
New warning in the Google Play Store – Don’t make this expensive mistake



In just under two weeks, Google’s Play Store will change forever. A large number of apps are expected to be removed from the store as Google introduces strict new quality controls. More importantly, however, the removal of these apps should also rid the Play Store of most of the malicious threats hiding within it.

So it’s quite timely that, just before the Play Store is cleaned up, Google suddenly finds itself defending a lawsuit over a single one of these malicious apps. The plaintiff claims she downloaded a crypto app from the Play Store, which then scammed her out of a significant amount of cryptocurrency before disappearing itself. The strength of Google’s defense, experts say, will depend on how long the shady crypto app was allowed to stay on the Play Store after it was first flagged as a potential problem.


An Android security report released this week by Switzerland’s EPFL warns of “31 critical vulnerabilities in the Android system” and advises users to “download apps only from trusted app stores,” namely the Play Store, and ensure their devices remain eligible for security updates. The problem is, however, that the Play Store is not the safe haven that the advice might suggest, and the report comes in a month when Google and other Android device OEMs are rushing to release fixes for the latest Android zero-day vulnerability.

Google has spent years cleaning up the Play Store, and yet the number of malicious apps that bypass these defenses has not decreased. These apps are not developed one at a time in a back room, but on an industrial scale. Countless apps are built on the same basic malware fundamentals, applying one new technique after another to evade detection and censorship. It’s a seemingly limitless game of cat and mouse.

While other malicious Android apps steal credentials to drain bank accounts, that is quite different from putting your money or cryptocurrency into the malicious app itself. It was not long ago that Google itself filed suit against a portion of the crypto criminals who, as Reuters reported, are said to have “abused the Google Play Store to defraud thousands of users of their money using dozens of fake cryptocurrency investment apps… resulting in losses of up to tens of thousands of dollars per victim.”

I asked Google for comment on the recent lawsuit.

The alleged scam behind the new lawsuit filed in California predates Google’s lawsuit, and it’s not known if there are any connections, but it’s clear that crypto scams are just as common on the Play Store as they are anywhere else. Android is just one field where scammers can meet victims. Earlier this month, the FBI warned that scammers are cold calling and “posing as cryptocurrency exchange employees to steal funds,” about as simple a scam as you’ll find these days, and yet even that scam has failed to work.

There are currently countless crypto scams of one kind or another on the Play Store, either directly through the app, as in this month’s lawsuit, or as part of a web to trap victims, even if the attack itself comes from outside the Play ecosystem. Google and its security partners will eventually find and delete these threats, and then they will return under new names and facades, or others will take their place.

But Google’s next two security initiatives on the Play Store could be its most powerful yet. The first is mass app deletion, and the second is live threat detection, which will be introduced with Android 15. It is designed to allow an app on a device to be flagged as dangerous before more targeted, centralized action is taken.


In the meantime, you should generally assume that crypto or other financial apps from random developers without verifiable backing from an established institution are not to be trusted. Assume it is a scam unless proven otherwise, not the other way around. And this is especially true for financial apps from other parts of the world.

The doubling of crypto theft hacks in the first half of the year could be due to rising prices and “a small number of large attacks,” as Reuters reported, but a large number of smaller frauds has also pushed this number up.

As the old saying goes: If it sounds too good to be true…
