Security vendor Avast warned on Feb. 3 that it had found three popular apps in the Google Play Android apps store that were infecting users with adware.
A Google spokesperson confirmed to eWEEK Feb. 4 that all of the malicious apps identified in the Avast report had been suspended from Google Play.
“The apps analyzed by Avast were adware that led to some shady sites and offers,” Avast malware analyst Nikolaos Chrysaidos told eWEEK.
The fact that potentially malicious apps made it into the Google Play store means that the apps were able to get past Google’s own security screening process. Adware does fall into somewhat of a gray zone, which is why the apps may have slipped through, Chrysaidos said.
The Google spokesperson explained that Google scans apps as they are uploaded to Google Play, running each app to detect and remove malware, spyware and Trojans from Google Play.
“As we discover new pieces of malware, our systems are able to go back through all of Google Play and remove any suspicious files from the store,” the Google spokesperson explained to eWEEK. “From here, we can disable developer apps and accounts if they violate our terms and content policies.”
Overall, the spokesperson noted that Google’s goal is to provide people with an extra layer of protection while still maintaining Android’s openness and developers’ workflow. The spokesperson added that Google’s techniques for protecting Google Play users continue to improve and are reflected in the low number of users who install potential malware from the Google Play Store.
The newly removed apps all had some form of adware in them that could have been potentially malicious.
Many applications in the Google Play Store use advertisements to generate income for developers, explained Ryan Olson, Intelligence Director in Unit 42 at Palo Alto Networks. “The vast majority of these are not malicious, but occasionally an app abuses the system,” Olson told eWEEK. “In this case, the ads were being displayed outside the application and anytime the user unlocked their device, which was especially annoying to users.”
Though Google is scanning for potential risks, there are multiple challenges in properly identifying all potential situations.
Google has been doing a better job of scanning for malicious apps, but in all reality, it can be difficult to prove that malicious code even exists in an app at all, Greg Kazmierczak, CTO of Wave Systems, explained.
Kevin Epstein, vice president of information security and governance at Proofpoint, noted that even legitimate software may result in unrecognized data leakage when it broadcasts location, name, or other personally identifiable information, which is why many organizations employ secondary layers of defense, such as secure email filtering gateways and data loss prevention filters.
Without a good scanning system, the Google Play Store would be overrun with malware very quickly, Palo Alto Networks’ Olson said. “Google’s bouncer is keeping out most of the bad apps, but occasionally, something malicious makes its way through,” Olson said. “Normally, the ones that make it through aren’t obviously malicious, but take some suspicious actions that may be easier for a user to identify than a machine.”
Best Practices
For users, it is important to make sure that Android devices are fully patched and up-to-date, and to only get apps from the official Google Play store. Ian Trump, security lead for LogicNow, said that there are also other steps that users and enterprises should take to secure their mobile devices. In particular, Trump said mobile device management (MDM) platforms play a key role in providing mobile security.
“IT departments know that the potential exists for a malicious Android or other smart phone app to be the Trojan device that could turn into a full-scale data breach,” Trump told eWEEK. “IT departments need the tools to secure mobile devices and BYOD, just as they would secure a desktop or laptop’s corporate information.”
Palo Alto’s Olson said Android users should also consider the permissions that apps are requesting before they install them.
“Android’s security model makes it possible for a user to review the permissions of each application during installation, and savvy users should think about why the application needs the permissions it requested,” Olson said. “In this case, the rogue adware applications required the SYSTEM_ALERT_WINDOW permission, which is uncommon and normally used by system applications.”
Olson added that the name of the permission (SYSTEM_ALERT_WINDOW) might not make it clear to the user, but it should definitely be a red flag for anyone installing a new application.
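The permission review described above can be automated for an MDM or app-vetting workflow. The following is an added example, not code from eWEEK, Avast or Palo Alto Networks: it audits a decoded (text) AndroidManifest.xml for the SYSTEM_ALERT_WINDOW permission named in the article. The sample manifest, the package name and the check for a receiver on the `USER_PRESENT` unlock broadcast are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Permission the article says the rogue adware apps required.
FLAGGED_PERMISSIONS = {"android.permission.SYSTEM_ALERT_WINDOW"}
# Assumption: an app that reacts to every device unlock registers for this broadcast.
UNLOCK_ACTION = "android.intent.action.USER_PRESENT"

# Constructed sample manifest (hypothetical app, not taken from the Avast report).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cardgame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <activity android:name=".MainActivity"/>
    <receiver android:name=".UnlockReceiver">
      <intent-filter>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

def audit_manifest(manifest_xml):
    """Return a list of findings for a decoded AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    findings = []
    # Collect every requested permission, including the API 23+ variant of the tag.
    requested = {
        el.get(ANDROID_NS + "name")
        for tag in ("uses-permission", "uses-permission-sdk-23")
        for el in root.iter(tag)
    }
    for perm in sorted(requested & FLAGGED_PERMISSIONS):
        findings.append(f"requests {perm}")
    # Flag broadcast receivers that wake up each time the user unlocks the device.
    for receiver in root.iter("receiver"):
        actions = {a.get(ANDROID_NS + "name") for a in receiver.iter("action")}
        if UNLOCK_ACTION in actions:
            name = receiver.get(ANDROID_NS + "name")
            findings.append(f"receiver {name} listens for {UNLOCK_ACTION}")
    return findings

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print("com.example.cardgame:", finding)
```

The manifest inside an APK is stored as binary XML, so it has to be decoded to text first; when auditing manifests from untrusted apps, parse them with a hardened XML parser rather than the standard-library one.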
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.