Can Google win its battle with Android malware?

Cybercriminals are sneaking malicious apps into Google's official app store. Can they be stopped?
Written by Danny Palmer, Senior Writer


While most people are aware of the malicious threats targeting their computers, many still don't realise that their mobile devices are an increasingly lucrative target for cybercriminals.

The main way smartphones are attacked is through apps, often ones which pose as innocent and useful but actually aim to steal data or, in the case of ransomware, force users to pay up.

Both iOS and Android devices are targeted by hackers, but data suggests there is more Android malware in circulation than for iOS; a recent report by F-Secure goes so far as to say 99 percent of all malware that targets mobile devices is designed for Android.

Android is attractive because it holds a larger share of the mobile market than iOS does, while the walled garden of iOS is more difficult to compromise than the famously open source Android platform.

iOS users are strongly discouraged from downloading apps from anywhere other than Apple's own app store, which Apple has managed to keep nearly malware-free. In contrast, Android users are able to download from a range of app stores, and even Google's own Play store is not immune to hackers posting rogue apps.

The first few months of this year have seen multiple instances of malware being available to download from Google Play.

The likes of the data-stealing Charger ransomware and Skinner adware have been found lurking in the Google store, in some cases for months, often posing as fraudulent versions of popular apps. In one recent case, cybercriminals managed to trick 1.5 million people into installing apps designed to steal Instagram credentials.

Another example, an advert-displaying Trojan, managed to find its way into the Google Play store and trick users into giving it five-star reviews to stop pop-ups. It remained available to download until cybersecurity researchers alerted Google.

Apps that promise users anything in exchange for high ratings are against the Google Play Developer Policy, yet they still made it into the store.

So why is malware still creeping into Google Play?

Google's app submission process is less restrictive than Apple's, enabling almost anyone to develop and upload an app to the open source store -- so long as they've paid a $25 fee to register as a Google Play Developer. Meanwhile, Apple developers need to go through a rigorous enrolment process and adhere to a stringent review process in order to even have a chance of getting an app into the App Store.

Google's open source philosophy may seem good in principle -- anyone can share their app via the open market -- but it's also a model which is exploited by cybercriminals, as it's easier for them to launch apps on Google Play than on Apple's app store.

That also means hackers are able to infect Android phones more easily than iPhones.

"It's not easy to gain permission for your app to send SMS on iOS, but on Android it's much easier to access these permissions. That's why you have a lot of these SMS grabbers, which cause problems for Android," explains Dionisio Zumerle, research director on mobile security at Gartner, referring to Trojan malware which steals user data.

"The openness of Android, which provides a lot of benefits for users, also provides some issues for security," says Zumerle.

Google does impose some security checks on new apps. A Google spokesperson told ZDNet that apps submitted to Google Play are "automatically scanned for potentially malicious code as well as spammy developer accounts" before they are published. The spokesperson explained how a "proactive review" process is designed to catch policy offenders as early as possible.

The company is keen to point out that security for Android is improving, as shown in its recently published Android Security Year in Review. According to Google, just 0.05 percent of users who downloaded apps from the Google Play store had been infected with malware. That's down from 0.15 percent last year.

So why are malicious apps still getting through? One reason is that cybercriminals are clever. They are always finding new ways to circumvent security checks on apps, so their malware will be downloaded and they will make money.

"[For] the people submitting malware to the Google Play store, it is their business, it's their entire job in the world," says Mike Murray, VP of security research and response at mobile security firm Lookout.

"If they suck at their business, they don't eat. So they're highly motivated and they're going to do a good job and Google's going to get a huge percentage of targeting but only one mistake has to get through for them to be successful."

Many cybercriminals sneak in through the app store door, but are detected before anyone downloads their wares. Lookout alone issued 260 takedowns of Google Play malware during 2016 in its quest to make the internet a safer place. "It's our job to make it harder for bad guys to do business," says Murray.

Like Google, Lookout uses machine learning to assess the potential malicious nature of apps within the Google Play store -- but Lookout is performing this activity after the apps are available for download.

Google scans the apps when they're submitted, so hackers have now taken to hiding malicious code deep within their apps, only activating it once the app is safely in the store.

"When Google scans these apps, it sees no malicious components, no malicious code in the app uploaded to Google Play. But it's very easy for the malware developers to disguise the part which downloads additional components and it's very easy for them to create time bombs to bypass Google defences by prolonging the time before the malicious code is activated," says Daniel Padon, mobile threat researcher at Check Point.

Viking Horde, a piece of malware which posed as a popular game and was downloaded by tens of thousands of people, used this technique to remain undetected for weeks, says Padon.

In an effort to combat this epidemic, Google has developed 'Verify Apps', a tool for Android devices which warns users of potentially harmful apps. But the tool isn't that well known and it's likely only to be actively used by those who are already aware of cybersecurity threats, not those who might more easily fall victim to fraudulent, unverified apps.

In addition to this, the latest version of Android -- Android 7.0 Nougat -- comes equipped with features which protect the user from common ransomware tactics. But due to the fragmented nature of the Android install base, only three percent of Android users are protected by this feature.

So what else can Google do to keep the Play Store safe from malware? For those malicious apps which have already slipped through the cracks, Padon suggests Google could use one of the same flags Check Point does: identifying user responses to a malicious app.

"Most of the malware we've seen comes with angry comments from users who've downloaded the apps and know there's something wrong immediately after. If you read the comments by the users, you could easily see what's going on," he says.

Analysing this sort of information -- and more -- with machine learning algorithms is what has allowed Lookout to aid in the removal of malicious apps from the store.

"Our machine learning is tuned so any time we get something new through the Google Play store, if it hits a certain threshold [for suspicious or malicious content], it automatically kicks it to somebody who examines it, then hits the button for a take-down if that's the case," says Lookout's Murray. He adds that Lookout's technology is used by other official software outlets to block malicious apps before they get in.

"We spent a lot of time doing take-downs for people. There are app stores in the world that use us as front door; before they publish any apps they upload them to us, we run it through our pipeline and we kick back a large number of apps."

Cybersecurity professionals say Google Play is moving in the right direction and becoming more secure, as it works with security firms and offers bounties for reporting vulnerabilities.

"I think Google has started to approach the subject a bit more seriously with some improvements in the last year or so. They've begun to work with security vendors and they're considerably developing protections -- but there's always more to be done," says Check Point's Padon.

Not only that, but cybercriminals are always looking for new security holes to exploit -- and organisations and individuals need to stay alert for potential threats.

"There's never going to be a way where any single layer of defence is enough," Murray says.

