In a little under two weeks from now, Google’s Play Store will change forever. The promise is that a huge number of apps will be culled from the store as Google introduces tough new quality controls. More importantly, the deletion of those apps should also rid Play Store of the majority of malicious threats hidden within.
It’s somewhat timely then, that just before that Play Store clean-out Google is suddenly defending a reported lawsuit over just one such malicious app. The plaintiff claims she downloaded a crypto app from Play Store, which then defrauded her of a significant amount of cryptocurrency before its own disappearing act. The strength of Google’s defense, experts say, will depend on how long the dodgy crypto app was allowed to remain on Play Store after it was first flagged as a potential issue.
A report into Android security, released this week by Switzerland’s EPFL, warns of “31 critical security flaws in the Android system” and advises users to “download apps only through trusted app stores,” meaning Play Store, and to ensure their devices remain eligible for security updates. The problem, though, is that Play Store is not the safe harbor that advice might suggest, and the report comes in a month when Google and other Android device OEMs are rushing out fixes for the latest Android zero-day.
Google has spent years cleaning up Play Store, and yet the volume of malicious apps evading those defenses has not yet abated. These apps are not developed one by one in a back bedroom; they are developed on an industrial scale, countless apps built on the same core malware foundations, applying new technique after new technique to evade detection and censure. It’s a seemingly limitless game of cat and mouse.
Other Android bad apps steal credentials to empty bank accounts, but that is very different from putting your money or crypto into the bad app itself. It’s not that long ago that Google filed its own suit against a group of cryptocriminals who, as reported by Reuters, allegedly “misused Google Play store to scam thousands of users out of their money through dozens of fake cryptocurrency investment applications… leading to up to tens of thousands of dollars in losses per victim.”
I have approached Google for any comments on the latest lawsuit.
The alleged scam behind the new lawsuit, filed in California, predates Google’s action, and it’s not known if there are any links, but it’s clear that cryptoscams proliferate as much on Play Store as anywhere else. Android is just one field of play where bad actors can meet victims. Earlier this month, the FBI warned that bad actors were cold calling, “impersonating cryptocurrency exchange employees to steal funds,” as simple a scam as you can find these days, and yet even that found its mark.
Right now there will be countless cryptoscams on Play Store of one sort or another, whether directly through the app as per this month’s lawsuit, or as part of a web to snare victims even if the attack itself comes from outside Play’s ecosystem. Google and its security partners will eventually find these threats and delete them, and then they will return with new names and fascias or others will take their place.
But Google’s next two Play Store security initiatives might be its most powerful yet. The first is that mass app deletion, and the second is the live threat detection due with Android 15, which should enable an app to be flagged as dangerous on a device before more measured, central action is undertaken.
What Google is not doing is shoring up its bug bounty program—at least not for the most popular apps on Play Store. The Google Play Security Reward Program is being wound down after seven years. As reported by Neowin, “Google cites ‘overall increase in the Android OS security posture’ and ‘feature hardening efforts’ as the reason behind winding down its bug bounty program.” Let’s hope so.
Meanwhile, your base assumption should be that crypto or other financial apps from arbitrary developers without the verifiable backing of a mainstream institution are not to be trusted. Assume they’re scams unless proven otherwise, not the other way round. And that’s especially true of financial apps from other parts of the world.
The doubling of hacking related crypto thefts in the first half of the year might have been driven by rising prices and “a small number of large attacks,” as Reuters explains, but a large number of smaller scams also inflated that number.
As the old adage goes, if it looks too good to be true…