Lest there be any doubt that Android is the new Windows, Google has just pulled three adware-distributing apps from its Play Store, but only after several millions devices were infected. The search giant finally removed the apps after security firm Avast alerted it to the dangers, but there is evidence that Google knew about the suspicious apps for weeks.
In a somewhat self-serving post in which it also promotes its Android security app, Avast explains how one of the three apps functioned.
“It seems to be a completely normal and well working gaming app,” Avast’s Filip Chytry writes. “This impression remains until you reboot your device and wait for a couple of days … Each time you unlock your device an ad is presented to you, warning you about a problem, e.g. that your device is infected, out of date or full of porn … You are then asked to take action. However, if you approve you get re-directed to harmful threats on fake pages, like dubious app stores and apps that attempt to send premium SMS behind your back or to apps that simply collect too much of your data for comfort while offering you no additional value.”
It’s a classic adware scheme in other words, one that relies almost solely on social engineering. But in a case like this, it falls on Google, as the arbiter of the platform’s app store, to ensure that the apps it approves meet criteria for reliability, usability and, yes, security. That’s the benefit of any first-rate mobile app platform, whether it’s from Amazon, Apple, Google, Microsoft or any other company.
Avast doesn’t address that issue, though it notes that one of those apps was downloaded between 5 and 10 million times.
But the three apps that Google just pulled—an English language card game, and an IQ test app and history app aimed at Russian speakers—were clearly suspicious and should have been caught during Google’s app approval testing process. And according to feedback in Avast’s forums, Google had been fielding complaints about these apps since last month. Worse, users examining the apps’ package files were able to easily identify the malicious bits, including the timer for when the app starts displaying bogus pop-ups on the device. This behavior wasn’t even well-hidden.
Maybe it’s time for some kind of a security overhaul of the world’s most popular mobile computing platform. Google might give it on obvious name. Something like, oh I don’t know, Trustworthy Computing.