Malicious adware is still getting onto company mobiles through the Google Play app store - despite heightened security checks introduced by Google, says security firm Lookout.
San Francisco-based Lookout revealed in a blog on Wednesday that two families of adware, HideIcon and NotFunny, have slipped onto Google Play and been downloaded hundreds of thousands of times.
This is despite a revelation by Google earlier this week that it has tightened its review process on apps allowed onto the store.
In a 17 March blog post, Google Play product manager Eunice Kim said: “Several months ago, we began reviewing apps before they are published on Google Play to better protect the community and improve the app catalogue. This new process involves a team of experts who are responsible for identifying violations of our developer policies earlier in the app lifecycle.”
But Lookout comments: “Unfortunately, even official app stores' app-vetting systems are not perfect.”
Lookout found 13 instances of 'HideIcon' and 'NotFunny' on Google Play, which it says have been downloaded between 130,000 and 500,000 times, according to Google's download count.
This follows a similar discovery last month by security firm Avast, which found adware hidden on Google Play inside the Durak card game and other apps, which had been installed at least five million times.
Likewise, Bitdefender last month blogged that it had found “Ten Google Play apps that have been packed full of aggressive adware”.
The repeat adware infections raise the issue of whether CISOs should let staff access Google Play on their corporate mobile devices – and Lancope CTO TK Keanini emphasised the seriousness of the problem.
He told SCMagazineUK.com via email: “With mobile phones playing more and more of a role in our daily lives - payment app, health and lifestyle apps - attackers are going to continue to target these platforms because any exploitation is worth so much in the larger scheme of things.
“Once again, the game is not keeping them out, the game is detecting them and kicking them out when you do. This is not just Google's problem, this is everyone's problem so we all need to watch out for one another when these events happen.”
Dissecting the adware it found, Lookout says HideIcon conceals itself on the mobile device, making it hard to remove, then pushes aggressive ads to the user.
The NotFunny adware pretends to be Facebook and asks the user for permissions including their personal information, messages, location and paid-for services. It too hides and pushes aggressive advertising to the phone.
Lookout says it alerted Google to the adware, which was “quickly removed from the store”. But it points out that HideIcon had previously been spotted on Google Play in January and removed. “Somehow HideIcon slipped back into the Google Play system,” the blog says.
Despite this, Lookout European managing director Thomas Labarthe defended Google. He told SCMagazineUK.com via email: “Google does a lot to ensure people stay safe when using Play. While some bad things have slipped through, it has overall remained a very trusted place to download applications and we think they're doing a good job.”
But Labarthe advised users: “You should have many layers of defence - a security application that can keep you safe from what does slip through. Collaboration is also key. Google should continue working diligently with the security community as we have seen it do in the past.”
Tyrone Erasmus, head of the mobile practice at MWR InfoSecurity in South Africa, advised corporate users to be cautious in using Google Play.
He told SCMagazineUK.com: “People can trust that Google will give their best effort to thwart occurrences of malware. However, it does not seem that Google wants these efforts to affect the ease with which developers can get apps onto the Play Store.”
Erasmus added: “A security-conscious organisation will not be affected by this. Such an organisation would make use of a mobile device management (MDM) solution that restricts the installation of applications. However, if an organisation does not do this, then the data on the devices could certainly be exposed by these malicious applications.
“When corporate assets and access to corporate services are available from a mobile device, it should be as locked down as possible. Simply trusting employees to act in the best interest of security all the time is a flawed strategy.”
The adware issue follows news that Google has quietly scaled back its commitment to introduce “encryption by default” on all phones running its new 'Lollipop' Android operating system – giving manufacturers more time and keeping the feature optional because it impacted phone performance.