All apps on Google Play are safe: Fact or fiction?

There’s no malware in the official Android store, right? We get to the bottom of this claim.

We always recommend downloading Android apps from official stores and nowhere else. But that doesn’t mean there are no viruses in the Google Play. It is true, however, that you’ll find fewer of them in the official store than on third-party sites, and they get removed on a regular basis.

How Google monitors the security of Android apps

It is no mean feat for malware to get into Google Play. Before they publish an app, moderators check it for compliance with an extensive list of requirements. If they find a violation, they ban the program from the store.

However, Google Play receives such a vast number of new apps and updates of existing ones that it is simply not possible for the moderators to keep track of everything. So from time to time, malicious apps do slip in. Here are some of the most striking incidents.

Ad you don’t want to see

Recently, our researchers detected malicious code in the CamScanner app for digitizing documents. Not only was the app available on Google Play, but according to the store it was installed by more than 100 million users.

What went wrong? Well, up until a certain point, CamScanner was a normal app that simply carried out its stated functions. Its developers derived income from advertising and paid features — nothing unusual so far. But that changed when a malicious advertising module was added to the app.

Malware in the shape of the Necro.n Trojan dropper snuck into one of the advertising modules and installed another Trojan tasked with downloading other muck onto the device — for example, advertising apps and programs taking out paid subscriptions to third-party services behind the user’s back.

Our experts reported the find to Google, whose administrators removed the app from the store. CamScanner’s developers also promptly removed the malicious modules from the app to get it back into the store. However, the infected version had been available for download for quite some time.

Thieving player

CamScanner is by no means the only example of an app that saw malicious features appearing after it was already available in the Google Play store. The creators of a Trojan disguised as a player for listening to music in VKontakte (VK) managed to bypass the store’s moderators in the same manner for several years.

A clean version was initially uploaded to Google Play, followed by a couple of harmless updates. But a few updates in, the app began stealing logins and passwords from VK accounts. Moreover, the victims most likely knew nothing about it, and their accounts were surreptitiously used to promote VK groups.

When the updated version of the player was unmasked and deleted from the store, its creators immediately uploaded a new one (actually, several). In 2015, no fewer than seven different builds of the malicious program were removed from Google Play. And a few more in 2016. Over a two-month period in 2017, our analysts counted 85 such apps on Google Play, one of which had been downloaded more than a million times. In addition, fake versions of Telegram by the same authors appeared in the store — these apps did not steal passwords, but they added the victim to groups and chats of interest to the cybercriminals.

Malicious army on Google Play

Alas, 85 copies of one malicious app is not where the story ends. In 2016, experts found no less than 400 games and other programs on Google Play furnished with the DressCode Trojan.

Once on a victim’s device, the malware establishes a connection with the command-and-control server and then “falls asleep.” Later, cybercriminals can use such infected sleeper gadgets for DDoS attacks, to inflate ad-banner clicks, or to infiltrate the local networks to which the gadgets are connected, such as a home network or a company’s infrastructure.

In fairness, Google Play moderators cannot really be blamed for the oversight; DressCode is quite difficult to spot — its code is so small that it gets lost in that of the media app. Besides, significantly more infected programs were detected on third-party sites than on Google Play — in total, the researchers found approximately 3,000 games, skins, and smartphone cleaning apps containing the DressCode Trojan. Yet 400 is still an awful lot.

How not to pick up malware on Google Play

As you can see, the mere fact that an app made it into the official Android store does not mean that it is safe — sometimes malware does get in. To avoid an infection, be wary of all programs, including those on Google Play, and observe several rules of digital hygiene.

  • Do not download apps to your smartphone straight away. Read user reviews of the app — they can contain valuable information about its behavior. Look for information about the developer; perhaps its past creations were removed from the store, or it is linked to some dubious stories.
  • Read user reviews with caution. Keep in mind that some shady developers may flood their pages with positive reviews, so look for reviews of a decent length (not simply “Great app!” after “Great app!”) that use natural-seeming language and have a legitimate feel.
  • Make it a rule to rid your Android smartphone or tablet of unnecessary programs once every few months. The fewer apps on the device, the easier it is to monitor and control them.
  • Use a reliable security solution — this will protect you from threats the Google Play moderators miss.

So, is it fact or fiction that there are no malicious apps on Google Play?

Fiction. Malware does occasionally infiltrate Google Play. The risk of picking up an infection in the official Android store is much lower than on third-party sites, but it still exists.