Google didn’t comment on this story. However, its latest Android security report, published this week, does say: "no review process is perfect."
Each month, the Play store will add 40,000 or more apps, according to AppBrain. Managing that business while keeping the software malware-free is no easy task. Automated testing is the best bet to scan all those apps in a time-efficient way.
Nevertheless, the security of Android has often been compared to Apple’s iOS, and the result hasn’t always been favorable. Unlike iOS, which is under the control of Apple, the Android operating system is fragmented across numerous handset vendors, some of which struggle to keep the software securely patched.
That’s made Android, and the Google Play store, worthwhile targets for hackers.
"Since most users expect the apps in Google Play to be clean, they’re left vulnerable, making it easy for the malware to infect a massive number of users at once," said Rowland Yu, a researcher with security firm Sophos.
In the past two years, more than two dozen malware strains have been found slipping into the Google Play store, according to his research. To try to popularize the malware, hackers disguise it as games or utility apps such as energy savers, or drum up fake reviews for it.
Fortunately, when Google detects malware, it quickly pulls the apps from the store, and sometimes bans the developers involved, Yu said. But he doesn’t see an end to this cat-and-mouse game. Like Padon, Yu points to machine testing.
"Google heavily relies on machines to test and review the safety and security of apps," he said. "Only a small number of suspicious apps are actually handed over for human review."
Install rates for potentially harmful applications and unwanted software on Android devices are higher when users download from third-party app stores, according to Google.
However, even as malware occasionally slips by, Google is making progress at detecting it faster once it's downloaded, in part with a feature on Android devices called "Verify Apps." It scans the software on a phone to make sure the apps are behaving safely. If they aren't, the security feature can have the offending apps removed.
"Verify Apps conducted 750 million daily checks in 2016," Google’s security researchers said in a blog post. This helped the company reduce malicious app installation last year.
Andrew Blaich, a security researcher at mobile security firm Lookout, said the malware situation on Google Play isn’t the pandemic that can be found on some third-party Android app stores, which often do less vetting.