In a recent press release, Trend Micro made a fairly bold claim about malware running rampant in the Google Play Store. The release, dated July 15, 2014, began as follows:
Google Play populated with fake apps, with more than half carrying malware
Potentially evil doppelgangers for the most popular apps are inundating the Google Play store, with many carrying malware, according to a new blog post and report by Trend Micro, a global developer of cyber security solutions.
In the report more than 77 percent of the top 50 apps on the Google Play store have repackaged or fake apps associated with them. This includes:
- 100 percent of the apps categorized under Widgets, Media & Video, and Finance
- 90 percent of the apps categorized under Business, Music & Audio, and Weather
- Approximately 70 percent of the apps categorized under Games, Books and Reference, and Live Wallpapers
The Trend Micro blog post points out that creating fake or repackaged apps contribute to the growth of mobile malware. From the post:
Repackaged applications, which are a category of fake applications, play a crucial role in the proliferation of mobile malware. Like fake apps, repackaged apps use social engineering tactics, displaying similar user interface (UI), icon, package names and app labels as the legitimate/official version of the apps they spoofed. This is done to trick users into downloading fake apps and consequently, generating profit.
This is a striking claim, and if true it would have serious security implications for Android users. So, I decided to test Trend Micro's claims.
On every Android device I use, I run Malwarebytes to ensure I'm not using or writing about a malicious app. For this test however, I also installed Trend Micro's Mobile Security And Antivirus.
I opted to test apps from the Widget, Media & Video, and Finance category — seeing as how Trend Micro claims that 100% of those apps have repackaged or fake apps associated with them. After installing five widgets from the top 100, I ran both Malwarebytes and Trend's own software. Neither scanner found a single threat.
I also checked to see if these same widgets had fake versions associated with them. Not one came up with a fake app on the Google Play Store.
So, what's going on here? Is Trend Micro's research wrong? Where my tests inaccurate?
Fake apps came from third-party sources, not Google Play
To find out, I contacted HCK Partners (which sent out the press release on behalf of Trend Micro). I shared with them the results of my tests and asked about the company's claims that Google Play was "populated with fake apps" of which "more than half" carry malware and that the Google Play is inundated with "potentially evil doppelgangers for the most popular apps".
In response, they walked back both claims and attempted to clarify the information in the original release:
Our research isn't saying that this problem exists exclusively on Google Play because the majority of these problem apps are available in places other than Google Play. We are now aware that this point wasn't presented in a clear enough manner, and based on that feedback we have updated our blog with the following:
Update as of July 17, 2014, 9:08 A.M. PDT:
Note that the fake apps samples we gathered are from third party sources and none was found in Google Play
The point of our research, in fact, is to highlight the risks around apps found in apps from sources other than Google Play.
Apparently, the individual who wrote this release was more than a little overzealous with their charges of rampant malware in the Google Play Store. There's a clear disconnect between the subject line of the release, "Google Play populated with fake apps, with more than half carrying malware," and the company's follow-up statement, "Note that the fake apps samples we gathered are from third party sources and none was found in Google Play".
To state that "77 percent of the top 50 apps on the Google Play store have repackaged or fake apps associated with them" is significantly different than saying 77% of Android apps coming from third-party sources contain malware. And even then, a third-party source could easily include the Amazon app store. Claims like these need facts and sources. Where were these fake apps found? Which specific apps were they?
I understand that people make mistakes and companies often make extravagant claims in press releases. But in this day and age, when a single claim from a reputable source can be the thing that sways consumers from one product to another, you better make 100% sure your 100% claim is 100% true before you send it out to the world.
Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website getjackd.net.