Infosec expert viewpoint: Google Play malware


Researchers routinely discover a variety of malicious apps on Google Play, some of which have been downloaded and installed on millions of devices worldwide.

Here’s what infosec experts think about the security of Google Play, what they think Google should do better, and what users can do in order to protect themselves from malicious apps on the official Android app store.

Google Play malware

Chris Boyd, Lead Malware Intelligence Analyst, Malwarebytes

Google Play continues to have issues where malware is concerned. In fact, barely a week goes by without another tale of rogue apps sneaking onto the store. Over the years, many things have been tried. Manually checking apps. The “Bouncer” policing store submissions, almost immediately fingerprinted by researchers. The Play Protect rollout checking both store and device for threats, alongside “Verified by Play Protect” badges that certain apps sport. However, none of it is solving the problem.

Regardless of gains made, the current state of play is that no matter what Google tries, bad apps are still ending up on what should be the ultimate safe haven for Android owners. Researchers like myself advise mobile owners to steer clear of imitation stores and standalone downloads, and not to disable the “disallow installs from unknown sources” option in security settings.

We should be able to tell them they can feel at least a little bit confident about downloading from official sources, because that’s what all the advice we give people steers them towards. It’s frustrating to see that this still isn’t the case.

Part of me wishes official app stores would regularly suspend new submissions so they can vet more thoroughly everything already in the system. How many flashlight apps or cookie cutter mobile games do we really need?

It’s evident that the current “churn” process simply doesn’t let organisations take the steps they need to lock everything down and protect their users as securely as they could. Google needs to rip the band-aid off and apply something a little more permanent.


Jordan Herman, Threat Researcher at RiskIQ

Google Play has reduced the number of malicious apps in its stores, but its protections remain circumventable with relatively simple tricks such as encrypting malicious code, delaying execution of malicious code, or using social engineering in-app to trick users into downloading malicious apps from the attackers’ own servers.

Google can address this via a fundamental shift of the Play Store from open to closed, locking it down and more intensively scrutinizing apps and updates. However, I’m certain there’s a contingent of users who would oppose such a move as the openness of Android is what attracted them in the first place.

Another issue facing Google Play security is the complex and fragmentary nature of the Android device ecosystem, which has given rise to a patching problem, as unpatched devices are attractive targets. Google has been striving to improve on this issue, but a lack of direct control (multiple wireless carriers and manufacturers are responsible for pushing patches to a multitude of devices) will continue to hamper its efforts.

Users should be discerning and skeptical when downloading anything and have passive protection along with regular backups. Watch out for malicious apps mimicking popular, reputable apps and check an app’s permissions to make sure it does not have access beyond its stated functionality. Although they cannot make up for preventative measures such as checking permissions, anti-malware products provide some protection from malicious code and can partially make up for failures to avoid malicious apps.
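Herman's advice to check an app's permissions against its stated functionality can be done before install rather than from the settings screen. The script below is an added example in Python, not code from the article or from any vendor named in it. It assumes the APK's binary AndroidManifest.xml has already been decoded to plain XML (for instance with apktool or androguard; `aapt dump permissions app.apk` gives the same list as text), the manifest it parses is constructed for illustration, the per-category allowlist is a hypothetical baseline you would maintain yourself, and the "dangerous" set is a subset of Android's runtime-prompted permissions, not the full list.

```python
"""Audit an Android app's requested permissions against its stated purpose.

Added example for this article, not vendor code. Assumes the APK's binary
manifest has already been decoded to plain XML (apktool, androguard). The
manifest, the category allowlist and the DANGEROUS subset are assumptions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Subset of permissions Android classes as "dangerous" (runtime prompt).
DANGEROUS = {
    "android.permission.READ_SMS", "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS", "android.permission.READ_CONTACTS",
    "android.permission.CALL_PHONE", "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA", "android.permission.READ_EXTERNAL_STORAGE",
}

# Hypothetical baseline: what an app of a given category plausibly needs.
# A flashlight needs the camera only to drive the flash; never SMS or contacts.
EXPECTED = {
    "flashlight": {"android.permission.CAMERA", "android.permission.FLASHLIGHT"},
    "weather": {"android.permission.ACCESS_COARSE_LOCATION", "android.permission.INTERNET"},
}

# Constructed manifest for a hypothetical flashlight app that asks for far too much.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.brightlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application android:label="Bright Light"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                perms.add(name)
    return perms


def audit(manifest_xml, category):
    """Compare requested permissions with the baseline for the app's category.

    'unexpected' is anything outside the baseline; 'unexpected_dangerous' is
    the subset of those that Android gates behind a runtime prompt, which is
    where a reviewer should look first.
    """
    perms = requested_permissions(manifest_xml)
    unexpected = perms - EXPECTED[category]
    return {
        "requested": sorted(perms),
        "unexpected": sorted(unexpected),
        "unexpected_dangerous": sorted(unexpected & DANGEROUS),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_MANIFEST, "flashlight").items():
        print(f"{key}: {value}")
```

For the constructed manifest the audit flags READ_SMS, RECEIVE_SMS and READ_CONTACTS as dangerous permissions a flashlight has no business requesting; INTERNET and SYSTEM_ALERT_WINDOW are reported as unexpected but not in the dangerous subset, and SYSTEM_ALERT_WINDOW (overlay windows, a common vehicle for credential phishing) is worth a manual look even though Android does not classify it as "dangerous". The manifest is only what the app declares; permissions granted at runtime on a device are visible under Settings > Apps, and the approach says nothing about what an app with a legitimate-looking permission set does with it.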


Irfan Asrar, Senior Manager, Malware Threat Research and Operations at McAfee

While Google has been successful in improving policing of malicious apps on Google Play, like anything connected, there are still potential malware threats. It is important that users take precautions when downloading and playing mobile apps, such as:

Research apps before downloading. Check reviews by other users and conduct research on the developer before downloading a new app. It only takes a couple of minutes, but is a simple preventative measure that can go a long way for one’s security.

Beware Dead Apps. When potential issues, such as malicious code or privacy/copyright infringement, have been identified within previously released apps, they are removed from Google Play, but can still be found on devices. Security solutions can easily identify such apps and remove them.

Avoid third-party app stores. Given Google Play is where most mobile games are shopped for, it’s also where most legitimate developers release their apps. If a game is listed elsewhere, it should be considered suspicious and one should think twice before downloading.

Install a comprehensive security solution. A security solution is a great tool that helps identify early threats and alerts mobile users if malware is present.


Rick McElroy, Security Strategist at Carbon Black

Regarding better security for Google Play, Google should continue on the path it’s already established; the company has made significant progress. Given the open nature of Android, Google is doing a good job at trying to keep bad stuff out. Improvements still need to be made, though. Oreo, for example, had a lot of needed security enhancements.

One recommendation is to integrate more threat intelligence sources into “Play Protect.” Doing so would give Google a broader set of patterns to detect malicious apps entering the Play store. They have made progress in this realm, but enhancing threat intelligence is always a good idea.

Secondarily, and I would say this of anyone doing sandboxing, it will become critical to let the applications run. Sandboxing generally looks for bad activity in a given time frame. Malicious code writers have figured out how to evade sandboxes. They simply figure out the time threshold and set their application to execute after that window of time and the technology is evaded. These techniques will continue to be a cat-and-mouse game for any team analyzing malicious software.

Given the open nature of Android it’s not surprising that their numbers are different than Apple’s. You can’t really do a 1-for-1 comparison on the models.
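Herman's point about delaying the execution of malicious code and McElroy's point about sandboxes that only watch for a fixed time window describe the same artefact in the app: work scheduled to run after a delay longer than an analyst's observation window. The script below is an added example in Python, not code from the article or from any vendor named in it, showing the static triage an analyst can run over decompiled Android source to surface such delays. It assumes the APK has already been decompiled to Java (for instance with jadx), the Java snippet is constructed, the one-hour threshold is an arbitrary assumption, and the list of scheduling calls is illustrative rather than exhaustive.

```python
"""Triage decompiled Android code for execution delays that would outlast a
sandbox's observation window.

Added example for this article, not vendor code. Assumes jadx-style Java
output; the sample source, the threshold and the call list are assumptions.
"""
import ast
import re

THRESHOLD_MS = 60 * 60 * 1000  # one hour; arbitrary assumption for this example

# (regex up to the opening parenthesis, index of the delay argument, how it is expressed)
DELAY_CALLS = [
    (r"Thread\.sleep\(", 0, "ms"),                  # Thread.sleep(ms)
    (r"\.postDelayed\(", 1, "ms"),                  # Handler.postDelayed(runnable, ms)
    (r"\.set(?:ExactAndAllowWhileIdle|AndAllowWhileIdle|Exact|Repeating)?\((?=\s*AlarmManager\.)",
     1, "ms"),                                      # AlarmManager.set*(type, triggerAtMillis, ...)
    (r"\.schedule\(", 1, "timeunit"),               # ScheduledExecutorService.schedule(task, n, TimeUnit)
]
TIMEUNIT_MS = {"MILLISECONDS": 1, "SECONDS": 1_000, "MINUTES": 60_000,
               "HOURS": 3_600_000, "DAYS": 86_400_000}
OPS = {ast.Add: lambda a, b: a + b, ast.Sub: lambda a, b: a - b, ast.Mult: lambda a, b: a * b}

# Constructed decompiled source: a 250 ms sleep, a 3 h handler delay, a 24 h alarm,
# a 2-day executor delay and a 30 s heartbeat.
SAMPLE_JAVA = """\
public class Loader extends Service {
    public void onCreate() {
        super.onCreate();
        try { Thread.sleep(250); } catch (InterruptedException e) {}
        new Handler().postDelayed(new Runnable() { public void run() { stage2(); } }, 3 * 60 * 60 * 1000);
        AlarmManager am = (AlarmManager) getSystemService(ALARM_SERVICE);
        am.setExact(AlarmManager.RTC_WAKEUP, System.currentTimeMillis() + 86400000L, pending);
        ScheduledExecutorService ex = Executors.newSingleThreadScheduledExecutor();
        ex.schedule(fetchTask, 2, TimeUnit.DAYS);
        ex.schedule(pingTask, 30, TimeUnit.SECONDS);
    }
}
"""


def split_args(src, start):
    """Top-level comma-separated arguments of the call whose '(' is at src[start-1].
    Assumes no commas inside string literals within the argument list."""
    depth, args, buf = 1, [], []
    for ch in src[start:]:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                args.append("".join(buf).strip())
                return args
        if ch == "," and depth == 1:
            args.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    return args


def _fold(node):
    """Constant-fold + - * over integer literals; None if a name or call remains."""
    if isinstance(node, ast.Constant) and isinstance(node.value, int):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in OPS:
        left, right = _fold(node.left), _fold(node.right)
        return None if left is None or right is None else OPS[type(node.op)](left, right)
    return None


def eval_ms(expr):
    """Resolve a Java integer expression. Clock reads become 0 so an absolute
    AlarmManager trigger reduces to its delay; Java 'L' suffixes are dropped."""
    expr = re.sub(r"System\.currentTimeMillis\(\)|SystemClock\.\w+\(\)", "0", expr)
    expr = re.sub(r"(\d)[lL]\b", r"\1", expr)
    try:
        return _fold(ast.parse(expr, mode="eval").body)
    except SyntaxError:
        return None


def find_long_delays(java_src, threshold_ms=THRESHOLD_MS):
    """List every scheduling call, its resolved delay in ms (None if it depends on
    runtime values) and whether it exceeds the threshold."""
    findings = []
    for pattern, idx, kind in DELAY_CALLS:
        for m in re.finditer(pattern, java_src):
            args = split_args(java_src, m.end())
            if len(args) <= idx:
                continue
            ms = eval_ms(args[idx])
            if kind == "timeunit" and ms is not None:
                factor = TIMEUNIT_MS.get(args[idx + 1].rsplit(".", 1)[-1]) if len(args) > idx + 1 else None
                ms = None if factor is None else ms * factor
            findings.append({"line": java_src.count("\n", 0, m.start()) + 1,
                             "call": m.group(0).strip(), "delay_ms": ms,
                             "suspicious": ms is not None and ms >= threshold_ms})
    return sorted(findings, key=lambda f: f["line"])


if __name__ == "__main__":
    for f in find_long_delays(SAMPLE_JAVA):
        print(f)
```

On the constructed source the 3 h handler delay, the 24 h alarm and the 2-day executor delay are flagged, while the 250 ms sleep and 30 s heartbeat are not. A delay whose value comes from a server response, a resource or an obfuscated computation resolves to `None`; those entries are kept in the output precisely so the analyst can look at them by hand, since an unresolvable delay is itself worth a second look. This is a triage aid, not a verdict: a legitimate app can schedule daily work, and as McElroy notes the only reliable answer to a time bomb is to let the app run past the window or to patch the clock it consults.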