouse game. Like Padon, Yu points to machine testing.
“Google heavily relies on machines to test and review the safety and security of apps,” he said. “Only a small number of suspicious apps are actually handed over for human review.”
However, even as malware occasionally slips by, Google is making progress at detecting it faster once it’s downloaded, in part with a feature in Android devices called “Verify Apps.” It scans the software on a phone to make sure the apps are behaving safely. If they aren’t, the security feature can have the offending apps removed.
“Verify Apps conducted 750 million daily checks in 2016,” Google’s security researchers said in a blog post. This helped the company reduce malicious app installation last year.
Andrew Blaich, a security researcher at mobile security firm Lookout, said the malware situation on Google Play isn’t the pandemic that can be found on some third-party Android app stores, which often do less vetting.
“The safest assurance you have to minimize your chance of malware on your Android device is to use the official Google Play store,” he said.
Security researchers also advise users to always look at the user reviews for an app. Bad reviews can be a sign that the app is malicious in some way.