Ghost apps live on to torment Android users

Even after they've been removed from the app store, rogue apps can still be causing hassles for the people who downloaded them.
Written by Danny Palmer, Senior Writer

There's currently no means of app stores recalling malicious apps which have already been downloaded.

Image: iStock

As many as half a million Android users could be at risk from hacking, phishing, and other threats because they are still using apps they've downloaded from Google Play, which have since been removed from the store.

With more than two million apps available to download from Android's official store, sometimes malicious apps find their way through the initial screening process and are only identified as dangerous after they've been downloaded by users.

Recent examples include the data-stealing Charger ransomware, which disguised itself as a battery saver app, and the Dresscode spy malware which hid in the Google Play store as games, skins, themes, and phone optimization boosters.

In both of these cases -- and others like them -- the malicious apps were identified by cybersecurity researchers, and then removed from the app store.

However, while Google might eventually remove these threats from Play, users who have mistakenly installed malicious apps from the official Android store aren't told about the risk. Security company Intel Security said 4,000 apps have been removed from Google Play during the last year without users being notified. Some were malicious, others were abandoned by their developers.

"Dead apps need recall notices like other defective products," said Intel Security.

According to telemetry data collected by McAfee Mobile Threat Research, more than 500,000 Android devices still have these ghost apps installed on them, meaning that these users -- and the organisations they work for -- are potentially exposed to malware and data breaches.

One such threat is a Trojan designed for stealing passwords, disguised as an app which offered to help users gain Instagram followers. Once downloaded from Google Play, the malicious app directed the user to a fake Instagram login site which stole their login credentials.


The fake Instagram app steals user credentials.

Image: Intel Security

Another threat is a Trojanized photo app called 'I Love Filter', which purports to have been downloaded over a million times. Once downloaded and installed, the app requests users 'upgrade to VIP', which triggers the continuous sending of text messages to premium rate numbers, as well as providing the malicious software with the ability to carry out additional attacks.

Despite being malicious, the app is rated 3.5 out of 5.0 on Google Play, something which Intel Security researchers say demonstrates "that the rating system is not enough to go on when it comes to evaluating apps and threats". Google should inform users that they're still using a malicious app, say the researchers.

"It's time for app store curators to notify those users impacted to help keep them secure and protect their privacy," the report recommends.

But until this happens, users need to remain vigilant about what they're downloading, even if it comes from an official source.

"To avoid losing personal data to dead apps, consumers need to pay close attention to the apps they've downloaded and research the developer and reviews about any app before installing it," says Raj Samani, EMEA CTO of Intel Security.

ZDNet contacted Google, but hadn't received a reply at the time of publication.

Read more on cybercrime

Editorial standards