If Google blocks 99% of dodgy Play apps, why do Androids keep getting infected?

Google has taken steps to quell the Google Play malware panic by claiming that 99% of abusive apps are caught before they hit the Android store. But, does that mean your smartphone is safe?

Google claims it uses a combination of its rewards programme, Play store reviews and machine learning models to catch all but 1% of dodgy apps, ranging from fraud to malware.

“With the unique combination of people-powered programs like the Google Play Security Rewards Program, more than 1,700 workflow human reviewers, and new machine learning models and techniques, we can catch 99% of abusive apps, from impersonation and fraud to inappropriate content and malware,” wrote Google in a guide titled ‘How Google Play Works’.

But if Google is blocking such a high percentage of malware, why do millions of Android users keep getting caught out by infected PDF scanners and virus-ridden photography apps and messaging services?

According to a report published by Kaspersky in September, malicious apps often manage to slip through Google Play’s safeguards by being legitimate apps. The apps only begin acting dodgy via a seemingly harmless update or add-on function, after gaining the trust of a high number of users.

One example of this was CamScanner. The PDF scanner racked up more than 100 million users before a stealthy Trojan snuck into one of its advertising modules, forcing a number of smartphones to take out paid subscriptions behind users’ backs.

Trusted Reviews reached out to McAfee’s head of cyber investigations, John Fokker, who explained how this can happen.

“App stores don’t always make it clear how the lifecycle and ownership of apps are monitored”, explained Fokker. “For example, an app may be legitimate today, but if the app developer doesn’t update it regularly or decides to hand over ownership to a third party, whether that be after months or years of the app originally being available for download, the new owner will have access to the app data and could harvest this for a malicious purpose”.

We also spoke to Arxan Technologies’ senior technical director EMEA Winston Bond, who explained that it is often left up to the user to keep an eye on what they’re downloading.

“Over the past two years we have seen news of malicious and fake apps parading on the Google Play Store so it’s good to see Google taking action to prevent this from happening”, said Bond. “That said, being able to catch 99% of abusive apps means that 1% of abusive apps being developed could still end up on the store, and ultimately on users’ phones.

“Unfortunately, this means some of the onus for keeping data secure must fall to those users and the owners of the apps handling their data”.

According to Google’s Android Security & Privacy year in review, the amount of malware found in the Play store actually doubled in 2018 from 0.02% to 0.04%, though Google explained that the main reason for this was the inclusion of click-fraud apps in the company’s definition of Potentially Harmful Applications, or PHAs.

Despite this 100% increase, apps downloaded from locations outside of the Play store continue to pose a much higher risk for users.

Potentially Harmful Applications downloaded outside of Google Play

Image: Google

While the number of PHAs originating outside the Play store has decreased since the introduction of safeguards like Play Protect, over a quarter of malicious apps downloaded outside of the Play store continue to go undetected until it’s too late.

Arxan Technologies’ Aaron Lint added that Google’s definition of PHAs does not include business-level threats.

“In addition to the point about 99/1, I think it would also be germane to mention the fact that it doesn’t include business-level threats against an institution”, wrote Lint. “They are trying to detect information leakage across apps, environmental compromise, and some other user facing fraud pieces, but there is not anything listed here which would protect against a malicious user targeting the applications that are legitimately deployed from the app store to accomplish fraud directly”.

So, how can you protect your phone if malware slips through Google’s cracks?

Kaspersky principal security researcher David Emm recommends that Android users take a few basic steps to protect their phones.

These include securing your device with a passcode, ensuring that you have reliable security software, blocking third-party devices from installing on your device, double checking what permissions your apps want from you and periodically wiping any unwanted apps from your device.

“Take the time to read the reviews, and keep an eye out for ones that mention that the app is falsely advertised, or has had issues with security”, adds Fokker. “When in doubt, avoid any app that seems remotely fishy”.
