Here’s why the Google Play Store is a malware infected hellscape

Rael Hornby
·3 min read
Google Play Store app icon up close on phone display
Google Play Store app icon up close on phone display

Not a week goes by without the Google Play Store playing some part in delivering a strange new malware designed to steal from or spy on Android users — if it’s a good week, it’ll even manage both.

Many have been left puzzled by how the Google Play Store became more riddled with viruses than a sailor on shore leave — but not Google, who seem to have figured out how hackers are manipulating its platform to their benefit.

Google Play Store: A weakness exposed

A recent threat report published by Google’s Cybersecurity Action Team indicated that, in spite of a recent spike in cases, less than 1% of all downloads from Google Play are what the company calls Potentially Harmful Applications (or PHAs).

Google thoroughly evaluates all apps before release onto the Google Play Store and when PHAs are detected they’re quick to act — promptly removing apps and terminating developer accounts.

However, knowing this to be the case, dastardly developers have switched tactics. Instead of allowing a harmful app to go through Google’s evaluation process and risk getting flagged as a PHA, malicious actors will submit an innocuous and seemingly legitimate app for Play Store evaluation at first to gain Google’s trust.

However, once the app is on the Play Store it will receive an update from a third-party server — altering the app's code and functionality, allowing malicious extensions to execute freely.

Diagram showing how DCL and versioning bypasses Google's Play Store security checks
Diagram showing how DCL and versioning bypasses Google's Play Store security checks

Versioning: How good apps go bad

This process is called versioning — a circumvention of Google Play’s policy against any apps that can “modify, replace, or update itself using any other method than Google Play’s update mechanism.”

Google has identified one instance of versioning as Dynamic Code Loading (or DCL). DCL apps have the potential to download and run code from untrusted sources beyond the walled garden of the Google Play environment. This allows previously legitimate apps to bypass Google’s PHA checks and convert themselves into malware or spyware right under Google’s noses.

Google does state that apps making use of DCL “violate Google Play Deceptive Behavior policy and may be categorized as a backdoor.”

Outlook

While Google has identified one of the main pipelines to malicious apps appearing on its platform, the report fails to indicate exactly how they plan to combat it. However, it’s highly unlikely that the Cybersecurity Action Team behind the report are willing to allow malicious actors to continue with their efforts for much longer.

Could we see a Play Store crackdown on DCL apps in the near future? Quite possibly. Google will no doubt be keen to patch up its app platform's biggest security flaw and hard at work on sealing shut any backdoor vulnerabilities currently being exploited.

For news, rumors, and updates on all things cybersecurity and tech, follow Laptop Mag on TwitterFacebook, and Flipboard for the latest word as it arrives.