I realized that I had never closed the loop on the flaw I reported in the Google Play store years back. It was a missed opportunity: Google's own Safe Browsing data could inform the Google Play machine learning that detects suspicious mobile applications, so that Google Play could alert users, block those apps, and potentially force them through a human review cycle before they are published.
During an incident at JP Morgan Chase, we were alerted to a malicious banking application in the Google Play store targeting JP Morgan Chase customers. The URL in the Google Play application listing was correctly flagged as malicious by Google's own Safe Browsing API. However, Google's Android app review did not consider this information when deciding to allow the application to be published. Nor did Google Play use it afterwards to flag the app for review, unpublish it, or even warn users that the application might be suspicious because of its association with a known-malicious URL.
Google chose not to fix this. Closed as "Won't Fix (Infeasible)" ¯\_(ツ)_/¯
It's no surprise to still see articles like this 5 years later: "Google Play Store Is Main Distributor of Malicious Apps, Study Reveals" (2020, November 12), and this one from just *yesterday*: "Malware From Google Play Store Infects 700,000 Users" (2021, April 26).
Their official Android safety page (https://www.android.com/safety/) has this gem:

"Google Play Protect helps you download apps without worrying if they'll hurt your phone or steal data. We carefully scan apps every day, and if we detect a bad one, we'll let you know and tell you what to do next. And we study how it works. Because everything we learn improves the way we screen apps. So you stay safer."

Well, they're not using "everything we learn" to "improve the way we screen apps".
My original questions to the Android team are still unanswered:
- Is the Google Play store taking advantage of Safe Browsing API data to identify risky app store apps?
- Is it able to flag app uploads whose listing URLs match risky Safe Browsing data and block them from the app store unless there is human review, for example?
- Is it able to hide or flag applications that are already in the app store, so that unsuspecting users do not unwittingly install a likely malicious application associated with unsavory sites?
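The check the questions above ask for is not complicated, so here is what it could look like as an added example (my own illustration, not code from Google or from the original report). It builds a Safe Browsing v4 threatMatches:find request for every URL a Play listing exposes (developer website, privacy policy, links in the description), and applies a simple policy to the response: a match on an unpublished upload holds it for human review, a match on an already-published app flags it and warns users. The network call is replaced by an offline stand-in that answers from a constructed threat list in the same response shape; the client id, the sample listings, and the hostnames in the threat list are all assumptions made up for the example.

```python
import json
from urllib.parse import urlsplit

# Constructed threat list standing in for Safe Browsing data (hypothetical hosts).
# Real Safe Browsing v4 matching works on canonicalized URL/host expressions;
# here a host suffix match is enough to show the policy.
SAMPLE_THREAT_LIST = {
    "chase-secure-login.example": "SOCIAL_ENGINEERING",
    "cdn.malware-dropper.example": "MALWARE",
}

# Real endpoint (not called here): POST https://safebrowsing.googleapis.com/v4/threatMatches:find?key=API_KEY
def build_lookup_request(urls, client_id="play-review-hook", client_version="0.1"):
    """Build the JSON body for Safe Browsing v4 threatMatches:find.
    The body layout follows the public v4 Lookup API; the client id is an assumption."""
    return {
        "client": {"clientId": client_id, "clientVersion": client_version},
        "threatInfo": {
            "threatTypes": ["MALWARE", "SOCIAL_ENGINEERING",
                            "UNWANTED_SOFTWARE", "POTENTIALLY_HARMFUL_APPLICATION"],
            "platformTypes": ["ANDROID"],
            "threatEntryTypes": ["URL"],
            "threatEntries": [{"url": u} for u in urls],
        },
    }

def offline_lookup(request_body):
    """Stand-in for the network call: answers from SAMPLE_THREAT_LIST in the
    same {"matches": [...]} shape the real API returns (empty object when clean)."""
    matches = []
    for entry in request_body["threatInfo"]["threatEntries"]:
        host = urlsplit(entry["url"]).hostname or ""
        for bad_host, threat_type in SAMPLE_THREAT_LIST.items():
            if host == bad_host or host.endswith("." + bad_host):
                matches.append({
                    "threatType": threat_type,
                    "platformType": "ANDROID",
                    "threatEntryType": "URL",
                    "threat": {"url": entry["url"]},
                })
    return {"matches": matches} if matches else {}

def listing_urls(listing):
    """Collect every URL a listing exposes: developer site, privacy policy,
    and any http(s) links embedded in the description text."""
    urls = [listing.get("developer_website"), listing.get("privacy_policy")]
    for token in listing.get("description", "").split():
        if token.startswith(("http://", "https://")):
            urls.append(token.rstrip(".,;)"))
    return [u for u in urls if u]

def review_decision(listing, lookup=offline_lookup):
    """Policy: any Safe Browsing match on a listing's URLs holds a new upload
    for human review, or flags an already-published app and warns users.
    Returns (action, sorted list of threat types matched)."""
    body = build_lookup_request(listing_urls(listing))
    matches = lookup(body).get("matches", [])
    if not matches:
        return ("publish", [])
    action = "flag_and_warn_users" if listing.get("published") else "hold_for_human_review"
    return (action, sorted({m["threatType"] for m in matches}))

# Constructed sample listings (hypothetical packages, not real apps).
SAMPLE_LISTINGS = [
    {"package": "com.example.fakebank", "published": False,
     "developer_website": "http://chase-secure-login.example/app",
     "privacy_policy": "http://chase-secure-login.example/privacy",
     "description": "Bank on the go. Support: http://chase-secure-login.example/help"},
    {"package": "com.example.flashlight", "published": True,
     "developer_website": "https://flashlight.example",
     "description": "Free flashlight. Updates from https://cdn.malware-dropper.example/update.apk."},
    {"package": "com.example.notes", "published": True,
     "developer_website": "https://notes.example",
     "privacy_policy": "https://notes.example/privacy",
     "description": "Plain notes."},
]

if __name__ == "__main__":
    print(json.dumps(build_lookup_request(listing_urls(SAMPLE_LISTINGS[0])), indent=2))
    for listing in SAMPLE_LISTINGS:
        action, threats = review_decision(listing)
        print(f"{listing['package']}: {action} {threats}")
```

Swapping `offline_lookup` for a function that POSTs the request body to the real endpoint with an API key is the only change needed to run this against live Safe Browsing data; the decision logic does not depend on where the matches come from.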
My original writeup:
Google Play + Safe Browsing = Safer Android Mobile Ecosystem. (2015, April 7). Retrieved from https://truthimperative.axley.net/2015/04/google-play-safe-browsing-safer-android.html