Report: Many Apps on Google Store are Fake, Scams

John Lister's picture

A report suggests that thousands of apps on the Google Play store are in fact counterfeits made to look like legitimate apps, and that they pose a major security risk to users. The study says such apps ask for dangerous levels of access to the phone or are packed with advertising.

The study is a joint effort of the University of Sydney and Australia's national science research agency CSIRO. It took two years to carry out and involved trawling through 1.2 million apps to look for potential counterfeits.

Rather than have humans check each app uploaded to Google Play (which would be entirely impractical), researchers used artificial intelligence to look for signs of fakery, including visually similar app icons and copied or plagiarized app descriptions. The researchers then downloaded and analyzed the apps, and ran them through malware scanners.

Nearly 50,000 Fake Apps Found

The artificial intelligence highlighted 49,608 apps which mimicked one of the 10,000 most popular apps in the Google Play store. Of these, 2,040 contained some form of malware. (Source: acm.org)

Meanwhile, 1,565 of the apparent counterfeit apps asked for at least five permissions that were not asked for by the genuine version of the app. For example, a legitimate game app likely won't need any special permissions to the device at all, but a counterfeit version of the same game app may ask for access to the users' email contacts, which would then in turn be used by spammers.

The big risk here is that most users don't review the permissions but instead agree to everything requested in order to run the app. They do so on the assumption that the app is genuine and comes from the legitimate source, and so see no reason to suspect that any of the permissions are irrelevant or risky.
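The permission comparison described above can be reproduced for a single pair of apps. The following is an added example, not code from the study or from the original article: it assumes both AndroidManifest.xml files have already been decoded from the APKs into text XML, uses the article's five-permission figure as the threshold, and runs on constructed manifests with invented package names.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
THRESHOLD = 5  # figure quoted in the article: at least five extra permissions


def declared_permissions(manifest_xml):
    """Return the set of permissions requested in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(NAME_ATTR)
            if name:
                perms.add(name.strip())
    return perms


def extra_permissions(genuine_xml, candidate_xml):
    """Permissions the candidate requests that the genuine app does not."""
    return sorted(declared_permissions(candidate_xml) - declared_permissions(genuine_xml))


def exceeds_study_threshold(genuine_xml, candidate_xml, threshold=THRESHOLD):
    """True when the candidate asks for at least `threshold` extra permissions."""
    return len(extra_permissions(genuine_xml, candidate_xml)) >= threshold


def build_manifest(package, perms):
    """Hypothetical helper: build a minimal constructed manifest for the demo."""
    body = "".join(f'<uses-permission android:name="android.permission.{p}"/>' for p in perms)
    return f'<manifest xmlns:android="{ANDROID_NS}" package="{package}">{body}<application/></manifest>'


# Constructed sample data: package names and permission sets are invented.
GENUINE = build_manifest("com.example.game", ["INTERNET", "VIBRATE"])
LOOKALIKE = build_manifest(
    "com.example.game.free",
    ["INTERNET", "READ_CONTACTS", "GET_ACCOUNTS", "READ_SMS",
     "ACCESS_FINE_LOCATION", "RECORD_AUDIO", "READ_PHONE_STATE"],
)

if __name__ == "__main__":
    print(extra_permissions(GENUINE, LOOKALIKE))
    print("meets threshold:", exceeds_study_threshold(GENUINE, LOOKALIKE))
```

A permission the genuine app requests but the lookalike drops (VIBRATE in the sample) does not count toward the total; only additions do.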

Bogus Apps Riddled With Ads

The researchers also counted 1,407 apparent counterfeit apps that used at least five more third-party advertisement libraries than the legitimate original apps.

While legitimate apps often include ads, they will usually keep it to a "reasonable" level, rather than risk a poor user experience that harms the app's reputation and rankings. The counterfeiters don't always worry about that.

While it's bad news that the counterfeit apps got into the Play Store in the first place, Google does appear to be having some success weeding them out. Six months after finishing the original analysis and downloads, the researchers checked Google Play again and found that around a third of the counterfeit apps they had identified were no longer available. (Source: thenextweb.com)

What's Your Opinion?

Are you surprised so many counterfeit apps got into the Google store? How do you check that an app is genuine before installing it? Do you always check permission requests and does it make any difference if you think the app comes from a reputable developer?


Comments

W7OV's picture

Yes, I was surprised at the number of bad apps. It would be good to get a link to the actual bad apps.

I did follow through the various links referenced above and ended up at https://support.google.com/googleplay/answer/2812853?hl=en that tells how to enable Play Protect in the Play Store. (It is enabled by default.) Play Protect says my system is OK, but....

I do check the permission requests and deny any that seem out of place. I never give apps permission to access my contacts list.

John Lister's picture

Unfortunately the researchers don't appear to have published the list of the rogue apps.

Play Protect is definitely helpful, but does have some limitations. Apps with malware are often set to deploy it on a delay, so it won't be detected during an initial scan, while others encrypt the code so it isn't picked up by the scan. The good news is Google is working more and more with third party security firms to share information and try to plug some of those gaps.

jcgrande's picture

Google needs to have a vetting process to clear apps that are going into the Play Store. Google’s reputation is on the line and the security of their customers as well. The average app user trusts that Google is a responsible vendor and doesn’t think of checking the validity of the apps bought from the Play Store. Google needs to be more like Apple in their handling of apps.

FreedomisnotCONTROL's picture

These people/companies find these bad/malicious apps but don't tell anyone which apps these are. Wouldn't it make sense to make a list and let the people know so we can get them off our phones? Isn't that the purpose of finding them in the first place? Google may fix the Play Store and get rid of these bad apps but they don't do anything for the consumer like warning us or removing them from our phones.