16 January 2018 - Data protection and mobile apps

App stores: Are they safe?


Time and again, Google has removed Android apps from its Play Store that were found to be spyware. Unfortunately, millions of users may have downloaded these tools by that time. Can you trust app stores?

How secure are app stores? What can you do to avoid downloading contaminated apps? (image: scyther / iStock / Thinkstock)

When downloading applications from Google Play, neither the promised security features are guaranteed to work reliably, nor can you be sure that apps do not contain spyware:

  • In February 2017, the Fraunhofer Institute for Secure Information Technology SIT found serious gaps in the password tools for Android. Many of the popular password managers make it easy for cybercriminals to access the protected information, e.g. if the attacker is on the same network. The security apps showed significant weaknesses.
  • In August 2017, the IT security firm Trend Micro reported having found 340 Android apps in the Google Play Store that they would rate as malware. Unfortunately this is no exception.

New checks in the app stores

Users and developers of apps have a range of options for checking the security of apps. This has also been pointed out by the supervisory authorities for data protection (guideline on data protection requirements for app developers and app vendors).

  • For one, security apps offer functions that check other apps for problems with data protection and security. However, this only works when a user downloads an app, or after downloading.
  • Online scanners are different: They are provided with a link to the app in the app store. The scanners then test the apps before installation. Trend Micro MARS is an example.
  • In addition, test labs and IT service providers offer to perform app checks on behalf of user businesses.

Google Play Protect

As the operator of an app store, Google has also introduced new checks: Google Play Protect is intended to perform security scans of Android apps that a user wants to download.

The new function is intended to warn of risks caused by installing an app.

Time will tell how high the success rate of Google Play Protect will be. At any rate, users and companies should not neglect to perform their own checks.

Google Play Protect is not sufficient

By themselves, the measures of app store operators like Google are (not yet) sufficient. Mobile device management (MDM) solutions may help here by providing a company-specific enterprise app store that contains only those apps the company has vetted and approved.

Background: Apps as a target and means of attack

Why is it so important that apps have tight security? An important reason: mobile banking is becoming the standard. One in two people uses a tablet for online banking, and four in ten use a smartphone. In more than half of these cases, people have installed a dedicated banking app, according to a survey by the German IT industry association Bitkom.

The increasing importance of apps in sensitive areas like online banking makes mobile applications on smartphones and tablets a key target of cybercriminals.

However, such applications offer data thieves even more: cybercriminals also use apps as attack tools. According to a report by the IT security firm G Data, there were 333 new Android malware apps per hour in the first two quarters of 2017, or around 8,000 contaminated Android apps per day.

The security experts at G Data counted a total of 1.5 million Android malware files in the first two quarters of 2017.

Despite these numbers, only 37 percent of companies consider the security of mobile end devices a particularly important field of activity for IT security. This was found in the IDC study "Next Gen Endpoint Security in Germany 2017".

Security on the app store cannot be taken for granted

As early as 2011, the EU IT security authority ENISA pointed out the importance of security in app stores:

"Malware apps give attackers access to the immense trove of confidential data that can be found on a smartphone, such as business e-mails, location, phone calls, text messages, etc. Customers are rarely aware of this."

The defences for app stores named by ENISA at the time primarily consisted of checks performed by app store operators before offering the apps for download by users.

Six years down the road, we can attest that while there has been some improvement with regard to the vetting of apps, the existing efforts are still inadequate.

Oliver Schonschek
Oliver Schonschek is a physicist, analyst, and technical IT journalist for IT security and data protection.