A two-year study has discovered 2040 malware-laden counterfeit apps in the Android app store, Google Play.
Researchers from the University of Sydney and CSIRO’s Data61 investigated more than a million apps available on Google Play, discovering that a huge number impersonated popular games and contained malware.
Other fake apps were malware-free but requested “dangerous” data access permissions. Games Temple Run, Free Flow and Hill Climb Racing were among the most commonly counterfeited.
The researchers used neural networks to identify visually similar app icons and partially plagiarised text descriptions of the top 10,000 most popular apps in the Play Store. The ‘multi-modal embedding’ machine learning model threw up 49,608 potential counterfeits.
The potential counterfeits were then checked for malware using the private API of online malware analysis tool VirusTotal. While 7246 were tagged by at least one anti-virus tool, the researchers used a ‘relaxed threshold’, leaving them with 2040 high-risk, fake apps.
The study also considered permission requests and embedded ad libraries, finding 1,565 asked for at least five dangerous permissions, and 1407 had at least five embedded third-party ad libraries.
“While Google Play’s success is marked on its flexibility and customisable features that allow almost anyone to build an app, there have been a number of problematic apps that have slipped through the cracks and have bypassed automated vetting processes,” said study co-author Dr Suranga Seneviratne from the University of Sydney.
“Our society is increasingly reliant on smartphone technology so it’s important that we build solutions to quickly detect and contain malicious apps before affecting a wider population of smartphone users,” he added.
The paper – A Multi-modal Neural Embeddings Approach for Detecting Mobile Counterfeit Apps, which was presented at the World Wide Web Conference in California in May – notes that since the apps were discovered, around 35 per cent are no longer available in the Play Store, “potentially removed due to customer complaints”.
Bad app battle
Google says that it now removes malicious developers from Play much faster, and last year stopped more malicious apps from entering the store than ever before.
The number of rejected app submissions increased by more than 55 per cent in 2018, and app suspensions increased by more than 66 per cent, the company said.
“These increases can be attributed to our continued efforts to tighten policies to reduce the number of harmful apps on the Play Store, as well as our investments in automated protections and human review processes that play critical roles in identifying and enforcing on bad apps,” wrote Google Play product manager Andrew Ahn in a February blog post.
Attempting to deceive users by impersonating famous apps is one of the most common Play Store violations, Google says. In 2017, the last available figures, Google took down more than a quarter of a million impersonating apps.
As well as increasing the number of people working on abuse detection technologies, Google last year introduced Google Play Protect, which scans apps on user devices to “make sure that everything remains spot on”.
It has also updated policies around permissions, resulting in the removal last year of “tens of thousands of apps that weren't in compliance”.
“We plan to introduce additional policies for device permissions and user data throughout 2019,” Ahn wrote.
“Despite our enhanced and added layers of defense against bad apps, we know bad actors will continue to try to evade our systems by changing their tactics and cloaking bad behaviors. We will continue to enhance our capabilities to counter such adversarial behaviour, and work relentlessly to provide our users with a secure and safe app store,” he added.
Making the Play Store a safe, counterfeit-free environment is a never-ending battle for Google.
In September, ESET researchers revealed more than a thousand people had downloaded malicious banking apps impersonating legitimate ANZ and Commonwealth Bank apps from the Play Store.
This month, Google banned an entire portfolio of apps by Chinese developer DO Global after a Buzzfeed investigation found a number were “abusing permission and committing ad fraud”.
The Data61/University of Sydney study was partially funded by Google, through its Faculty Research Awards, as well as the NSW Cyber Security Network and the federal government’s Defence Science and Technology group.
“Many fake apps appear innocent and legitimate – smartphone users can easily fall victim to app impersonations and even a tech-savvy user may struggle to detect them before installation,” Seneviratne said.
“In an open app ecosystem like Google Play the barrier to entry is low so it’s relatively easy for fake apps to infiltrate the market, leaving users at risk of being hacked,” he added.