Malware Apps Linger on Market for Weeks, Stringhini Finds

By Patrick L. Kennedy

Even after being flagged as malicious software, malware persists on the Google Play app store for an average of 77 days, Assistant Professor Gianluca Stringhini (ECE) and colleagues found in an unprecedented study of millions of mobile app downloads in 201 countries.

And it isn’t just Google. Malware apps—ranging from criminal attempts at stealing credit card numbers to nuisance apps that display too many ads—stick around on alternative marketplaces for an average of 34 days after being identified as malware. Even individual users fail to delete such apps from their phone for about 20 days after receiving alerts.

But Google Play has the biggest problem, simply because it’s the biggest player in the Android ecosystem, says Stringhini. Google developed the Android operating system, which runs on more than 70 percent of smartphones globally.


“Google Play actually targets and takes down more malware than any of the other markets,” says Stringhini. “But the sheer amount of apps they deal with is way higher. Even if just a small fraction of malefactors get through, they can cause a lot of damage.”

For their study, Stringhini and collaborators from Norton Research Group combed anonymized data for 8.8 million daily detections of malware on Android phones in 2019 and 2020, affecting 11.7 million customers of Norton security software. The Norton program detected potentially harmful apps and sent alerts to Google Play and other app stores, as well as to the phone users.

However, that’s all the security program can do. It doesn’t delete the apps; that’s up to the stores and the users. Obviously, the stores can’t keep up, especially not Google Play. “It’s hard to get everything out of your platform when you’re the biggest target,” says Stringhini.

But why don’t ordinary phone users respond to the alerts more promptly? That’s less clear. “It could be alert fatigue,” says Stringhini. “If you receive 10 alerts a day about potentially harmful apps, you stop caring. Maybe people don’t really understand what the threat is; maybe the malware doesn’t do anything obvious.”

In a separate paper, Stringhini and Norton colleague Yun Shen propose a potential solution. “What if we could predict what kind of malware applications you’ll encounter in the near future,” asks Stringhini, “and warn you ahead of time?”

This warning system would exploit the same element of app stores that the bad guys do: the predictive software that generates app suggestions. Based on a customer’s previous installations, a store will often unwittingly suggest malware apps posing as legitimate apps. (This happens in that 34- to 77-day period before the malicious apps are taken down.)

Shen and Stringhini’s system, which they call ANDRUSPEX, would use your installation history in a different way. If users whose installation histories resemble yours have tended to install the same suspect apps, ANDRUSPEX would flag those apps to you as ones to avoid. The researchers tested their system and presented the results at the recent IEEE European Symposium on Security and Privacy.

In the meantime, what can you do to protect your phone from malware in disguise? Exercise caution, says Stringhini. Make sure you’re not being offered something too good to be true.

“Oftentimes, criminals will take a paid app and make it free, but add some malicious component,” the professor says. “If the same app is available in both a paid version and a free version, that’s a warning sign.”


Graphic by Gabriella McNevin-Melendez using photography by Tyler Lastovich on Unsplash