Google: Efforts Against Bad Android Apps on Play Store Are Working

The tech giant acknowledged some achievements in efforts to bolster mobile app security but recognized more needs to be done.

Some of the efforts Google has made over the past few years to bolster the security of Android app users as well as the mobile apps available on its Google Play store are starting to work, according to the tech giant.

The company, which historically has struggled mightily to keep bad apps and malware off its online store for Android apps, outlined some achievements regarding initiatives it’s taken over the previous several years to protect users.

“Over the last few years we’ve made the trust and safety of Google Play a top priority, and have continued our investments and improvements in our abuse detection systems, policies, and teams to fight against bad apps and malicious actors,” Andrew Ahn, Product Manager, Google Play and Android App Safety, wrote in a blog post this week.

In what’s possibly the most important achievement, improved vetting mechanisms to keep bad apps off the store appear to be having some effect, he said. More than 790,000 apps that violate Google’s policies for app submission were stopped last year before they were ever published, Ahn wrote in the post.

This effort is probably the most important for Google, as bad apps and malware have persisted on the Android app store since its inception.

As recently as last month, Google said it had removed 17,000 Android apps to date from the Play store that had been conduits for the Joker malware (a.k.a. Bread), noting that its operators have used “just about every cloaking and obfuscation technique under the sun in an attempt to go undetected.”

And last November, researchers at security vendor Check Point still found that hundreds of marquee Android mobile apps contain vulnerabilities that allow remote code execution, even if users update their apps and think they’re protected.

As another weapon in its fight against bad Android apps, Google that same month unveiled an alliance with outside firms to help stop malicious apps before they get to Google Play. However, Ahn did not report progress on that front in his post.

He did outline some other achievements in Google Play security. A 2018 policy to stop apps from unnecessarily accessing privacy-sensitive SMS and Call Log data has led to a 98 percent decrease in apps accessing this data, he said. The decline is a result of developers partnering with Google to update their apps and protect users, Ahn wrote, noting also that the remaining 2 percent of apps require this data to perform their core function.

A similar policy, launched last May, to give parents the option to control what kids can access on the store has also seen some traction, the company said. After the service went live, Google worked with developers to remove thousands of apps from the store to improve its safety.

Despite these milestones, Google is aware that security on Google Play remains an uphill battle. Ahn acknowledged in his post that there still is much work to do to improve the security of mobile apps on Google Play, something the company will continue to work on.

“Adversarial bad actors will continue to devise new ways to evade our detection systems and put users in harm’s way for their own gains,” he wrote. “Our commitment in building the world’s safest and most helpful app platform will continue in 2020.”

Looking ahead, key areas of Google Play security that Google plans to continue to focus on include strengthening app safety policies to protect user privacy; faster detection of bad actors and blocking repeat offenders; and detecting and removing apps with harmful content and behaviors, Ahn said.
