Google: Malware in Google Play doubled in 2018 because of click-fraud apps

Click-fraud apps drove a 100 percent year-over-year increase in the amount of malware installed from Google Play in 2018.

Over half of the malware in Google Play comes from click-fraud apps Click-fraud apps drove a 100 percent year-over-year increase in the amount of malware installed from Google Play in 2018.

Google has revealed that malware installed from Google Play grew by 100 percent last year. But the company says the main reason for the growth is that for the first time its definition of "potentially harmful apps" (PHAs) now includes click-fraud apps. 

Google offers the numbers in its annual Android security report covering malware trends in 2018. While there is a steady flow of reports about new adware and other malware found in the Google Play Store, Google emphasizes the rates are actually very low and that users are much safer only installing apps from Google Play. 

Due to the inclusion of click-fraud apps – aka adware – the PHA install rate grew from 0.02 percent in 2017 to 0.04 percent last year. Previously, Google treated click-fraud apps as a mere Play Store policy violation. The company contends that if it removed click-fraud stats, it would show PHAs installed from the official store declined by 31 percent year over year. 

Click-fraud apps accounted for 55 percent of all PHAs installed through the Play Store, far outweighing any other category. The second-largest category by install rate are trojans at 16 percent. 

Click-fraud apps mostly targeted users in the USA, Brazil, and Mexico, according to Google. 

The prevalence of click-fraud apps is a result of app developers unintentionally including an embedded software developer kit (SDK) that's actually responsible for the fraud.   

"Distributing click-fraud code in this way is easily scalable and makes it easy for click-fraud SDK developers to be present in the apps of hundreds or even thousands of developers," Google notes in the report. 

SEE: Cybersecurity in an IoT and mobile world (ZDNet special report) | Download the report as a PDF (TechRepublic)

As for PHA installs from outside the Play Store, Google claims Android's Google Play Protect anti-malware system prevented 1.6 billion PHA installation attempts last year. Google Play Protect stopped 73 percent of PHA installs from outside the store, marking a 20 percent improvement on last year. 

The type of malware also differs outside the Play Store, with backdoors dominating by install rate and distribution. According to Google, 28 percent of malware outside the Play Store are backdoors, while 25 percent are trojans, 22 percent are hostile downloads, and just 13 percent are click-fraud apps. The backdoor apps mostly target Android users in Russia, Brazil, Mexico, and Vietnam. 

Google attributes the dominance of trojans outside the store to the Chamois family of malware, which are often preinstalled on popular Android devices from certain OEMs. 

"Chamois apps are preinstalled on popular devices from different OEMs that didn't carefully scan for malware. As a consequence, users are buying compromised systems. When users start up their new devices, the preinstalled Chamois apps (usually disguised as system apps) download and install PHAs and other apps in the background."

screenshot-2019-04-01-at-12-07-31.png

Google has plotted the percentage of potentially harmful apps installed by market segment between 2016 and 2018. 

Image: Google's Android Security & Privacy 2018 Year In Review

More on Google Android security and adware