One thing I noticed when I was investigating this incident was that the Google Play application page has a section that allows a developer to specify a website link, with a name "Visit Website".
|Google Play app metadata, including Visit Website|
I happened to notice that the website link for the application in question also included our brand/company name in the URL. I wanted to visit it to see what else I could learn from what they had on that site. When I clicked on the link, however, it went through a redirect at Google (e.g. https://www.google.com/url?q=http://example.example.com) where Google Safe Browsing actually flagged the URL as a phishing site.
|Google phishing warning|
"Google’s systems use machine learning to see patterns and make connections that humans would not. Google Play analyzes millions of data points, asset nodes, and relationship graphs to build a high-precision security-detection system."I would then imagine Google Play could take one or more of several actions if URLs are provided that get Safe Browsing scores low enough:
- Apps or developers and their apps could be delisted from Google Play until a human has reviewed the URL and app in more detail. Google announced just last month they are going to be augmenting human review of apps in Google Play so this would dovetail with those efforts.
- Google Play could and should include clear, usable UI warnings for users searching and browsing apps about the suspicion/risk so that they can make informed trust decisions.
- The Google Play Verify Apps could further come into play if apps are confirmed malware/badware/Potentially Harmful Apps (PHAs) to warn users who may have already installed such an application or block the app. This would also seem to dovetail with other recently-announced efforts in their Google Android Security 2014 Report to help crack down on these kinds of applications in the Android ecosystem.