Fake App Epidemic Hits Google Play Store

I’m sure you’ve been told many times that you should not download apps from third-party sites: either download them directly from the company’s site or download them from a trusted site like the Google Play Store. Now, however, it looks like you can’t even be safe if you do that.

It’s not as if Google isn’t trying. They claim that Google Play Protect scans and verifies over 50 billion apps a day on devices around the world. In addition, they claim that “all Android apps undergo rigorous security testing before appearing in the Google Play Store. We vet every app and developer in Google Play, and suspend those who violate our policies. Then, Play Protect scans billions of apps daily to make sure everything remains spot on.” That said, bad apps keep getting through, even though the percentage that do is low: less than 1%, according to Google. Nonetheless, 1% of 1 billion is still 10 million… just saying.

So there are a number of Potentially Harmful Apps (PHAs) on Google Play at any one time. These vary in the degree of damage they can cause to users who download them from the store. The types of infection and their prevalence have been published by Google.

[Image: Google’s breakdown of PHA types found on Google Play; Trojans are the largest category]

Notice that apps containing Trojans lead the way, and that’s not good. These apps release malware that can quickly gain control of your device. These are often RATs (Remote Access Trojans), which enable hackers to control your device remotely. This means that criminals can turn on your camera and microphone, watch your browsing, see all of your passwords, and explore all of your files. They can upload anything they find to their own servers, if this is their goal.

It is good to keep in mind that not all apps are created equal. Some app categories are more easily infected than others. Recently, the three most infected categories are apps for Android updates, antivirus apps, and photo editing apps. Any app can be fake, but these seem to sneak by Google’s defenses more consistently than most.

Apps Promising Android Updates

Everyone, or almost everyone, wants to get the latest version of Android as soon as possible. In fact, initial releases of the next version of Android, Android Q, are already being farmed out to developers. Expect to see fake apps promising you a chance to be the first to get this upgrade.

These fake apps generally just deliver nonstop ads. In addition, they will often give you a message saying that they will not be functional until you give them a 5-star rating. This is why you should not choose an app by its rating alone. Your best bet is to read the comments to see if any other users are having trouble.

The developers of this adware app make money by presenting ads to as many users as possible; they will not, however, upgrade your version of Android. Here is a comment from one user of these upgrade apps.

[Image: user review of a fake Android update app]

Photo Editing Apps

These apps seem more invasive than most of the fake Android update apps. They purposely try to hide themselves on your device so that they will be difficult to remove. They will then direct you to phishing pages in an attempt to have you give up personal information. Occasionally, they will try to get you to pay for an app, like a special video player, that will never work. In addition, they will have you upload a photo that you want to have “beautified” to their servers. This will not happen, and they will keep your photo, possibly to make a fake social media account.

Here is a photo editing app I found as I was researching this topic. It has all the signs of being fake, though it tries to make itself look legitimate by copying some images from real photo editing apps.

[Image: “Beauty Pro” photo editing app listing on Google Play]
[Image: the app’s privacy policy link]

It looks pretty good, so why do I think it’s fake? First of all, look at the developer’s email address. Fake app developers usually don’t have websites and give a Gmail address as a contact. In addition, if you try to check their privacy policy, you are sent to an inoperative website in India. The one review for this app only says, “fake app”. Despite this, over 5000 people have apparently downloaded it. The question is: how did it get through Google’s defenses? I will address that later.

Fake Antivirus Apps

There are many of these and they are among the most dangerous apps to download. The reason for this is that antivirus programs, by definition, have access to all the files on your device.

AV-Comparatives recently tested 250 antimalware apps on Google Play. The company claimed that “we found the malware protection of almost 40% of the tested Android AV apps to be inappropriate.” Of the 250 apps tested, 138 detected less than 30% of detectable malware. The ‘detectable malware’ was in the form of the 2000 most common malware threats of 2018. The inability of these apps to detect more than 30% of these samples qualified them as fake apps.

These fake antivirus apps can be broken into three categories: ineffective apps, adware apps, and malicious apps. Ineffective apps may work in principle, but they only detect a few samples of old malware. They are often designed by amateur developers who want to make some money, either by selling the apps directly or by offering up a platform for advertisers. Unfortunately, those who downloaded the app in the hope of protecting themselves from malware have been duped.

Although Google has been removing these fake antivirus/antimalware apps at a rapid rate, they are continuing to find their way onto Google Play Store. Here is one I just found.

[Image: listing of a fake antivirus app on Google Play]

The app gives itself away in the usual ways. It has no website associated with it, the only contact is a Gmail address, and the link to a security policy is questionable. I’ve found a recent trend in fake apps which circumvent Google’s privacy policy requirement. App developers are required to have a privacy policy and provide a link to it. Most of these fake app developers put a privacy policy copied from a legitimate app on a Blogspot or WordPress page. In some cases, they didn’t even take the time to put a title on the page. They simply pasted a standard privacy policy onto a convenient template like the one shown below.

[Image: privacy policy pasted onto a blank blog template]

I would strongly suggest that Google make such links detectable by their Google Play Protect algorithm.
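The red flags the post relies on (a Gmail-only contact, no developer website, a privacy policy that is a dead link or sits on a Blogspot or WordPress template with no page title, and reviews calling the app fake) can be turned into a simple triage check over listing metadata. The following Python is an added example, not code from the post or from Google; the indicator lists, flag names, scoring and the two sample listings are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Assumed indicator lists; the post names Gmail, Blogspot and WordPress specifically.
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
FREE_BLOG_HOSTS = ("blogspot.com", "wordpress.com")

@dataclass
class Listing:
    """Store-listing metadata as a reviewer would collect it by hand."""
    name: str
    developer_email: str
    developer_website: Optional[str]
    privacy_policy_url: Optional[str]
    privacy_page_title: Optional[str]  # <title> of the policy page; None if unreachable
    reviews: List[str]

def on_free_blog(host: str) -> bool:
    return any(host == h or host.endswith("." + h) for h in FREE_BLOG_HOSTS)

def red_flags(app: Listing) -> List[str]:
    """Return the post's red flags that apply to this listing."""
    flags = []
    if app.developer_email.rsplit("@", 1)[-1].lower() in FREE_MAIL_DOMAINS:
        flags.append("contact is a free webmail address")
    if not app.developer_website:
        flags.append("no developer website")
    if not app.privacy_policy_url:
        flags.append("no privacy policy link")
    else:
        host = (urlparse(app.privacy_policy_url).hostname or "").lower()
        if on_free_blog(host):
            flags.append("privacy policy hosted on a free blog template")
        if app.privacy_page_title is None:
            flags.append("privacy policy link is dead")
        elif not app.privacy_page_title.strip():
            flags.append("privacy policy page has no title")
    if any("fake" in review.lower() for review in app.reviews):
        flags.append("reviews describe the app as fake")
    return flags

def risk_score(app: Listing) -> int:
    return len(red_flags(app))  # assumed cut-off: 3 or more means "needs manual review"

# Constructed sample listings, modelled on the two apps described in the post.
SUSPICIOUS = Listing("Beauty Pro (sample)", "beautypro.dev@gmail.com", None,
                     "http://sample-policy.blogspot.com/p/privacy.html", "", ["fake app"])
CLEAN = Listing("Example Photo Editor", "support@example-photo.com", "https://example-photo.com",
                "https://example-photo.com/privacy", "Privacy Policy - Example Photo", ["works fine"])
```

Running `red_flags(SUSPICIOUS)` lists all five indicators from the post, while the clean listing produces none.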

It is likely that far more than 1% of apps on Google Play are fake. I found a number of them without much effort. Once the fake app designers learn the secrets to avoiding detection, they can swamp the store with fake apps by simply changing the app’s name and altering the developer information. The fact that certain categories have more fake apps than others simply means that the code that exists in these categories is easier to emulate. Other exploited categories will appear in the future. The reason Google Play is targeted is that it provides the scammers with a cloak of trust which they can use to get their malware downloaded onto numerous devices. So when downloading from the Google Play Store, don’t assume that every app you see is inherently safe. It’s always a good idea to proceed with caution.
