Oh, look: More malware in the Google Play store

A quartet of malware-laden Android apps from a single developer have been caught with malicious code more than once, yet the infected apps remain on Google Play and have collectively been downloaded more than one million times.  The apps come from developer Mobile apps Group, and are infected with the Trojan known as HiddenAds …

  1. Pascal Monett Silver badge
    FAIL

    "before adding the malware back in a future update"

    So how is it that said developer is not completely banned?

    He cannot say that he didn't do it on purpose.

    1. RyokuMas
      Facepalm

      Re: "before adding the malware back in a future update"

      Unless things have changed drastically since I was last developing anything in mobile-space (which was a few years ago, I'll admit), a ban could be worked round easily enough with another $25 and some new personal details for a new developer account.

      1. MiguelC Silver badge

        Re: "before adding the malware back in a future update"

        Indeed, but it would mean losing the million+ downloads on their account.

        Starting from scratch makes it a lot harder to be on top of apps lists - most people have no problem downloading an app that has been downloaded 100k times, but one that's only been downloaded 17 times? mmmhhh....

        1. RyokuMas
          Meh

          Re: "before adding the malware back in a future update"

          When last I was developing in mobile-space, it was pretty easy to buy a few hundred thousand installs to get the numbers up.

      2. iron Silver badge

        Re: "before adding the malware back in a future update"

        Google does connect the dots and will ban the new account if you try that. There is plenty of evidence of this on r/androiddevelopers.

        1. Anonymous Coward

          Re: "before adding the malware back in a future update"

          Then why no ban on this guy?

    2. Grogu yoda

      Re: "before adding the malware back in a future update"

      The problem is How JavaScript works.

      To get your Web Browser Office Apps (Google Docs) to Work, JavaScript changed from Interpreted to Compiled.

      Compiled Languages are easier to Hack. Interpreted Languages, the Virtual Machine, can See What is Happening at a High Level. Therefore can Check things Thoroughly.

      C# .Net, Java and Visual Basic are Semi Compiled. They're just as Safe as Interpreted JavaScript, if ALL Checks are DONE.

      JavaScript is 1/10 th the Speed of C++. Fully Checked C# .net is 1/7 th the Speed.

      C# with partial checking is 1/2 or 1/3rd the Speed of C++.

      C# on the XBOX isn't doing FULL checks and Can be Hacked.

      We're using Minix, with Partial Java / C# Checking. That's equivalent to Full Checking with Speed. The Entire Industry is gonna have to go back 10 years. The Days before AJAX apps. Now, Tomcat EE (PS3) looks pretty good. The Borg are Dead. Nobody to Fix Free Software bugs in Weblogic. The Competition has only got PHP. That's not even good as JSP (PS2). PHP is like C for Web Development. Equivalent to SNES. The days of Website hacking are back. Website hacking Stopped with ASP (PS1) or JSP (Java and Web HTML).

      My Father was Planning to be a Linux distribution and a Software Consultancy.

      Now, he's Microsoft Java Linux and Apple PlayStation VR.

      1. iron Silver badge

        Re: "before adding the malware back in a future update"

        You can obfuscate code in any language, compiled or interpreted does not matter.

        Also, this is about Android apps, which are mostly written in Java or Kotlin, both of which are compiled to IL, so again the compilation of JavaScript has no bearing on the matter.

  2. Pascal Monett Silver badge

    "Well over 50 percent .."

    That, to me, says that there's well over 30% that did.

    We're not out of the woods yet.

  3. Anonymous Coward

    I bet you can't even list apps by publisher

    in crappy Google's crappy Android.

    Which would be the single easiest way to help folk dump dodgy apps if you aren't going to stop them being inserted into the warez you fling.

    I wonder how much longer these outfits can keep up the pretence they aren't liable for any malware they've allowed into their stores. After all, if Waitrose negligence allowed people to infect food with salmonella, you can bet they'd be liable.

    1. Jamie Jones Silver badge

      Re: I bet you can't even list apps by publisher

      Sorry to interrupt your little rant, but in the play store app, you can simply do this to view by publisher:

      pub:Mobile apps Group

      The above links you to this page: pub:Mobile apps Group

      HTH. HAND.

      1. Anonymous Coward

        Re: I bet you can't even list apps by publisher

        That wasn't what was asked.

        You really must work for Google.

        1. Jamie Jones Silver badge
          FAIL

          Re: I bet you can't even list apps by publisher

          What are you talking about?

          The comment I responded to is even quoted in the title of your reply. Idiot.

      2. Paul Herber Silver badge

        Re: I bet you can't even list apps by publisher

        How does that help though? They look as legitimate as any other app dev.

        1. Anonymous Coward

          Re: How does that help though?

          Task: remove all apps from a given publisher as quickly and easily as possible.

          Task2: Explain to a complete technophobe how to remove all apps from a given publisher etc etc.

          Now do you see? If Google are going to pump out shite like this, then the least they could do is make it easy to remove it.

        2. Jamie Jones Silver badge

          Re: I bet you can't even list apps by publisher

          I didn't say it helped.

          I was responding to "I bet you can't even list apps by publisher"

      3. Jamie Jones Silver badge
        WTF?

        Re: I bet you can't even list apps by publisher

        I know we never talk about downvotes, but 6 downvotes for correcting someone's snide and inaccurate comment is impressive!

        I'm proud of you, Microsoft fanboys wherever you are!

        1. doublelayer Silver badge

          Re: I bet you can't even list apps by publisher

          I'm curious why you think downvoting a post about Google Play's organization has anything to do with Microsoft. The correction was accurate about what could be done, although not very useful to the greater point about removing malware that Google didn't bother to do proactively, but whether you think Google is terrible about malware or the best source of software is independent of your views about Microsoft.

          1. Jamie Jones Silver badge

            Re: I bet you can't even list apps by publisher

            It was a little joke based on the fact that over-the-top Linux fans blame Microsoft for everything - whether factual or not.

            So, I turned it around, tongue-in-cheek. Ok, so it was crappy.

            And my response was "useful" in that it corrected the inaccuracy I replied to - I didn't just post it out of nowhere.

            Google pisses me off bigtime. If you look at my posting history, I've actually criticised Google far more than anyone else - including Microsoft.

            But the obvious ranting and inaccurate post needed to be responded to in a similarly obnoxious and stupid way, yet got more downvotes than the parent!

      4. Anonymous Coward

        Re: I bet you can't even list apps by publisher

        The link displays an odd Google Play app with a Russian developer and little documentation.

  4. v13

    Use APP for security

    If you want true security, enroll in the Advanced Protection Program. It's free and it limits the types of apps you can install by only allowing apps that have been scrutinized thoroughly.

  5. Anonymous Coward

    better Android

    Maybe if Android was built with security first and not as an advertising tool, which is what Google is. If Android is to ever be secure, it won't be done by goog.

    Time to set it free goog, or keep the reputation of delivering more malware than any other source in ever.

    1. Jamie Jones Silver badge

      Re: better Android

      They are crap with their Play auditing, yes, but as for Android itself, tell me what it did wrong?

      What are the security failures when an app uses permissions that it was SPECIFICALLY granted by the user?

      The only "solution" would be to block such facilities altogether - crippling the OS for all legitimate applications that require use of the phone modem etc.

      Indeed, they've already done this with some things. Android's ability to do things is far more restricted now than it used to be - all to appease the people who would click YES to "submit your bank account details, including PIN, and authorise the company to remove all your money"

  6. Anonymous Coward

    Google is about making money for Google

    It cares nothing for app security.

    Play store?! More like PlayMobil.

  7. TheMeerkat

    Which is why people are buying iPhones. At least they control what gets into their App Store.
