Google Admits Play Store Security Loophole

Google says malware creators are using a simple workaround to bypass security on the official Play Store for Android apps. The problem is that the simplest fix would undermine one of the key differences between Android and closed systems such as Apple.

In theory, all apps in the Play Store are vetted for security, including malware checks. That's one of the reasons Google recommends only using the Play Store, while still giving users the choice to get and install Android software from other sources.

The problem is that scammers are using an extremely simply workaround called "versioning". That takes advantage of dynamic code loading, in which an app doesn't rely solely on the code that's permanently part of the app file itself. (Source: techspot.com)

Instead, it retrieves code "on the fly" from a remote server. In principle that can be useful as it reduces the size of the app file and thus the space it permanently takes up on a device.

Clean Apps Turn Dirty

The problem is that the scammers are creating clean versions of their apps that can pass the Google Play security checks. Once installed and running, the app then loads malware from a remote server and begins its malicious activity. (Source: google.com)

Google doesn't physically stop apps from doing this, though using dynamic code loading to alter the app is a violation of the Play Store terms and conditions. It will remove such apps from the store, but that doesn't remove them from devices where they are already installed.

The big problem is that two of the main ways to mitigate this risk would involve changing the balance between security and user freedom that's at the heart of an "open" system such as Android, particularly in comparison to Apple's heavily-controlled iOS.

One change would be to exercise much more control over how apps work and their code, putting in more technical barriers that prevent dynamic code loading being abused.

Removing Apps Would Be Controversial

Another would be for Google to create and use the ability to remotely disable or remove Play Store apps from Android devices. That would boost security, though many users might be uneasy about Google having the power to uninstall apps.

One compromise might be for Google to use device notifications to warn users when an app on their phone has been removed from Google Play for security reasons. The notification could recommend uninstalling the app but leave the choice up to the user.

What's Your Opinion?

Does Google have the right balance between security and openness? Would you be happy for it to remotely uninstall apps it believes were now a security risk? Would a prominent warning be a better solution?