Android Warning: Thousands Of Dangerous Copycat Apps On Google Play, Study Finds
Familiarity breeding contempt hits home in the results of a new study into the security threat from apps on Google Play. The research, conducted by the University of Sydney and CSIRO’s Data61, has unearthed thousands of dangerous apps hiding in plain sight in the online store, tricking users by mimicking popular alternatives. The study used artificial intelligence to identify likely counterfeits, before checking them for malware, excessive permissions and bundled advertising libraries.
The study deployed a neural network to examine both the design of icons and the wording in descriptions, reviewing “1.2 million apps” to identify “potential counterfeits for the top 10,000 apps.” It found “2,040 potential counterfeits that contain malware in a set of 49,608 apps that showed high similarity to one of the top 10,000 popular apps in the Google Play Store.” The research also found “1,565 potential counterfeits asking for at least five additional dangerous permissions than the original app and 1,407 potential counterfeits having at least five extra third-party advertisement libraries.”
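The permission-creep figure above (at least five extra dangerous permissions compared with the original app) is a check anyone vetting a suspected copycat can reproduce from the two apps’ manifests. The following is an added example, not code from the study or from Google: it parses two constructed AndroidManifest.xml files, keeps only the permissions in Android’s runtime-prompted “dangerous” group (a partial list, an assumption that should be extended for a real audit) and flags the candidate when it asks for five or more that the original does not.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Partial list of Android "dangerous" protection-level permissions (those that
# need a runtime prompt). Assumption: taken from the public permission docs;
# extend it for a real audit.
DANGEROUS_PERMISSIONS = frozenset(
    "android.permission." + p
    for p in (
        "READ_CALENDAR", "WRITE_CALENDAR", "CAMERA", "READ_CONTACTS",
        "WRITE_CONTACTS", "GET_ACCOUNTS", "ACCESS_FINE_LOCATION",
        "ACCESS_COARSE_LOCATION", "RECORD_AUDIO", "READ_PHONE_STATE",
        "CALL_PHONE", "READ_CALL_LOG", "WRITE_CALL_LOG", "BODY_SENSORS",
        "SEND_SMS", "RECEIVE_SMS", "READ_SMS", "RECEIVE_MMS",
        "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE",
    )
)

# Constructed manifests for illustration only; they are not taken from any real app.
ORIGINAL_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

COPYCAT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight.pro">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""


def declared_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(f"{{{ANDROID_NS}}}name")
        for el in root.iter("uses-permission")
        if el.get(f"{{{ANDROID_NS}}}name")
    }


def extra_dangerous_permissions(original_xml, candidate_xml):
    """Dangerous permissions the candidate requests that the original does not.
    Normal (non-dangerous) permissions such as INTERNET or VIBRATE are ignored."""
    original = declared_permissions(original_xml) & DANGEROUS_PERMISSIONS
    candidate = declared_permissions(candidate_xml) & DANGEROUS_PERMISSIONS
    return sorted(candidate - original)


def flag_permission_creep(original_xml, candidate_xml, threshold=5):
    """Apply the study's threshold: five or more extra dangerous permissions."""
    extra = extra_dangerous_permissions(original_xml, candidate_xml)
    return len(extra) >= threshold, extra


if __name__ == "__main__":
    flagged, extra = flag_permission_creep(ORIGINAL_MANIFEST, COPYCAT_MANIFEST)
    print("flagged:", flagged)
    for name in extra:
        print("  extra dangerous permission:", name)
```

On a real APK the manifest is stored as binary XML, so it has to be decoded first (for example with apktool or androguard) before being fed to `declared_permissions`; that decoding step is assumed here and not shown.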
The use of pre-trained AI algorithms to evaluate style and content “outperforms many baseline image retrieval methods for the task of detecting visually similar app icons,” and on the large dataset of more than 1.2 million app icons, the study’s methods achieve “8%-12% higher precision” than alternatives.
“Many counterfeits can be identified once installed,” the authors explain, “however even a tech-savvy user may struggle to detect them before installation,” thus the idea to try the “novel approach of combining content embeddings and style embeddings generated from pre-trained convolutional neural networks to detect counterfeit apps.”
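To make the “content embeddings and style embeddings” idea concrete, the following is an added illustration, not the study’s code. It assumes that a pre-trained CNN has already produced a layer of feature maps for each icon (stand-ins are constructed here with a seeded random generator), treats the flattened activations as the content embedding, builds the style embedding as the Gram matrix of channel correlations (the representation used in neural style transfer, which is one standard way to capture style; whether the study used exactly this is an assumption) and ranks candidate icons against a query by a weighted cosine similarity of the two.

```python
import random
from math import sqrt


def content_embedding(feature_maps):
    """Content: the raw activations of the layer, flattened channel by channel.
    feature_maps is a list of channels, each a flat list over spatial positions."""
    return [v for channel in feature_maps for v in channel]


def gram_matrix(feature_maps):
    """Style: correlations between every pair of channels, independent of where
    in the icon the activations occur. Returns the upper triangle, flattened."""
    n_positions = len(feature_maps[0])
    gram = []
    for i, fi in enumerate(feature_maps):
        for fj in feature_maps[i:]:
            gram.append(sum(a * b for a, b in zip(fi, fj)) / n_positions)
    return gram


def cosine(u, v):
    dot = sum(a * b for a, b in zip(u, v))
    nu = sqrt(sum(a * a for a in u))
    nv = sqrt(sum(b * b for b in v))
    return dot / (nu * nv) if nu and nv else 0.0


def similarity(maps_a, maps_b, style_weight=0.5):
    """Combined score: weighted cosine of the content and style embeddings."""
    content = cosine(content_embedding(maps_a), content_embedding(maps_b))
    style = cosine(gram_matrix(maps_a), gram_matrix(maps_b))
    return style_weight * style + (1.0 - style_weight) * content


def rank_candidates(query_maps, candidates):
    """Return (name, score) pairs, most similar first."""
    scored = [(name, similarity(query_maps, maps)) for name, maps in candidates.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed stand-in activations. A real pipeline would take these from a
# pre-trained CNN layer run over the actual icon images.
def _random_maps(rng, channels=8, positions=16):
    return [[rng.uniform(-1.0, 1.0) for _ in range(positions)] for _ in range(channels)]


def _perturbed(feature_maps, rng, sigma=0.05):
    """A copycat icon: the original's activations plus a little noise."""
    return [[v + rng.gauss(0.0, sigma) for v in channel] for channel in feature_maps]


def build_demo():
    rng = random.Random(2019)
    original = _random_maps(rng)
    candidates = {
        "copycat_icon": _perturbed(original, rng),
        "unrelated_icon": _random_maps(rng),
    }
    return original, candidates


if __name__ == "__main__":
    original, candidates = build_demo()
    for name, score in rank_candidates(original, candidates):
        print(f"{name:15s} similarity={score:.3f}")
```

Two things this small version already shows: the style score of two unrelated icons is not near zero, because the Gram diagonal (each channel’s energy) is positive for every icon, so style alone over-matches and the content term is needed to separate copies from merely similar-looking designs; and nothing here looks at the description text, which the study adds as a separate signal.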
The study found that the 2,040 most dangerous counterfeits “were marked by at least five commercial antivirus tools as malware,” although, encouragingly, “6-10 months since we discovered the apps, 27%-46% of the potential counterfeits we identified are not available in Google Play Store, potentially removed due to customer complaints.”
None of this should come as a surprise: the insecurity of apps on both Android and iOS has been very much in the headlines recently.
Last year, Buzzfeed News reported that “eight apps with a total of more than 2 billion downloads in the Google Play store have been exploiting user permissions as part of an ad fraud scheme that could have stolen millions of dollars.” All eight apps were Chinese in origin, with seven from a single developer, Cheetah Mobile. “The companies claim more than 700 million active users per month for their mobile apps.”
And this month alone, Davey Winder reported for Forbes on the threat from mobile applications, leaving “iPhone and iPad users not as secure as they might imagine, [with] their personal data at risk.” ZDNet has reported that “three-quarters of mobile applications have vulnerabilities relating to insecure data storage, leaving both Android and Apple iOS users open to cyber attacks.” And TechCrunch has reported on vulnerabilities even in U.S. mobile banking apps.
Smartphone users cannot claim that they’re not being warned.
Both Google and Apple continue to fight the good fight to keep their ecosystems secure, and on Android Google Play Protect has been designed to guard against just such malicious apps. Google has also said that “in 2018, we introduced a series of new policies to protect users from new abuse trends, detected and removed malicious developers faster, and stopped more malicious apps from entering the Google Play Store than ever before. The number of rejected app submissions increased by more than 55%, and we increased app suspensions by more than 66%.”
The use of AI to moderate content and promote internet safety has been catapulted into the news by social media’s woes in the last 12 months. Projects like Google’s Jigsaw are a sign of things to come. This study is a start on applying the same thinking to a different realm, but one that struggles with the same issues of scale and user naivety.
Ultimately, there’s no substitute for common sense and treating apps from unknown sources as potential threats. And that means checking carefully, not clicking casually. We carry all of the most valuable and private information we have on our smartphones, and we gladly give those devices access to the cloud storage where we store the rest. Our phones know where we live and work, and where we bank and spend. That’s worth remembering before inviting strangers into our virtual homes and giving them permission to roam around simply because they ask nicely.