Google Play to Use Third Party Security to Scan Apps

John Lister

Google is to use outside help to scan apps before they go into the Google Play store. It says the move is needed to cope with the continuing increase in the number of rogue Android apps. Just two weeks ago, 21 Android apps were reported to be rogue; in early September, 24 apps were found to be rogue.

The new "App Defense Alliance" involves Google working with three security companies, namely: ESET, Lookout and Zimperium. They all specialize in mobile security with a particular emphasis not just on spotting individual rogue apps, but on figuring out common characteristics and clues that make it easier to detect other malware. (Source: google.com)

The partnership involves integrating Google's own malware scanner, Google Play Protect, with those of the aforementioned security companies. This will also allow direct, secure communication between the companies. (Source: bbc.co.uk)

Collaboration Helps Both Sides

In effect it's a trade of intelligence.

Google already vets apps before they go into the Play Store, but will now have the option to run them through one or more of the security companies' systems before they go public. That could be a significant change, as currently such security companies can only spot problems in apps after they've been installed and used. The idea here is to spot the rogue apps before any installation is made, much like antivirus on a Windows PC is supposed to work.

In return, the security companies can use Google Play Protect as an extra check, particularly when apps are downloaded outside of the Google Play store.

It's a smart move for Google as it responds to the increasing number of cases where apps are turning out to contain malware. That trend also undermines Google's primary security argument, which is that users should only ever trust apps they got from Google Play.

Malware Creators Cunning

Cybersecurity experts will be interested to see if the third-party checks are able to beat malware creators who've found a way to effectively smuggle malware past the Google checks.

One recent study suggested there are approximately 50,000 fake apps on Google Play posing as legit apps, but riddled with ads.

Other tactics include encrypting code so that it can't be read by malware scanners. Another trick is delaying the point at which the malware activates so that it won't be picked up by a scan. Some malware even poses as Google files to take advantage of "whitelisting" features that skip checks on files that are assumed to be safe.
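The last trick works because an allow-list that skips scanning based on what a file claims to be (its package name) is trivially satisfied by a look-alike, whereas one keyed on who signed it is not. The following is an added illustration, not code from the article or from Google's scanner: it assumes a hypothetical pre-publication pipeline that can read a package's name and signing certificate, and all package names and certificate bytes are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class AppPackage:
    """Minimal stand-in for the metadata a pre-publication scanner sees."""
    package_name: str
    signer_cert_der: bytes  # the signing certificate, DER-encoded in a real pipeline


def cert_fingerprint(der_bytes: bytes) -> str:
    """SHA-256 fingerprint of a signing certificate, hex-encoded."""
    return hashlib.sha256(der_bytes).hexdigest()


# Constructed sample data (not real certificates or package names).
GENUINE_CERT = b"-- constructed DER bytes of the genuine publisher certificate --"
IMPOSTOR_CERT = b"-- constructed DER bytes of an attacker-controlled certificate --"

# Weak allow-list: keyed on the package name alone (hypothetical name).
TRUSTED_PACKAGE_NAMES = {"com.example.platform.services"}

# Stronger allow-list: keyed on the publisher's certificate fingerprint.
TRUSTED_SIGNER_FINGERPRINTS = {cert_fingerprint(GENUINE_CERT)}

# Constructed submissions: the genuine app, a look-alike reusing its name, and an unrelated app.
SAMPLE_APPS = {
    "genuine": AppPackage("com.example.platform.services", GENUINE_CERT),
    "impostor": AppPackage("com.example.platform.services", IMPOSTOR_CERT),  # same name, wrong signer
    "unrelated": AppPackage("com.example.flashlight", IMPOSTOR_CERT),
}


def skip_scan_by_name(app: AppPackage) -> bool:
    """Weak policy: any package carrying a trusted name is waved through."""
    return app.package_name in TRUSTED_PACKAGE_NAMES


def skip_scan_by_signer(app: AppPackage) -> bool:
    """Stronger policy: only packages signed by a trusted certificate are waved through."""
    return cert_fingerprint(app.signer_cert_der) in TRUSTED_SIGNER_FINGERPRINTS


def triage(apps: dict, policy) -> dict:
    """Map each labelled submission to 'skipped' or 'scanned' under the given policy."""
    return {label: ("skipped" if policy(app) else "scanned") for label, app in apps.items()}


if __name__ == "__main__":
    for name, policy in (("name-based", skip_scan_by_name), ("signer-based", skip_scan_by_signer)):
        print(f"{name:12s}", triage(SAMPLE_APPS, policy))
```

Under the name-based policy the impostor is skipped along with the genuine app; under the signer-based policy only the genuinely signed package is skipped and the look-alike is sent to the scanner like any other submission.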

What's Your Opinion?

Should Google have made this move earlier? Are there any potential drawbacks? How much trust do you put in Google Play Store to vet apps before release?


Comments

russoule

I think when a developer is discovered to have placed malware in his/her/its package, that developer needs a substantial government punishment. Those of us who actually USE the internet spend way too much valuable time preventing the bad guys from whatever dirty-deed they have in mind. If some of these nasties were put into prison for 20 or 30 years, then at least those particular rats would not be able to foul-up our systems.

Dennis Faas

I agree with your sentiments; however, the problem is that the malware is created by large criminal organizations (sometimes state-sponsored), located halfway around the world in India, China, and Russia, for example.

The issue here is not only locating these idiots in the first place, but also successfully being able to prosecute these criminals using joint police / government efforts.

The malware on your phone, tablet, or computer won't ever go away for the same reason you get those non-stop robocalls from the "IRS" (usually in a robot generated voice) stating that you are going to jail unless you pay a hefty fine by wiring money tens of thousands of dollars to a bank in Thailand. Scam!

It's also the same reason the Indian tech support scammers that I've reported on multiple times will never, ever stop scamming people. All these scams are run by smart criminals and protected by local police who look the other way because they're paid off. This is literally a billion dollar industry.

matt_2058

Agree that consequences are needed for the scamming/malware app developers.

Next step should be a functional check for every app and update.