September 1, 2016

Don’t trust the reviews and ratings on Google Play


Sometimes Android users have to download murky apps from Google Play. By “murky” we mean unfamiliar apps, apps from small publishers, and so forth — not the likes of Evernote, Dropbox, banking apps, or other popular programs. It might be a specialized engineering calculator, for example, or an alternative music player.


Many such apps exist in the Google Play store — thousands of them, in fact. And choosing isn’t easy. Seasoned Android users recommend going with the apps that have been downloaded the most times, the highest-rated apps, or the apps reviewed by the most people.

It seems to make perfect sense: The odds are good that an app downloaded by a lot of people is convenient and useful. And a higher rating means that users liked the app. Lots of reviews should also mean the program is popular. Together, these three criteria represent something like karma for the app.

That doesn’t mean an app with few downloads and ratings is necessarily bad; it could be that the app is new and the community hasn’t had a chance to weigh in yet. But the number of downloads and reviews, together with the rating, is generally considered a viable formula for prejudging an app. After all, reviews and ratings were designed to make the system work.

However, the matter is not that simple: Android Trojans can silently download apps to users’ smartphones, write fake reviews, and artificially boost ratings.

The key tools for all of that are rootkit Trojans, one of the most prolific types of mobile malware. These Trojans usually come bundled with popular apps from third-party app stores. They can also infiltrate a smartphone by means of SMS spam or malicious ads on websites.

Rootkits get their name from their ability to “root” a system (i.e., to get system-level access privileges) and thus gain total control over the targeted device. They can send SMS, download other apps, and do a number of other things without the user’s consent or knowledge. In some cases, rootkits use Google Play to do their bidding.

For example, Guerilla, a Trojan distributed by the Leech rootkit, attempts to steal user credentials from Google Play. Then it uses the store’s API, masquerading as a client, and downloads, rates, and reviews apps on behalf of the user.

This presents an opportunity for cybercriminals, who can make infected smartphones buy useless apps. They may also pursue another business model, selling “boost-your-rating” services to developers — or the flip side, downgrading an app to benefit its competitors.

Reviews are a bit more complicated: Identical reviews would look fishy, and the language needs to seem natural. But fake yet plausible reviews are not at all unusual: “Great app, works for me!” or “Everything is alright, just add language support,” and so forth.

The perpetrators can generate a database of typical reviews and use Trojans to pick and post reviews randomly, eventually making them look quite natural.
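A defender-side heuristic for the two signals described above (many near-identical one-liners drawn from a small template pool, versus a few detailed reviews), written as an added Python example that is not part of the original article. The sample reviews, the word-shingle size and the thresholds are constructed assumptions for illustration, not anything Google Play is known to use:

```python
import re
from itertools import combinations

# Constructed sample: six short reviews that are light rewordings of three
# templates, plus two detailed reviews of the kind a real user writes.
SAMPLE_REVIEWS = [
    "Great app, works for me!",
    "Great app works for me",
    "Everything is alright, just add language support",
    "Everything is alright just add language support!",
    "All is working, good job.",
    "all is working good job",
    "Crashes on startup after the 2.3 update on my Nexus 5; reinstalling did not "
    "help, and exporting the calculation history still loses the unit labels.",
    "Does what I need: the matrix inverse and unit conversion tabs are accurate, "
    "but the dark theme makes the exponent keys hard to read.",
]

def normalize(text):
    """Lowercase and drop punctuation so trivial variants of one template collapse."""
    return " ".join(re.findall(r"[a-z0-9]+", text.lower()))

def shingles(text, k=3):
    """Word k-grams for near-duplicate comparison; very short texts fall back to words."""
    words = normalize(text).split()
    if len(words) < k:
        return set(words)
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}

def jaccard(a, b):
    """Set overlap in [0, 1]; two empty reviews count as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)

def templated_share(reviews, threshold=0.6):
    """Fraction of reviews that are near-duplicates of at least one other review."""
    sets = [shingles(r) for r in reviews]
    flagged = set()
    for i, j in combinations(range(len(sets)), 2):
        if jaccard(sets[i], sets[j]) >= threshold:
            flagged.update((i, j))
    return len(flagged) / len(reviews) if reviews else 0.0

def one_liner_share(reviews, min_words=8):
    """Fraction of reviews shorter than min_words; detailed reviews carry the real signal."""
    if not reviews:
        return 0.0
    return sum(1 for r in reviews if len(normalize(r).split()) < min_words) / len(reviews)

def review_karma(reviews):
    """Both heuristics plus a verdict; the cut-offs are assumed, tune them on real data."""
    templated, short = templated_share(reviews), one_liner_share(reviews)
    return {"templated_share": round(templated, 2), "one_liner_share": round(short, 2),
            "suspicious": templated > 0.3 and short > 0.5}
```

On the constructed sample, three quarters of the reviews are both templated and one-liners, so the set is flagged; the two detailed reviews on their own are not.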

It boils down to this: You should not blindly trust Google Play reviews and ratings. But what, then? How should you choose an app?

Here are some tips:

1. Try to stick to apps made by known and trusted developers. Look for a blue diamond sign, which indicates a “top developer” as determined by the Google Play team. Of course, not all good developers have this diamond, but nonetheless, a good developer’s name should be reasonably well known: Look it up on the Internet.

2. Read the reviews. Yes, despite opportunities for mischief, if an app is worthy, it will have some detailed reviews, not just one-liners like “All is working, good job.” Such longish reviews are indispensable when you need to get an initial impression.

3. Install a security solution on your Android device. The probability of downloading a malicious app from Google Play is quite low, but such apps are actively distributed using SMS and malicious ads. A security solution will spare you from becoming a puppet of cybercriminals and posting fake reviews without even knowing it.