Google Play is ramping up its offensive against malicious apps, which have continued to plague the official app store for Android devices over the years.
In a Wednesday post, Andrew Ahn, product manager at Google Play, said that the number of app submissions rejected from the marketplace rose by more than 55 percent in 2018. The number of app suspensions on Google Play also rose by 66 percent in 2018, he said.
“These increases can be attributed to our continued efforts to tighten policies to reduce the number of harmful apps on the Play Store, as well as our investments in automated protections and human review processes that play critical roles in identifying and enforcing on bad apps,” said Ahn.
Part of these security measures was the introduction in 2018 of a series of new policies to protect users from new abuse trends. One of those policies restricted the use of SMS and Call Log permissions to a limited number of situations (such as if an app was selected as the default app for making calls or sending texts).
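As an added illustration (not code from the article or from Google), the kind of check an app would make before requesting the SMS or Call Log permission groups under that policy: whether the user has actually selected it as the default SMS handler or default dialer. The class and method names here are this example's own; the platform calls (Telephony.Sms.getDefaultSmsPackage, TelecomManager.getDefaultDialerPackage, RoleManager) are real Android APIs. Play enforces the policy at review time; this check only keeps an app from asking for permissions it is not eligible to hold.

```java
// Added example (not from the Threatpost article or from Google): helper an
// Android app can call to decide whether it is eligible, under the 2018 Play
// policy, to request the SMS or Call Log permission groups, i.e. whether it
// currently holds the default SMS or default phone (dialer) role.
// The class and method names are hypothetical; the platform APIs are real.
import android.app.role.RoleManager;
import android.content.Context;
import android.os.Build;
import android.provider.Telephony;
import android.telecom.TelecomManager;

public final class DefaultHandlerCheck {

    private DefaultHandlerCheck() {}

    /** True if the user has made this app the default SMS handler. */
    public static boolean isDefaultSmsApp(Context ctx) {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
            // Android 10+: roles are the authoritative source.
            RoleManager rm = ctx.getSystemService(RoleManager.class);
            return rm != null && rm.isRoleHeld(RoleManager.ROLE_SMS);
        }
        // Android 4.4 to 9: compare against the package the system reports.
        String defaultPkg = Telephony.Sms.getDefaultSmsPackage(ctx);
        return defaultPkg != null && defaultPkg.equals(ctx.getPackageName());
    }

    /** True if the user has made this app the default phone (dialer) app. */
    public static boolean isDefaultDialer(Context ctx) {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
            RoleManager rm = ctx.getSystemService(RoleManager.class);
            return rm != null && rm.isRoleHeld(RoleManager.ROLE_DIALER);
        }
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.M) {
            // getDefaultDialerPackage() does not exist before Android 6.0.
            return false;
        }
        TelecomManager tm = ctx.getSystemService(TelecomManager.class);
        return tm != null
                && ctx.getPackageName().equals(tm.getDefaultDialerPackage());
    }

    /**
     * Gate for the permission request itself: only the default SMS app should
     * ask for READ_SMS/SEND_SMS, and only the default dialer for READ_CALL_LOG.
     */
    public static boolean mayRequestSmsPermissions(Context ctx) {
        return isDefaultSmsApp(ctx);
    }

    public static boolean mayRequestCallLogPermissions(Context ctx) {
        return isDefaultDialer(ctx);
    }
}
```

An app that is not the default handler should not call requestPermissions() for these groups at all; it should instead prompt the user to make it the default (for example with Telephony.Sms.Intents.ACTION_CHANGE_DEFAULT on older releases) and re-run the check afterward.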
Also in 2018, Google expanded the number of bug bounties available in its Google Play Security Reward Program, in an attempt to mitigate malicious apps.
According to Google Play’s developer policy center, the marketplace maintains several policies and restrictions around user data, permissions, device and network abuse, malicious behavior and misrepresentation.
Yet, despite these policies, a steady stream of malicious apps has kept cropping up on Google Play over the past year.
Still Work to Do
Just this past January, Google Play removed two malicious apps that were infecting devices with a notorious banking malware bent on scooping up victims’ credentials. Also last month, an Android spyware dubbed MobSTSPY emerged, riding trojanized apps onto victims’ phones, mainly via Google Play.
Also, early last year, Google removed 22 malicious adware apps ranging from flashlights and call recorders to WiFi signal boosters, which together were downloaded at least 7.5 million times from the Google Play marketplace.
Meanwhile, Android developers still play fast and loose with personal data. A report in April found that millions of apps leak personally identifiable information (PII) such as name, age, income and possibly even phone numbers and email addresses. At fault are app developers who do not protect ad-targeting data transmitted to third-party advertisers.
“App stores have been found to feature malicious apps, as well as legitimate apps that collect user information without user consent,” Usman Rahim, digital threat analyst with The Media Trust, told Threatpost. “Like IoT devices, apps are too often developed without security and privacy in mind. Free apps that feature ads are particularly vulnerable to attacks.”
Ahn noted that 80 percent of severe policy violations are conducted by repeat offenders and abusive developer networks. That means that once malicious developers are banned, they often create new accounts or buy developer accounts on the black market in order to come back to Google Play.
“We’ve further enhanced our clustering and account matching technologies, and by combining these technologies with the expertise of our human reviewers, we’ve made it more difficult for spammy developer networks to gain installs by blocking their apps from being published in the first place,” he said.