How Malware Keeps Sneaking Past Google Play’s Defenses

A rash of malware hit the Google Play store this summer. And while Google has taken big steps to improve Android security, there's no clear end in sight.

The standard advice for Android users to avoid downloading malicious apps is simple: Only get apps from the official Google Play Store. Unlike third-party app stores that are generally difficult to vet and validate, Google Play has built-in mechanisms to screen every app for malware, ransomware, and assorted sketchiness. So why, then, has so much malware slipped through lately?

Take just last week, when the security firm Check Point discovered a new strain of Android malware called “ExpensiveWall” lurking in about 50 apps in the Play Store. They had cumulatively been downloaded between 1 million and 4.2 million times. Even after Google removed the offenders, Check Point discovered a new sample of the malware in Google Play (which got removed as well) that had quickly racked up more than 5,000 unique downloads. Meanwhile, researchers at the security firm ESET announced in early September that they had found malicious apps from the BankBot malware family in Google Play. The applications, which had names like "Earn Real Money Gift Cards" and "Bubble Shooter Wild Life," had malware directly in them and were also built to quietly download additional nefarious apps once installed. The list goes on.

While Google has fortified Play’s scanning defenses for years—they now fall under the umbrella of Google's Play Protect security suite—malicious apps frequently slip in, and some attract millions of downloads before Google can find and remove them. Openness is Android's hallmark, and the platform's huge scale is one of its core strengths. But those factors also make the Play Store a diverse morass for Google to police. Malicious applications still best the Play Store’s defenses and threaten Android users.

“Google had to step in and increase their security systems like a bouncer, and created Google Play Protect,” says Lukas Stefanko, a malware researcher at ESET. “Attackers are constantly trying to penetrate [Google’s] security systems."

For some mobile malware researchers, discovering malicious apps in Google Play is like a badge of honor. But they caution that the cat-and-mouse game has real stakes for Android users who could fall into the traps laid by ill-intentioned apps. Some masquerade as more popular software, luring you into downloading the wrong thing. Some hide inside flashy games or attractive customization apps (need a new wallpaper for your phone?) that seem earnest and clever.

App Intruders

Sneaking bad apps through typically doesn't require exploiting elaborate vulnerabilities in the architecture of Google Play. Hackers instead use fairly straightforward tricks and techniques to dupe Play Protect's scanning, including its adaptive machine learning-based mechanisms. Apps can be set up to execute their malicious code on a time delay, so that their shady behavior doesn't start until after they've been accepted. Apps can be packaged such that their malicious components are encrypted and out of view of Play Protect's screening. And some apps don't use any special code at all, but instead attempt to trick users into downloading additional (bad) software directly from attackers' servers, making them difficult to flag as malicious.

"Google invests a lot of resources in defense, but the popularity of Android and the shift into mobile devices just increases the amount of attacks on the platform," says Michael Shaulov, the head of products, mobile and cloud security at Check Point, a company that frequently discovers and reports problematic apps. "Hackers can profile exactly how Google's detection mechanisms work and then use things like time bombs, obfuscation, and hiding their code to sneak in. They're not new tricks, but they're still effective."

Google says that it has made steady progress on thwarting malicious apps, which it calls "potentially harmful apps," or PHAs. The company reports that in 2016, for users who downloaded apps exclusively from the Play Store, there were PHAs on 0.05 percent of devices, compared to 0.15 percent in 2015. But with more than two billion monthly active Android devices out there, Google knows that these tiny percentages can still impact millions of users.

Adrian Ludwig, the head of Android Security, says that Google benchmarks its internal scanning and screening against all the other Android anti-malware products it can find. "We make the best antivirus that’s available for Android," he says. But Ludwig emphasizes that Google knows it doesn't catch everything, and has been reaching out more and more to increase threat-intelligence sharing and collaboration with third-party firms that find things Google misses.

"We’ve been struggling to figure out how do you get that last one percent, and we encourage the security community to reach out to us," Ludwig says. "We’re very data-oriented, but we're more concerned about making sure we’re doing the right thing than gaming the numbers. We’ve always reported on misses."

Android researchers agree, too, that the conventional wisdom about downloading apps from the Play Store still very much holds true. From there, users can take some extra steps like checking app reviews before downloading something new, and running an additional third-party Android malware scanner on top of what Google already provides. "We always advise users to spend extra time before installing apps to check app permissions and user comments, particularly focusing on negative ones," ESET's Stefanko says. "I also believe there is a need for another layer of security for users, such as a mobile security app, especially when so many harmful apps make it through Google security systems to the Play store."

Yes, companies that offer anti-malware products for Android have an economic incentive to find malicious apps in Play, hype the problem, and then tout their product as a solution. But this type of research still benefits Google and Android users overall, so Google's Ludwig chooses to focus on long-term industry information-sharing. "We’re trying to think about how we can partner with some of these other folks to get rid of the commercial aspects here and make sure that everybody is working on collaboration around the samples and the models."

An Open Question

The question now is how to dismantle the attacker business model that still drives malicious innovation to sneak into Google Play. Check Point's Shaulov notes that attackers can net hundreds of thousands of dollars per month by getting an app into Google Play, through techniques like slamming users with exploitative in-app purchases, and generating fraudulent ad revenue in infected apps.

Plus, no matter how much Android closes the gap, the perception that Apple's iOS presents a more secure mobile operating system still dogs it. Malware does make its way into Apple's App Store from time to time, but attackers and researchers alike seem more focused on Android. "It's always interesting to see these problems mostly appearing for Android, and not for iOS," says Yanick Fratantonio, a mobile security researcher at the French graduate engineering school Eurecom. "It could be that Apple is stricter, or it could be that the bad guys opt to attack Android because it has a bigger user base."

And that's the real catch. Ultimately, security in the Play Store—no matter how robust and advanced it gets—is at odds with Android's broader design and philosophical approach. "Google is in a difficult position, for a while they were basically trying to get themselves on par with Apple," Check Point's Shaulov says. "But unfortunately the way that their platform is architected they will never get to that point because Android has a different advantage. Their operating system is open. It makes them the market leaders, but it also gives the hackers space to play."