It seems that with every year, the number of malicious or misleading apps on the Play Store increases. Google is often quick to take action and remove them, but they're still a long way from providing a quality defense against malware. In this article, we’ll try to define some basic principles that should help avoid malware-ridden applications.
The Play Store has become an ugly place. It was once a great resource. Does your phone need a new feature? Okay, just go to the Play Store, try out some apps and you’ll be able to solve your problem. Nowadays, it’s not so easy. Scammers can falsify positive ratings, buy a high ranking, and sometimes outright plagiarize other apps.
Google for the most part still relies on purely automated forms of quality assurance. Algorithms scan new apps and updates for known code fragments or behavioral patterns, much like an anti-virus program on Windows computers. If an automatic alarm is triggered, the app will likely be sent back to the developer.
The system ensures that 99 percent of all malicious apps don’t reach users via the Play Store, or that’s at least what Google stated in an old blog post. The algorithms have become a bit smarter thanks to machine learning. At this point, they are able to detect fake identities, inappropriate content, and new types of malware.
Creators of malware are better organized
In 2017, examples such as SonicSpy demonstrated that malware creators and networks are literally bombarding the Play Store. Google now recognizes “repeat offenders and abusive developer networks” and has already banned 100,000, which has made it more complicated to create a new developer account. However, there are still cases where they manage to slip through. In 2018, half a million users downloaded malware posing as driving games. More cases have been found in 2019 too.
But how do I recognize bad apps?
Flashlight apps are obsolete
Certain apps and games are particularly vulnerable to abuse. Flashlight apps, in particular, have benefited from users’ careless habits. Usually, users are informed of the app’s permissions before installation, although since 2015 they are sometimes only informed once they've started using it. A while ago there were a large number of flashlight apps that also wanted to be able to send an SMS. Enough users accepted this obviously fraudulent permission and got caught in a trap. The flashlight app could then send premium SMS messages and earn money for the app developers.
At the same time, most flashlight apps actually only need camera permission. This makes sense because the LED connected to the camera is controlled via the camera permission. However, not all users know that a flashlight app has already been given to them. It’s probably already in your smartphone’s Quick Settings. Just pull your finger down from the top of the screen and look for the small flashlight silhouette.
If you install a flashlight app anyway, it will probably interrupt its actual function with several commercial breaks. Advertising in apps is tolerable to a certain extent, but the added value that the app provides must be commensurate with the number of advertising interruptions. With such a superfluous app, there is no reason to tolerate advertising.
Booster and cleaner apps are inherently useless
If your memory is full, your phone is slow or the Wi-Fi isn’t good enough, there are well-established solutions to your problems. The Play Store won’t provide any answers. We have an article on each of these topics, as they’re among the most common problems with smartphones. Other media have also written very good reports on this.
App creators, however, have found successful ways to profit by creating completely useless and sometimes harmful apps in the Play Store.
Optimization apps are making a profit out of your desperation. Whatever they say works must be able to help your battery. Cheetah Mobile was able to record several hundred million downloads doing this, and the boss of the company has twice stated outright that the app is no good.
The reason is that apps can't work miracles. Android uses a principle called sandboxing: each app runs in its own capsule and cannot interfere with the system in any way that could prolong battery life. The optimizations that are possible have already been provided by Android and the smartphone manufacturer.
However, poor performance is often due to the fact that an app consumes a lot of energy. If this is the case, you should identify the app and just uninstall it. You can probably find a more economical alternative to it, which leads us to the next problem...
Copies and counterfeits pretend to be alternatives
While looking for popular games like Solitaire, Tetris, or Bubble Poppers I recently noticed it again: it is practically impossible to search for apps with the Play Store's search tools, because:
- You can’t hide apps with advertisements or in-app purchases.
- The average score is worthless because it can be generated by click farms.
- It is rarely explained why the app requires certain permissions.
- You never know whether in-app purchases are one-time or recurring, or what they'll actually provide you.
And even worse, the apps rarely offer what you expect. Most Bubble Poppers end up being just a loot box system with pointless in-app purchases.
Most games are good for the first few minutes. With some luck, they’ll be easy to play for a few hours. And then suddenly they’re asking for cash. If they stuck with a one-time in-app purchase that would unlock all the remaining levels like in Super Mario Run and then never asked for money again, everything would be fine. Yet, a lot of games drive you into virtual bankruptcy, which could cost you a lot of money in real life.
Check what apps are allowed to do
Since fakes are becoming smarter and better at posing as regular apps, it's a good idea to check exactly what they are allowed to do. You don't need to be tech-savvy or an Android expert to do so. If you want to make sure that the game your child just downloaded on your phone, for example, is not malicious, go to your phone's Settings menu. From there open Apps and find the app in question.
You will be able to check how much mobile data, storage, and RAM the app is using, as well as what permissions it has. Tapping on Mobile data will also reveal if the application is allowed to use data in the background. If an offline game, for example, has used background data, that's a good indication that something shady might be going on (unless you have mobile data updates). It's not a foolproof method of catching malware by any means, but it's never a bad idea to be informed about what apps are allowed to do on your device.
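The same check can be scripted for anyone who prefers a terminal to the Settings menu. The following is an added example, not part of the original article: it parses text in the layout printed by `adb shell dumpsys package <name>` and lists sensitive permissions that do not fit the app's category, such as a flashlight app that asks to send SMS. The sample dump, the package name, and the per-category baselines are constructed assumptions.

```python
import re

# Constructed, simplified excerpt in the layout of `adb shell dumpsys package <name>`.
SAMPLE_DUMPSYS = """\
  Package [com.example.flashlight] (1a2b3c):
    requested permissions:
      android.permission.CAMERA
      android.permission.INTERNET
      android.permission.SEND_SMS
      android.permission.READ_CONTACTS
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
        android.permission.SEND_SMS: granted=true, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET ]
"""

# Assumed baseline per app category (hypothetical policy, adjust to taste).
EXPECTED = {"flashlight": {"CAMERA"}, "offline_game": set()}
# Permissions the article singles out: SMS, camera, microphone, contacts.
SENSITIVE = {"SEND_SMS", "CAMERA", "RECORD_AUDIO", "READ_CONTACTS"}
PERM = re.compile(r"^\s+android\.permission\.([A-Z_]+)(?::\s*granted=(true|false))?")

def parse_permissions(dump):
    """Map each permission to True/False (grant state) or None (only requested)."""
    perms = {}
    for line in dump.splitlines():
        m = PERM.match(line)
        if not m:
            continue
        if m.group(2) is None:
            perms.setdefault(m.group(1), None)   # seen in "requested permissions"
        else:
            perms[m.group(1)] = m.group(2) == "true"
    return perms

def audit(dump, category):
    """Return sensitive permissions outside the category baseline, with state."""
    perms = parse_permissions(dump)
    return [(n, "granted" if perms[n] else "requested, not granted")
            for n in sorted(perms)
            if n in SENSITIVE and n not in EXPECTED[category]]

if __name__ == "__main__":
    for name, state in audit(SAMPLE_DUMPSYS, "flashlight"):
        print(f"unexpected for a flashlight app: {name} ({state})")
```

A permission reported as "requested, not granted" is still worth noting, since the app will keep asking for it.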
What makes a good app?
A reasonable app will explain to you at the beginning if you have to pay for anything. Google has placed small references to ‘In-app purchases’ right next to the download button. In the app descriptions below, you can see an app’s price range.
There are issues with both permissions as well as advertising. The developer should ideally justify the necessary permissions in the description of the app (like in Threema, for example). They have to be explained in accordance with the app’s functions. A flashlight shouldn’t need to send SMS messages and a Bubble Popper shouldn’t need access to your camera or microphone, let alone your contact list.
Google should more precisely identify ads: are they just small banners on the edge or are they full-screen ads? Are there videos or just static content? In the worst case, the advertisements steal the screen for several seconds or cause you to accidentally press on them and waste precious data. Does the app actively encourage you to press on ads to get bonuses? Don’t let them exploit you!
Conclusion: app research is about having the right information
The list of things to consider hasn’t become any shorter in recent years. App creators with deviant motives to make profits are becoming smarter at the same rate as Google’s anti-malware team. So the user still has to be incredibly careful with banal things like finding the right Solitaire app for Android until things improve.
What's your story? Have you ever fallen into a bad advertising trap? What do you pay attention to when searching for new apps? Or have you given up completely and only install apps that you already know?