How much do you trust app stores’ security validations?

January 26, 2014

The easiest way for users to find and download mobile apps is to go to an app store. One common misunderstanding, however, is that app stores always apply rigorous security validations to uploaded apps, so that whatever is listed there is safe and worry-free.

An investigation by VisualThreat researchers into 38 Android app stores from both the US and China has shown that major Android app stores apply only limited security validations, or none at all. As a result, a large number of Android apps in popular app stores were found to have privacy issues or to pose potential threats.

“Popular” doesn’t Mean “Safe”

VisualThreat researchers investigated 38 popular Android app stores from December 2013 to January 2014. In the previous blog, “More than 50% of popular Christmas and New Year’s Apps contain adware in the Google App store”, they found that the adware percentage peaked at an all-time high of 51% in the Christmas and New Year categories on Google Play.

In this blog, let’s take a look at the other 37 third-party app stores. 28 of them are hosted in China and together cover 85%+ of all Chinese Android apps; the remaining 9 are based in the US. The validation approaches they advertise are summarized as follows:

  •  Deploy anti-malware scanners to detect malicious apps
  •  Detect advertisements (ad SDKs) inside apps
  •  List the permissions an app requests
  •  List risky behaviors
  •  Measure the battery consumption of apps
  •  Indicate whether the app is the official version
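As an added illustration (this is example code, not VisualThreat’s tooling or any store’s backend), the script below shows what three of these validations look like when implemented as a static check over an app’s metadata: it lists the permissions requested in AndroidManifest.xml, detects bundled ad SDKs by package prefix, and derives simple risky-behavior labels such as “can read contacts and send them over the network”. The sample manifest, the class-name list and the ad-SDK package prefixes are constructed for the example; the permission names are real Android permissions, but the grouping into privacy categories is this example’s own.

```python
"""Static store-side checks over an uploaded app's manifest and class list (example)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Tuple

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names; the "what it exposes" labels are this example's own.
PRIVACY_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.READ_PHONE_STATE": "device identifiers",
    "android.permission.RECORD_AUDIO": "microphone audio",
    "android.permission.READ_CALL_LOG": "call log",
}

# Constructed placeholder prefixes. A real scanner would keep a curated list of
# actual ad-SDK packages and update it as SDKs are renamed or repackaged.
AD_SDK_PREFIXES = ("com.example.adnet.", "net.example.mobileads.")


@dataclass
class Report:
    package: str
    permissions: List[str]
    privacy_permissions: Dict[str, str]
    ad_sdks: List[str]
    risky_behaviors: List[str]


def parse_permissions(manifest_xml: str) -> Tuple[str, List[str]]:
    """Return (package name, requested permissions) from a manifest document."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    perms = [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]
    return package, [p for p in perms if p]


def detect_ad_sdks(class_names: List[str]) -> List[str]:
    """Report which known ad-SDK packages appear among the app's classes."""
    found = set()
    for name in class_names:
        for prefix in AD_SDK_PREFIXES:
            if name.startswith(prefix):
                found.add(prefix.rstrip("."))
    return sorted(found)


def assess(manifest_xml: str, class_names: List[str]) -> Report:
    """Combine permissions and bundled SDKs into user-facing risk labels."""
    package, perms = parse_permissions(manifest_xml)
    privacy = {p: PRIVACY_PERMISSIONS[p] for p in perms if p in PRIVACY_PERMISSIONS}
    ads = detect_ad_sdks(class_names)
    risky = []
    has_net = "android.permission.INTERNET" in perms
    # Personal data plus a network path is the classic data-leakage combination.
    if has_net:
        for what in privacy.values():
            risky.append(f"can read {what} and send it over the network")
    # An ad SDK runs inside the app process and inherits every permission the app holds.
    if ads and has_net and privacy:
        risky.append("bundled ad SDK can reach the same personal data as the app")
    return Report(package, perms, privacy, ads, risky)


# Constructed sample input: a wallpaper app that asks for far more than it needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.holidaywallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application android:label="Holiday Wallpaper"/>
</manifest>"""

SAMPLE_CLASSES = [
    "com.example.holidaywallpaper.MainActivity",
    "com.example.adnet.AdView",
    "com.example.adnet.Tracker",
    "android.support.v4.app.Fragment",
]

if __name__ == "__main__":
    report = assess(SAMPLE_MANIFEST, SAMPLE_CLASSES)
    print(f"{report.package}: {len(report.permissions)} permissions, ad SDKs: {report.ad_sdks}")
    for line in report.risky_behaviors:
        print(" -", line)
```

The point of the risky-behavior labels is the one the post makes later: a permission list on its own is not what users need, because a store that prints “READ_CONTACTS” tells them far less than one that says the app, and any ad SDK inside it, can read contacts and has a network path to send them out.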

Fig. 1 Security validations from US app stores

Fig. 1 summarizes the security validations applied by 9 popular US Android app stores. None of them named the anti-malware scanner used or listed risky behaviors alongside the app descriptions. This may be because an Android emulator is used in the backend for malware detection, or because these stores only list apps they already consider legitimate. Nor did they flag advertisements, presumably to keep the Android ecosystem profitable for developers who depend on advertising revenue. Battery usage and official-version checks are less of a concern in the US than in China.

Unfortunately, not a single app store showed the hidden risky behaviors of apps. For the tens of millions of legitimate apps, users want to know more about these potential threats, e.g. the data and privacy leakage risks inside apps.

Fig. 2 Security validations from China app stores

Since China has no centralized, authoritative app store comparable to Google Play in the US, Chinese app stores put more effort into validating apps with respect to malware, copy-cat apps, advertisements and even battery consumption. For example, more than half of the app stores deployed 1 to 3 malware scanners, and quite a few listed the permission information for each app.

“More Security Validations” doesn’t Mean “Less Risks”

Why? Because what you see is not what has been done. In our understanding, some app stores do not actually run the security validations they list on their app pages, for financial reasons: doing so would reduce the number of apps listed on the store and hurt their business model.

For example, VisualThreat’s threat report on a certain app indicated that the app made heavy use of advertisement SDKs. A user confirmed this by leaving complaints about the injected advertisements. Ironically, a “no advertisement” tag still sits beside the app icon as of today.

Fig. 3 Advertisement validation

Neither the US nor the Chinese app stores were able to show risky behavior information, which is precisely the information users most want. We analyzed the risky behaviors of the top 20 apps from 2 Chinese app stores. Data and privacy leakage were the most common issues, as shown in Fig. 4.

Fig. 4 Risky behaviors from top 20 apps

Current security validations on app stores are too limited to provide real-time and accurate visibility into an app’s threat status, even where anti-malware functionality has been deployed. As a leading mobile security vendor, VisualThreat offers a comprehensive threat report and a security certification score for mobile applications.

By providing MobileThreatCert profiles for millions of mobile apps, VisualThreat enables customers to discover mobile threats in a visual way. The MobileThreatCert is a number between 0 and 100 that represents how risky a mobile app is: the riskier the app, the higher its score. MobileThreatCert measures the threat level of a mobile app and correlates its contents with mobile malware seen in the wild.

Fig. 5 VisualThreat mobile threat validations

For more details, please visit