Bit9 finds over 100,000 “suspicious or questionable” Android apps in Google Play

November 4, 2012

We Android enthusiasts all like to brag about how awesome the openness of our “ecosystem” is and how the number of apps has increased lately to the point of matching Apple’s App Store, but with so many great things, a major concern has arisen too.

Android devices unfortunately seem to be more and more vulnerable to malware and viruses, with security vulnerabilities pushing Google to include advanced anti-malware protection in the latest OS version, 4.2. That could well cut the evil off at its roots, but what are we going to do before Jelly Bean 4.2 rolls out on a wide scale (which, as we know, can take an awful lot of time)?

An easy answer would be to avoid app stores other than Google Play, as well as “suspicious” apps all around, but what if such apps are everywhere? We heard just last week that we can’t fully trust the top 500 Google Play apps, and now a new report comes via Bit9 with some even more worrying numbers.

According to the security solutions provider, there are more than 100,000 Android apps in Google Play that can be defined as “suspicious or questionable”, based on permissions requested, categorization and the publisher’s reputation.

Okay, let’s pause here a little. 100,000 suspicious apps?!? Wow, that’s a lot! And it’s definitely worrying. Not to mention that Bit9 only studied 400,000 Google Play apps, with the total number now topping 700,000. Or that 72% of those 400,000 (more than 290,000 apps) are reported to access “at least one high-risk permission”.

Again, it’s worrying, but fortunately there is a “but”. Or two. First off, it sounds as if that categorization has been made a bit subjectively, based on “reputation”. Bit9’s report doesn’t really detail what the company understands by that, but it’s obvious that out of those hundreds of thousands of suspicious apps, far fewer are actually malicious.

Secondly, things aren’t as gloomy in the “at least one high-risk permission” department either, because what Bit9 considers high-risk includes access to location or personal info like email or contacts, among others. Granted, there are risks associated with access to such data, but not all app developers use your contacts or email to harm you.

Most of them just send you the occasional promotional offer, which is definitely annoying, but not that “dangerous”. There are also folks who sell phone numbers or emails to third parties, which is more serious, but again not always damaging.

What we’re trying to say, basically, is that unless they can tell us exactly what apps do to users and not just what they could do, these reports and their numbers shouldn’t be treated that seriously and should be filed under FUD. Then again, you should avoid going from one extreme to the other too, because even if the Android malware issue is not as critical as some might try to make it look, it is definitely a problem. And one that needs solutions yesterday. Who’s with me?
