BACKGROUND:
In response to reports that a malware campaign has infected more than 10 million Android devices from over 70 countries and likely stole hundreds of millions from its victims by subscribing to paid services without their knowledge, experts at cybersecurity firms Cerberus Sentinel and RiskLens offer the following comments.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
<p>The alarming part of this story is that Google Play allowed more than 200 malicious app updates on its app store. Android users implicitly trust Google Play because it comes pre-installed on most Android devices. Where can they turn to if they can\’t trust Google Play? Almost every alternative Android app store is even worse on security.</p>
<p>Play Protect, the antivirus scanner used to check Android apps for malicious behavior, fails to flag a lot of malware on Google Play. According to <a href=\"https://www.av-test.org/en/antivirus/mobile-devices/android/july-2020/google-play-protect-20.7-202909/\" data-saferedirecturl=\"https://www.google.com/url?q=https://www.av-test.org/en/antivirus/mobile-devices/android/july-2020/google-play-protect-20.7-202909/&source=gmail&ust=1633088526814000&usg=AFQjCNE-MxFvmcPTN77mQcdYLVV2Z45VIQ\"> AV Test</a>, Play Protect detected only 52.3% of malware attacks in real time, and 55.1% of malware samples. The average for these two categories among all AV programs tested was 96.9% and 97.3%, respectively. That is not an effective antivirus. Humans probably aren\’t reviewing apps before they\’re published, either.</p>
<p>Google might lower the antivirus\’ strictness in order to catch fewer false positives that prevent legitimate apps from publishing. But the result is that more malicious apps make it past Google\’s scans.</p>
<p>As more organizations consider and adopt \’bring-your-own-device\’ policies, it becomes increasingly important for CISOs to understand and communicate the impact of mobile malware threats in terms the business understands. Only when these risks are understood in financial terms can security leaders effectively prioritize security spending to mitigate the immediate and follow-on effects of compromise.</p>
<p>It’s unfortunate that it’s gotten to the point that you can’t fully trust apps in official first party stores any longer. These store vendors really must do a better job of policing the behavior of the applications they distribute. In some cases, ignorant users may be to blame, such as when they may attempt to download pirated copies of apps from third-party stores, but most users aren’t, nor should they be able to, spot malicious apps or app activity stemming from an official source.</p>