
Bad news Android malware - Google Play apps and updates must now pass human review


March 18, 2015


In a major change in the way that it handles app submissions from developers, Google says it’s going to do more to prevent malicious and dodgy Android apps from entering the official Google Play store.

Up until now, Google has been criticised for being lackadaisical in its approach to what apps can be listed in the official Android marketplace, causing some observers to describe the Google Play store as an unpoliced mess polluted with thousands of fake and sometimes malicious apps that demand access to unnecessary permissions, mess with browser settings, steal information, or pop up irritating adverts.

Remember the Android game in the Google Play store which secretly stole private WhatsApp chats and offered them for sale?

Or how about the bogus anti-virus products that have made it into the Google Play store?

Or were you one of the 100,000 people who downloaded a fake BlackBerry BBM Android app from the Google Play store?

Clearly bruised by the criticism, particularly in comparison to Apple’s tightly-controlled iOS App Store, Google revealed yesterday that its approach had changed “several months ago” with the intention of better protecting Android users:

“Several months ago, we began reviewing apps before they are published on Google Play to better protect the community and improve the app catalog. This new process involves a team of experts who are responsible for identifying violations of our developer policies earlier in the app lifecycle. We value the rapid innovation and iteration that is unique to Google Play, and will continue to help developers get their products to market within a matter of hours after submission, rather than days or weeks. In fact, there has been no noticeable change for developers during the rollout.”

Of course, Google has tried to better police its app store in the past with technologies like Bouncer, an automated security system that was supposed to analyse and reject malicious Android apps before they were published on Google Play.

The quality of Bouncer has often been in question, because of the continued success malware authors and scammers have had in managing to sneak their toxic apps into the marketplace, and flaws found by security researchers which revealed how it was possible to bypass checking entirely.

Let’s hope that Google’s new approach of using human experts to examine apps submitted to the Google Play store will be more successful at protecting its many millions of users in future. It’s probably too early to say that this will be the end of malicious content being published in the official Android marketplace, but it sounds like a step in the right direction.

Google also says it is going to be more upfront in explaining to developers why their app has been rejected by the Google Play store, making it easier for genuine developers who have made a minor transgression of the rules to resubmit their apps for another attempt rather than live in fear of perpetual banishment.




Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.
