Bit9 finds over 100,000 “suspicious or questionable” Android apps in Google Play

by: Adrian, November 4, 2012

We Android enthusiasts all like to brag about how awesome the openness of our “ecosystem” is and how the number of apps has lately grown to the point of tying Apple’s App Store, but with so many great things a major concern has arisen too.

Android devices unfortunately seem to be more and more vulnerable to malware and viruses, with security vulnerabilities pushing Google to include advanced anti-malware protection in the latest OS version, 4.2. That could well cut the evil off at its roots, but what are we going to do before Jelly Bean 4.2 rolls out on a wide scale (which, as we know, can take an awful lot of time)?

An easy answer would be to avoid app stores other than Google Play, as well as “suspicious” apps all around, but what if such apps are everywhere? We heard just last week that we can’t fully trust the top 500 Google Play apps, and now a new report comes via Bit9 with some even more worrying numbers.

According to the security solutions provider, there are more than 100,000 Android apps in Google Play that can be defined as “suspicious or questionable”, based on permissions requested, categorization and the publisher’s reputation.

Okay, let’s pause here a little. 100,000 suspicious apps?!? Wow, that’s a lot! And it’s definitely worrying. Not to mention that Bit9 only studied 400,000 Google Play apps, with the total number now topping 700,000. Or that 72% of that 400,000 (more than 290,000 apps) are reported to access “at least one high-risk permission”.

Again, it’s worrying, but fortunately there is a “but”. Or two. First off, it sounds as if that categorization has been made a bit subjectively, based on “reputation”. Bit9’s report doesn’t really detail what the company understands by that, but it’s obvious that out of those hundreds of thousands of suspicious apps there are far fewer actually malicious apps.

Secondly, things aren’t as gloomy in the “at least one high-risk permission” department either, because what Bit9 considers high-risk is access to location or personal info like email or contacts, among others. Granted, there are risks that can be associated with access to such data, but not all app developers use your contacts or email to harm you.

Most of them just send you the occasional promotional offer, which is definitely annoying, but not that “dangerous”. There are also folks who sell phone numbers or emails to third parties, which is more serious, but again not always damaging.

What we’re basically trying to say is that, unless they can tell us exactly what apps do to users and not just what they could do, these reports and their numbers shouldn’t be taken that seriously and should be filed under FUD. Then again, you should avoid going from one extreme to the other too, because, even if the Android malware issue is not as critical as some might try to make it look, it is definitely a problem. And one that needs solutions yesterday. Who’s with me?

  • saurabhaj

    Google should stop such stupid security companies that survey this,
    what the heck.
    More than 1,00,000+ apps on Google Play are suspicious,
    man, just provide me the names of at least 20 apps in the report,
    then I will believe, but
    if this company had tested so many apps,
    they may be bankrupt due to those apps.
    If not due to viruses, definitely due to paid app purchases.

    • MasterMuffin

      They found for example Google Maps to be suspicious because it can track your location -.-

      • Hoops

        I don’t think anyone (yourself included) thinks that they would brand a mapping application as “Suspicious” or “Questionable” for requesting location information. Sure, they should define the rules of what they consider as suspicious if they want the numbers to be meaningful, but they did give examples, such as simple wallpaper applications that request location, contacts, email, etc.

        I don’t understand why people are so quick to dismiss the suggestion that there might be a problem.

  • malibu

    What about ROMs? Last night I had installed a version of Liquid Smooth… and it destroyed almost everything.. it was a virus that wasn’t after info but wiped all my past restore ROMs… I spent all night putting it back to stock then rooting it again

    • MasterMuffin

      Virus ROM? Highly doubt that, you just probably failed something in flashing or the ROM maker failed in something that caused that :)

  • IncCo

    seriously doubt these numbers.. I call BS!

  • I don’t question Bit9’s data but I question their interpretation of what they feel is untrustworthy and suspicious. Also, Bit9 is not only an analyst but also a provider of security solutions to those that they have surveyed (and scaremongered), which makes _their_ findings arguably unbalanced.
    I also have to question this author’s motivation with his ‘Fox’esque headline; the Bit9 blog post based on the survey goes to great pains several times to point out that most apps are not malicious. But judging from this author’s headline, we’re all doomed. It doesn’t serve our ecosystem well, but will surely empower the competition.

  • DaGr8Pnoy

    Does this affect you if you already downloaded one of the apps or if you update the app?