Google has revealed that malware installed from Google Play grew by 100 percent last year. But the company says the main reason for the growth is that for the first time its definition of "potentially harmful apps" (PHAs) now includes click-fraud apps.
Due to the inclusion of click-fraud apps – aka adware – the PHA install rate grew from 0.02 percent in 2017 to 0.04 percent last year. Previously, Google treated click-fraud apps as a mere Play Store policy violation. The company contends that if it removed click-fraud stats, it would show PHAs installed from the official store declined by 31 percent year over year.
Click-fraud apps accounted for 55 percent of all PHAs installed through the Play Store, far outweighing any other category. The second-largest category by install rate is trojans, at 16 percent.
Click-fraud apps mostly targeted users in the USA, Brazil, and Mexico, according to Google.
The prevalence of click-fraud apps is a result of app developers unintentionally including an embedded software development kit (SDK) that's actually responsible for the fraud.
"Distributing click-fraud code in this way is easily scalable and makes it easy for click-fraud SDK developers to be present in the apps of hundreds or even thousands of developers," Google notes in the report.
As for PHA installs from outside the Play Store, Google claims Android's Google Play Protect anti-malware system prevented 1.6 billion PHA installation attempts last year. Google Play Protect stopped 73 percent of PHA installs from outside the store, marking a 20 percent improvement on last year.
The type of malware also differs outside the Play Store, with backdoors dominating by install rate and distribution. According to Google, 28 percent of malware outside the Play Store are backdoors, while 25 percent are trojans, 22 percent are hostile downloads, and just 13 percent are click-fraud apps. The backdoor apps mostly target Android users in Russia, Brazil, Mexico, and Vietnam.
Google attributes the dominance of trojans outside the store to the Chamois family of malware, which is often preinstalled on popular Android devices from certain OEMs.
"Chamois apps are preinstalled on popular devices from different OEMs that didn't carefully scan for malware. As a consequence, users are buying compromised systems. When users start up their new devices, the preinstalled Chamois apps (usually disguised as system apps) download and install PHAs and other apps in the background."