Play Store identified as main distribution vector for most Android malware

Mammoth research project using Symantec (now NortonLifeLock) telemetry confirms what everyone suspected.
Written by Catalin Cimpanu, Contributor

The official Google Play Store has been identified as the primary source of malware installs on Android devices in a recent academic study — considered the largest one of its kind carried out to date.

Using telemetry data provided by NortonLifeLock (formerly Symantec), researchers analyzed the origin of app installations on more than 12 million Android devices for a four-month period between June and September 2019.

In total, researchers looked at more than 34 million APK (Android application) installs for 7.9 million unique apps.

Researchers said that depending on different classifications of Android malware, between 10% and 24% of the apps they analyzed could be described as malicious or unwanted applications.

But the researchers focused specifically on the "who-installs-who relationships between installers and child apps" to discover the path malicious apps take to reach user devices.

The research team said it looked at 12 major categories that result in app installations, which included:

  1. Apps installed from the official Play Store
  2. Apps installed from alternative markets (aka third-party app stores)
  3. Apps downloaded via web browsers
  4. Apps installed via commercial PPI (pay-per-install) programs
  5. Apps installed via backup and restore operations
  6. Apps installed from an instant message (IM)
  7. Apps installed via phone theme stores
  8. Apps loaded on disk and installed via the local file manager
  9. Apps installed from file sharing apps
  10. Apps preloaded on the device (bloatware)
  11. Apps installed via mobile device management (MDM) servers (apps installed by enterprises on their employees' devices)
  12. Apps installed via package installers

The results showed that around 67% of the malicious app installs researchers identified came from the Google Play Store.

In a distant second, with 10%, came alternative markets, dispelling a pretty common assumption that most Android malware these days comes from third-party app stores.

But the research team pointed out that despite the large amount of malware originating from Google's official app store, the Play Store had a small threat-to-legitimate app install ratio (VDR), with only 0.6%, leading researchers to say that "the Play market defenses against unwanted apps work," even if some apps slipped through the cracks sometimes. However, due to the Play Store's sheer size, this slippage ended up dwarfing any other source.

If we are to ignore sheer numbers and take the VDR index as a primary indicator for maliciousness, the research shows that users are more likely to install malware by downloading it from web pages via their browsers or from alternative markets.

Image: Kotzias et al.

The research, titled "How Did That Get In My Phone? Unwanted App Distribution on Android Devices," is available for download in PDF format and was authored by researchers from NortonLifeLock and the IMDEA Software Institute in Madrid, Spain.

Article updated on November 12 at Google's request to highlight the Play Store's low VDR index compared to other sources.
