Study Finds Google Play Store Hosts Thousands Of Malware-Laden Counterfeit Android Apps

Google Play Store
It is often recommended that one of the best ways to avoid malware on mobile devices is to stick with established, reputable app stores. The two big ones are Google's Play Store and Apple's App Store, for Android and iOS, respectively. But is this a foolproof way to avoid malware? The answer is no, according to a two-year study.

The study was conducted by researchers from the University of Sydney and Commonwealth Scientific and Industrial Research Organization's Data61. It focused solely on Android apps in the Play Store. The researchers found that counterfeit apps impersonating popular legitimate apps have become so sneaky that even a tech-savvy user might struggle to detect that something is awry.

"We were able to find 2,040 potential counterfeits that contain malware in a set of 49,608 apps that showed high similarity to one of the top-10,000 popular apps in Google Play Store," the study states. "We also [found] 1,565 potential counterfeits asking for at least five additional dangerous permissions than the original app and 1,407 potential counterfeits having at least five extra third-party advertisement libraries."

In the games category, Temple Run was one of the most frequently counterfeited apps, as were Free Flow and Hill Climb Racing. Interesting, the researchers created a convolutional neural network to analyze the app icons of more than 1 million apps in the Play Store.

That information was then used to group app categories and visual similarities between various apps, which in turn resulted in the 49,608 apps being tagged as possibly counterfeit. Those were then run through a VirusTotal scan to check for malware.

The sheer number of apps and ongoing submissions underscore the herculean task that Google and Apple face. For Google's part, it has acknowledged that "keeping the Android ecosystem secure is no easy task," but believes its Google Play Protect mechanism is up to the task.

Despite Google's confidence, malicious can and do sneak through the gates. Users are still better off downloading apps from the Play Store versus random places on the web, but should also practice caution in exactly what is being installed, and the permissions that apps ask for.