
Bad news Android malware – Google Play apps and updates must now pass human review

In a major change in the way that it handles app submissions from developers, Google says it’s going to do more to prevent malicious and dodgy Android apps from entering the official Google Play store.

Up until now, Google has been criticised for being lackadaisical in its approach to what apps can be listed in the official Android marketplace, causing some observers to describe the Google Play store as an unpoliced mess polluted with thousands of fake and sometimes malicious apps that demand unnecessary permissions, mess with browser settings, steal information, or pop up irritating adverts.

Remember the Android game in the Google Play store which secretly stole private WhatsApp chats and offered them for sale?

Or how about the bogus anti-virus products that have made it into the Google Play store?

Or were you one of the 100,000 people who downloaded a fake BlackBerry BBM Android app from the Google Play store?

Clearly bruised by the criticism, particularly in comparison to Apple’s tightly-controlled iOS App Store, Google revealed yesterday that its approach had changed “several months ago” with the intention of better protecting Android users:

Several months ago, we began reviewing apps before they are published on Google Play to better protect the community and improve the app catalog. This new process involves a team of experts who are responsible for identifying violations of our developer policies earlier in the app lifecycle. We value the rapid innovation and iteration that is unique to Google Play, and will continue to help developers get their products to market within a matter of hours after submission, rather than days or weeks. In fact, there has been no noticeable change for developers during the rollout.

Of course, Google has tried to better police its app store in the past with technologies like Bouncer, an automated security system that was supposed to analyse and reject malicious Android apps before they were published on Google Play.

The quality of Bouncer has often been in question, because of the continued success malware authors and scammers have had in managing to sneak their toxic apps into the marketplace, and flaws found by security researchers which revealed how it was possible to bypass checking entirely.

Let’s hope that Google’s new approach of using human experts to examine apps submitted to the Google Play store will be more successful at protecting its many millions of users in future. It’s probably too early to say that this will be the end of malicious content being published in the official Android marketplace, but it sounds like a step in the right direction.

Google also says it is going to be more upfront in explaining to developers why their app has been rejected by the Google Play store, making it easier for genuine developers who have made a minor transgression of the rules to resubmit their apps for another attempt rather than live in fear of perpetual banishment.

About the author

Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

2 Comments


  • So… are they going to also go through the entire archive that exists prior to this new policy? Still, encouraging that they’re admitting – albeit perhaps indirectly – their system failed. I wish they’d admit this to some of their other (far too many) failures, but can’t have it all, as someone reminded me years ago (and since we’re dealing with Google, that they admit to this is rather significant, I suppose). One hopes this will improve this particular problem, in any case.

  • I would also like to see an approval mechanism in place for the ad networks that provide advertising to ad-supported apps. Here, this would involve requirements that the networks have improved scrutiny over the ad campaigns that come through, especially to keep malware and scammers off the networks.