Never Ever (Ever) Download Android Apps Outside of Google Play

5 December 2016

This week, researchers revealed that a strain of malware hit at least 1.3 million Android phones, stealing user data as part of a scheme to boost ad revenue. Called “Gooligan,” it got into those devices the way so many of these large-scale Android attacks do: through an app. Specifically, an app that people downloaded outside the comfortable confines of the Google Play Store.

For criminals, the malicious Android app business is booming. It’s easy for a hacker to dress software up to look novel, benign, or like the dopplegänger of a mainstream product, and then plant it in third-party app stores for careless browsers to find. Once downloaded, these apps may even seem normal (if a little janky) but they can spread ransomware or types of malware that exploit system vulnerabilities to steal data or take over a whole device. Don’t want this drama on your phone? The key to protecting yourself is staying away from sketchy app stores, and only downloading software from Google Play.

Android’s open-source status makes it easily accessible to developers, but also leaves the door open for malicious apps. (Apple’s App Store isn’t immune from this issue, but it’s much less severe.) Google carefully vets the products in Play to make sure they’re safe. Rotten apps do slip through on occasion, but the company is fairly quick at removing anything problematic. “Google Play automatically scans for potentially malicious apps as well as spammy accounts before they are published on the Google Play Store,” Google said in a statement to WIRED. “We also introduced a proactive app review process to catch policy offenders earlier in the process and rely on the community of users and developers to flag apps for additional review.” There’s usually no way to know whether third-party app vendors offer this (or any) type of oversight. And malicious apps aren’t a minor threat.

“We work three to four cases a week around apps that have been seeded within the secondary app store market that conduct a variety of attacks from stealing money to rooting a phone for information stealing purposes,” says Dan Wiley, the head of incident response at Check Point, the security firm that discovered Gooligan. “When you buy or download an app from the genuine store a number of controls are in place to detect the fake and hostile apps. When you get your apps from somewhere other than the official stores, well, instead of just not getting the real thing you could lose your money, lose your personal information.”

One problem confronting Android in particular is the broad range versions, and manufacturer-imposed “skins” on top of those versions, in the wild. Nearly half of current Android users are on devices running Android 4.4—which came out three years ago—or older. This puts devices at risk because hackers can continue to successfully exploit known Android bugs for years even though they have been patched in more recent firmware updates, a strategy malware (like Gooligan) often relies on.

The most important way to ensure that your apps are legitimate is to navigate to the Google Play Store first, then search for what you want and download it there instead of using a search engine (or email from a coworker you barely know) to find a random link that may or may not lead to a legitimate source. By intentionally going to the Play Store first, you give yourself the best chance of downloading safe apps. “I definitely recommend getting things from the official sources,” says James Bettke, a counter threat unit researcher at the security intelligence firm SecureWorks. “Think before you click. Google Play establishes trust. You can trust that that app is made by a certain vendor or individual. With a third-party store you don’t know what you’re getting.”

One exception may be Amazon Underground, an app store which the retail giant created to work in parallel with Google Play so that Amazon wouldn’t have to share revenue, and could experiment with non-traditional app business models. Though staying in Play is the safest option for now, reputable third-party stores are possible, they’re just rare, because vetting apps to ensure security requires significant investment.

That’s true today more than ever. As desktop browsing declines and more people spend time on their mobile screens, apps are an increasingly appealing and lucrative target for hackers. “More and more critical functions and transactions are being executed through the apps,” says Sam Rehan, chief technology officer at the mobile security firm Arxan. “At the rate that online transactions are growing, things will only get more intense.”

Besides, no bubble-bursting game is worth leaking your personal data or a stolen identity. And it’s not like you don’t have millions of safe apps to choose from.

- Wired