If you want to steer clear of malware on Android, just stick to Google Play. I am sure you have heard this line before. And it makes sense, if you think about it, as Google subjects apps to security checks prior to approving them. So it is natural to hand out that piece of advice whenever new Android malware is discovered in the wild. But what if the malicious bits are found in Google Play itself? A change of tune is in order.
Security firm Avast details how three popular, seemingly harmless Android apps -- all riddled with adware -- have been tricking users into visiting unwanted sites and installing other apps to fix non-existent issues, like fake malware infections, porn-filled storage (though, I have to say, that is far from an unlikely scenario in some cases) and so on.
Of course, following Avast's report, Google has pulled those three titles from Play. But, that doesn't mean that these titles have stopped affecting users -- and there are plenty of them!
The most popular app of the bunch is a card game called Durak, which had between five and 10 million installs since December. The other two are an IQ test and a Russian history app. Here's a more detailed explanation of how they work.
Avast says that the adware doesn't surface immediately after the apps are installed. Their developers have designed them so that users cannot tell which app is the culprit, making the origin harder to isolate, as the first signs only appear after a couple of days -- Avast adds that these apps may "wait up to 30 days until they show their true colors". Clever, isn't it?
When the adware surfaces, users are redirected to fishy sites, advised to install risky apps -- like apps that collect lots of personal information or send premium SMS messages without them knowing -- and even legitimate security tools from Google Play!
Avast says that "Even if you install the security apps, the undesirable ads popping up on your phone don't stop", noting that "most people will trust that there is a problem that can be solved with one of the apps advertised 'solutions' and will follow the recommended steps, which may lead to an investment into unwanted apps from untrusted sources". That's certainly possible, given that people don't expect to find malicious apps on Google Play in the first place.
Every once in a while I see similar messages on some sites I visit (not malware-ridden sites, mind you -- the messages come from prominent ad banners, which makes them appear more credible given the site's reputation), but, knowing why they are displayed, I ignore them.
It is also possible to be redirected to sites that look just like an app's Google Play landing page -- don't fall into the trap of downloading anything from there. To stay safe, don't enable sideloading (the "Unknown sources" option in Android settings) unless you actually need it.
But, back to the three apps in question, what I find most worrying is that Google has been totally and utterly useless at spotting those adware-riddled apps for months. And they could have gone unnoticed for longer, if not for Avast bothering to check a report from one of its users.
Obviously, things can be improved by employing more stringent rules, using more capable tools for checking apps, or hiring actual people who check every single app thoroughly (right now, the process of approving an app is automated) before giving the green light. Google can do better, and it has to if it wants its customers to truly feel safe using its app store.