Google Play Malicious Apps Racked Up 335M+ Installs in September


A total of 172 malicious apps were detected on Google Play in September, with more than 330 million installations.

Despite Google’s stepped-up efforts to ban malicious apps hosted on Google Play, 172 harmful apps – installed 335 million times by users – were discovered on the platform in September alone.

ESET researcher Lukas Stefanko said on Tuesday that the majority of those 172 malicious apps were harboring adware. He said 48 adware-laced apps represent up to 300 million installs on Google Play.

“Unwanted ads or adware is a popular category because after install it doesn’t request any further inputs, like banking trojans, and can simply generate revenue for developers right from the beginning,” Stefanko told Threatpost. “Also, it isn’t as difficult to create adware as it is to create Android ransomware or banking Trojans.”

The malicious adware component of the apps was hidden inside functional apps. Once downloaded, the rogue apps installed malware that begins displaying advertisements, which are shown even when the app is closed, according to researchers.

In a separate incident, earlier in September, Google removed 46 apps from the marketplace belonging to Chinese mobile developer iHandy, according to reports. Google told Buzzfeed News that the apps were removed due to “deceptive or disruptive ads.”


Also earlier in September, researchers discovered apps, masquerading as a photo utility app and a fashion app, that had been installed 2.1 million times and harbored adware.

Another type of top-installed malicious app on Google Play includes ones hitting victims with “subscription scams.” In fact, last week Sophos researchers discovered 15 subscription scam apps with more than 20 million downloads. Subscription scams are when a user downloads and uses an app for no charge during a short trial period – but once that trial expires the app developer charges the user fees without their explicit permission.

“Subscription scams rely on the [fact] that users might forget to unsubscribe after the 3-day free trial period and then get an automatic payment for the service,” Stefanko explained to Threatpost. “Google also refunds users only within a 3-day period from the start of subscription or payment,” according to researchers.

Recent Examples of Malicious Apps on Google Play

In separate studies conducted in September, researchers found further malicious or unwanted apps on Google’s Play Store. A study by Quick Heal Security Labs, for example, reported last week that it found a cache of hidden ad apps lurking on Google Play. Hidden ad apps, according to Quick Heal, are those that show full-screen ads on the device screen. These were found in 57 apps, representing more than 14 million downloads. Another type of malicious app is the SMS premium subscription app. These were found in 24 apps representing 472,000 installs. With these apps, victims unknowingly sign up for expensive premium services. Quick Heal also found apps bundling banking trojans and stalkerware.

Earlier in September, a new spyware called “the Joker” stole headlines for making the rounds in Android apps on Google Play, infecting victims post-download to steal their SMS messages, contact lists and device information.

The hundreds of malicious apps on the Android app marketplace come despite efforts by Google to bolster app security and privacy for Google Play.

In February, Andrew Ahn, product manager at Google Play, said that the number of app submissions rejected on the app marketplace increased by more than 55 percent in 2018. The number of app suspensions on Google Play also jumped by 66 percent in 2018, he said. Google has also sought to further sniff out malicious apps on Google Play with the launch of new bug bounty incentives. Past initiatives include Google Play Protect, which among other things includes the ability to manually scan previously downloaded apps in order to check whether they are still safe.

Google has also pointed out in the past that, given the enormity of the Android device footprint and app ecosystem, its policing efforts are good. Last year Google said there were more than two billion active Android devices in use and that Play Protect scanned and verified up to 50 billion apps per day. In a report published last year, Google said it removed 700,000 rogue apps in 2017 and that 99 percent of apps with abusive content are identified and rejected before anyone can install them.

But despite these efforts, malicious apps continue to pop up on Google Play – in fact, the number of harmful apps detected in September is actually lower than those detected in August (204 malicious apps) and July (205 malicious apps), Stefanko told Threatpost.

To avoid malicious apps on Google Play, users can double check the app reviews on Google Play for any negative feedback, he said.

“Before installing an app, take 30 seconds to read comments – focus on negative ones,” Stefanko told Threatpost. “Subscription scams request a 3-day free trial before demonstrating their functionality, which should be a red flag – many times there are alternative free apps with the same functionality.”

Google did not respond to a request for comment from Threatpost regarding any future initiatives around banning malicious apps on Google Play.
