Not a month goes by without security researchers finding new malicious apps on Google Play. According to BitDefender, more than one percent of 420,000+ analyzed apps offered on Google’s official Android store are repackaged versions of legitimate apps. In the long run, their existence hurts the users, the legitimate developers, and Google’s reputation in general.
Google Play has recently surpassed the one million mark when it comes to the apps it offers, and the researchers have analyzed a good chunk of the total in order to discover just how many are hiding their true nature.
One interesting thing they found out is there are many copy-cat developers – 2,140 at the time of the survey – that obviously make enough money to justify their return to the store each time they get kicked out. It doesn’t help that the one-time fee to register a developer account is only $25.
“By design, Android applications can be disassembled, modified and reassembled to provide new functionalities. This way an attacker can easily rip an APK off the Play Store, turn it into program code, modify it and distribute it as their own,” explains Loredana Botezatu, communication specialist at Bitdefender. “Out of the 420,646 applications analyzed, more than 5077 APKs have been copies of other apps in Google Play.”
Most of the time these opportunistic “developers” are only looking to add a new advertising SDK to the repackaged app, in order to redirect to their own pockets the money that should go to the developers of the original applications.
But sometimes they also change the apps to collect more information (location, device ID, contacts list, call history, etc.) than the original one, or to be able to make phone calls and send text messages on behalf of the unsuspecting users.
“Instead of spending thousands or hundreds of thousands of dollars developing, testing and marketing a great application to monetize, plagiarists take the road that is less time-costly and less resource intensive by simply hijacking a successful application at the original developer’s expense,” Botezatu points out.
Obviously, the apps most often targeted are the most popular ones, such as Facebook’s and Twitter’s, along with games.
Almost universally, these repackaged apps can be downloaded for free, while the originals cost money. Knowing that many, many users are looking for a free ride, scammy “developers” are not going to hinder their own efforts by making users pay for the app, and in the end they don’t need to: they obviously make enough money by serving users ads and collecting (and effectively selling) their data.
Legitimate developers are losing money directly: instead of paying for their efforts, many users choose the “free” versions of the popular apps. In a case study covering the legitimate Riptide GP2 game by Vector Unit and its copycats, the multiple repackaged apps were downloaded tens of thousands of times, and the original developer missed out on new users and lost a considerable amount of money.
Although Google makes a good effort to remove such apps from the store, it still takes some time to spot them. In the meantime, the copycat developers earn enough money to keep doing this and to make a living from it.