Google’s great Android app purge – what it means for you
Update: Google is making it easier to find good Chrome extensions, here’s how
Going by the last few days, you have to be extremely careful when it comes to downloading apps from the Google Play Store.
This is because there has been a wave of malware that has managed to sneak into legitimate looking apps hosted on the Play Store. Through various obfuscation methods, such as hiding links to malware in apps rather than loading them with malicious code, these apps were able to circumvent Google’s security measures.
Example : Google recently removed six antivirus apps from the Play Store that were loaded with Sharkbota type of Trojan-like malware used to trick users into entering their account and banking details, which were then sucked in and sent back to a command-and-control server for hackers to use later.
Since these apps pose as fairly legit Android antivirus tools, it’s easy to see how they’ve been downloaded and installed some 15,000 times.
And the second big purge of malware-laden apps saw Google bans group of apps on 60 million devices and were found to be sending detailed data to a company with ties to US security agencies.
The apps did this plunder through an inbuilt software development kit (SDK) which was capable of collecting data about a device’s location, personal details, clipboard and some files, as well as devices on the same Wi-Fi network.
The SDK that collects this data comes from a Panama-based company called Measurement Systems. He reportedly paid developers between $100 and $10,000 a month to include the code in their apps, telling one of the developers he was collecting data for ISPs, financial and energy companies, with a focus on users in the Middle East, Asia, Central and Eastern Europe.
Somewhat worryingly, after researching Measurement Systems, Serge Egelman and Joel Reardon, two AppCensus security researchers, discovered that the SKD was tied to Vostrom Holdings, a Virginia defense company that works for the US government through another subsidiary, Packet Forensics.
It is therefore quite worrying that apps loaded with such spy tools have made their way onto the Play Store.
How to Protect Against Android Malware
Should we be worried? The good news is that Google finds and removes apps loaded with malware or spyware very quickly. And security researchers are dedicated to tracking down these apps. But at the same time it is worth being careful.
First of all, always make sure that you only install apps from trusted and verified publishers. If an unknown developer suddenly offers, say, a game that looks like Call of Duty Mobile or a Netflix-like free streaming service, it could be a dubious developer trying to trick you into downloading an app that contains a malicious software or that will bombard you with advertisements; these were pretty common in early Android.
We also suggest that you avoid apps and services that need to be downloaded unless you are absolutely sure that they come from 100% legitimate sources.
If an app catches your eye, do a sense check by seeing what else is out there from the same publisher. And be sure to check app reviews, star ratings, and the number of times an app has been downloaded, as they offer a reasonable idea of the legitimacy of apps. Apps with tens of thousands of downloads, like Instagram, along with strong reviews would suggest an app is safe and legit.
Also, avoid apps that ask you for a seemingly inordinate amount of information, especially ones that want you to get rid of payment details. Many good and legitimate apps will tend to integrate Google Pay.
Android still has strong built-in security features, but for additional protection, check out our picks for the best Android antivirus apps. These antivirus tools can scan your phone and detect and mitigate threats.
If you come across questionable apps, be sure to alert Google to their presence. And feel free to report any suspicious apps you spot to Tom’s Guide and we’ll investigate them.
Read next: Google’s Family Link parental controls app just got a big update – here’s what you need to know