Note: This is a follow-up to our earlier story about the Google Play Store. The Data61 team from the University of Sydney and Commonwealth Scientific and Industrial Research Organization (CSIRO) has revealed that Google Play is riddled with malicious clones of the top 10,000 apps. According to the Data61 team, they detected 2040 trojanized apps among the 49,608 “clone” apps they analyzed. Clone apps are applications that provide similar functionality and practical usage to the top 10,000 apps in the store.
The team also detected 1,565 fake apps that ask the user for unnecessary permissions once installed. A separate 1,407 genuine-looking apps were also discovered, but they carry excessive advertising, to the detriment of the performance and responsiveness of the Android device. The most common clones are similar in mechanics to Hill Climb Racing, Temple Run and Free Flow. On initial launch these apps do not exhibit abnormal behavior, and the user can use the app as if nothing is wrong.
The researchers also highlighted that the Google Play Store is still highly dependent on reports from individual users to detect malicious apps. This is a huge contrast to what Google has been hyping about Google Play Protect, a hidden service within the Google Play Store that is supposed to auto-scan and auto-delete detected malicious apps. Data61 reported that 35% of the apps they detected as malicious had already been removed from the Play Store, but that was through the extensive participation of Android users in reporting the apps.
For more than a decade now, Google has tried its best to secure Android. The search giant started with the “Verify Apps” campaign, in which apps uploaded to the store were scanned by Google bots for malicious behavior, but that proved ineffective. The Verify Apps feature was canceled to give way to Google Play Protect, which the company claims utilizes advanced artificial intelligence. It is designed to determine whether an app exhibits malicious actions and reactions by having the AI apply simulated stimuli (testing the app in the store as if it were installed on an actual Android device).
However, Google itself has admitted that it is tricky to fully secure the mobile platform given the extensive openness of Android, with hundreds of different vendors and tens of thousands of possible configurations and hardware combinations. Google strongly recommends checking the publisher of an app before installing it. All apps available in the Google Play Store are sorted and attributed to a particular developer, and that developer’s name is shown on the app’s download page itself.
The search giant also strongly recommends that users with Android Marshmallow 6.0 and newer review the permissions they grant to the apps they install. Android 6.0 and up provides extensive permission settings accessible to users, with which they can grant or deny permissions, and app developers are expected to respect that choice. The app should continue to work as normal unless a permission that is critical to its functionality is denied (like a camera app with the camera permission expressly denied by the user).