Buyer Beware: Android Malware Still Lurks in Google Play Store

Google Play

You shell out hundreds of dollars for the latest Android smartphone and immediately start downloading new apps from the Google Play Store. Are you considering security?

You should be. While some people have dismissed the notion of security solutions for mobile devices as simply a means for software developers to earn more money, the threat of malware on mobile devices — especially those operating on the Android platform — is real.

Need proof? A recent survey of apps sold in the Google Play Store, the largest provider of Android applications, showed more than 70,000 contained malware capable of stealing information or installing adware. Another 150,000 apps were questionable, meaning they potentially contained adware, spyware or malware.

These were not random apps that you can download from any website or that come through a text message or email. These are apps offered in a legitimate store and downloaded by customers who trust that the apps have been vetted and approved.
So how does this happen, and how can you avoid becoming a victim?

Open Market, Open Danger

The Android app market is an open one, meaning almost anyone can develop an application and offer it for download in the Google Play Store. As a result, malware developers can create malicious apps, often disguised as versions of popular or desirable apps. They then add them to the store without anyone being wiser.

Google is taking steps to curb the problem by implementing tools such as Bouncer, which scans apps and removes those containing malware, but the program does have limitations. For that reason, it’s your responsibility to protect your devices against malware.

Avoiding Application Malware

While the Google Play Store is working to ensure available apps do not contain malware by removing suspicious apps and developing approval protocols, it’s up to you as the consumer to protect your device.

First, install a mobile security solution that relies on Threat Intelligence to track and identify potential problems, and block them from your phone. Even if you do inadvertently download a problematic application, mobile security software will block and remove the offending malware, thus protecting your device and information.

When you’re choosing applications to add to your device, look for a few clues as to the app’slegitimacy. Most malware-carrying applications share certain characteristics. Knowing how to identify problems can prevent problems before they start.
Look for developer contact information: Legitimate developers don’t hide from customers. When you look at the app’s description in the Play Store, confirm there is a website and email listed. A lack of contact information is a red flag.
Read reviews: When an app does not work the way it should or causes problems, users are fairly vocal about it. You can often find out more information from the reviews than from the product description — especially when the app causes unwanted notifications and pop-ups or other problems. Because apps containing malware generally overload your device with unrelated notifications or don’t work properly, seeing a number of complaints on those topics should give you second thoughts about the app.
Check the app’s permissions: When you download an app, before it installs you are given the chance to review the permissions requested by the app. Look at them carefully. Legitimate apps only request permissions that it needs, while malware asks for permissions that are unnecessary — or requests access to the whole device.
Check updates and downloads: When did the app first appear in the store — and when was it last updated? Not all new apps are malware. A lack of updates doesn’t necessarily mean the app is harmful, but in general, apps with multiple or recent updates with many downloads are more stable and legitimate than new apps with only a few downloads or apps that have languished for months or years without any updates.

If you’re still concerned about a particular application, do an online search before downloading to find out more information. If the news is not good — or you still have doubts — find another app that’s more secure instead. With millions of applications in the store, there’s a good chance you’ll find another app that does exactly what you want it to do — without wreaking havoc and stealing your information.

About the Author: Rik Ferguson, Global VP Security Research at Trend Micro, writes the Countermeasures blog, regular columns for CIO, ZDNet, T3 and several other European publications. Rik also researches the wider implications of new developments in the Information Technology arena and their impact on security both for consumers and in the enterprise.