A new app update means a new APK Teardown here at AP. Today's victim is the Google Play Store, which was just freshly updated to 3.9.16. We've got all sorts of stuff to talk about.

A Built-In Malware Scanner

Yes, it's hard to believe, but Google is working on a malware scanner for the Play Store. The string file doesn't lie:

    <string name="package_malware_title">App Check</string>
    <string name="package_malware_consent_text">"Allow Google to check all apps installed to this device for harmful behavior?
To learn more, go to Settings > Security."</string>
    <string name="package_malware_banner_warning">Installing this app may harm your device</string>
    <string name="package_malware_banner_blocked">Installation has been blocked</string>
    <string name="package_malware_recommendation_warning">Google recommends that you do not install this app.</string>
    <string name="package_malware_recommendation_blocked">To protect you, Google has blocked the installation of this app.</string>
    <string name="package_malware_app_name">App name: "%s"</string>
    <string name="package_malware_checkbox_label">I understand that this app may be dangerous.</string>
    <string name="package_malware_consent_title">Verify apps?</string>

Apparently, there are two parts to this. There is something called  "App Check" that will allow Google to inspect every app you've already downloaded, and a doorman-style app blocker that will warn you if an app is suspicious. It also sounds like they will have a "shut up and download it" button, for people that like to live on the edge.

We reported earlier on Bouncer, Google's server-side Play Store malware cop, but this sounds like a new, client-side initiative, possibly the result of their recent acquisition of VirusTotal.


Besides the strings, there's new artwork, which is probably for this feature. The exclamation point signs are all separate pieces, each called some variation of "ic_warning_dark.png," and the shield is called "ic_shield_dark.png." Obviously the warning would be for unchecked stuff, and the shield would assure you everything is ok.

Wish List Progress


The wish list feature we told you about is coming along nicely. The APK has several different styles of buttons - it looks like the earlier "star button" design got canned. Their names are all variations of "ic_menu_market_wishlist.png," and "ic_menu_wish_off_dark.png." The layout file for this is called "wishlist_panel.xml," which immediately conjures up images of the Google+ or YouTube sidebar.

Is anyone else noticing that all the new art is white? I had to add the dark backgrounds, because white on white doesn't look too great. The thing is, the Play Store will have the same problem. I don't see where all this white iconography would fit into the Play Store's mostly-white design. So, since Google is giving us more light icons, I say, expect more dark backgrounds.

There is also ton of freshly-added text for wish lists:

<string name="content_description_wishlist_add">Include in wishlist</string>
<string name="content_description_wishlist_remove">Remove from wishlist</string>
<string name="wishlist_adding">Adding %1$s to wishlist</string>
<string name="wishlist_adding_backupstring">Adding to wishlist</string>
<string name="wishlist_removing">Removing %1$s from wishlist</string>
<string name="wishlist_removing_backupstring">Removing from wishlist</string>
<string name="wishlist_add_success">%1$s added to wishlist</string>
<string name="wishlist_remove_success">%1$s removed from wishlist</string>
<string name="wishlist_add_error">%1$s could not be added to wishlist</string>
<string name="wishlist_remove_error">%1$s could not be removed from wishlist</string>
<string name="my_wishlist_empty">There are no items in your wishlist. To add items, tap the bookmark whenever you see it in the menu above.</string>

Wish lists aren't done yet, there's still obvious missing code for things like the buttons, but it's good to see some progress.

Other Tidbits

Remember in my last APK Teardown, when I said Wallet was getting PayPal-style money storage? It sounds like the Play Store is in for the same thing. There is now mention of a "Google Play Balance":

<string name="topup_success">Added %1$s to Google Play balance.</string>
<string name="topup_not_available">Cannot add to balance, try again later.</string>
<string name="topup_choose_amount">Choose amount</string>

Let's just hope that the Play Store balance and Wallet balance are the same thing. Otherwise things would get confusing.

Update: Turns out the Play Store Balance isn't entirely new, it's what Google has been calling your gift card balance. The string text is still new though, so you'll soon be able to refill it from your device.

Thanks Rob!


And speaking of money, there is now a JCB (that's "Japan Credit Bureau") logo next to the other credit cards. I guess our Japanese readers will be happy about that.

One last thing, remember our multiple user account extravaganza? The Play Store is getting in on the action too:

<string name="app_already_installed_other_user">You cannot install this app because another user has already installed an incompatible version on this device.</string>

That is a strange error message, isn't it? Another user has installed an incompatible version? Meaning what? I guess some apps don't work with multiple users? I'd love to hear your ideas in the comments.

See you next update!

Ron Amadeo
Ron loves everything related to technology, design, and Google. He always wants to talk about "the big picture" and what's next for Android, and he's not afraid to get knee-deep in an APK for some details. Expect a good eye for detail, lots of research, and some lamenting about how something isn't designed well enough.
  • http://k3rnel.net Juan Rodriguez

    I absolutely love your APK Teardown articles. As for the strange error? I'm hoping everyone app allows parallel installs and devs may choose not to allow them.

    Ideally, I'd love to have my Google Account on my tablet and install my games, and let my girlfriend borrow the tablet and play my games without actually messing with my scores or gamesaves.

  • Sorian

    Very nice, Thanks for the APK teardown.

  • http://twitter.com/rohanXm Rohan Mathur

    Articles like this is why I absolutely love AP. Ron, great work!
    P.S. I really hope that PayPal gets added as a future way to add cash to Google Wallet, as I'd love to use some of the cash I have sitting in a PayPal account to buy some apps! (and before you suggest that I deposit it into a bank account, then use that money, I'm in high school).

  • Alchemy08

    Keep doing Google APK tear downs we love them.

    • http://www.androidpolice.com/author/ron-amadeo/ Ron Amadeo

      ok. =P

      Thanks <3

  • http://www.androidpolice.com/ Artem Russakovskii

    As for the error message at the end, I have 2 theories:
    1. This comes up if you're trying to install a different version of an app another user already installed.
    2. This comes up with you're trying to install an app with a different signature compared to another app already installed.

    • http://www.youtube.com/user/no6969el Noel Barcellos

      Yea this is what I was thinking (#1) but it did not seem to care that I was updating the maps with the other account.

    • http://codytoombs.wordpress.com/ Cody Toombs

      Here's another idea. Maybe it's related to enterprise security restrictions. Maybe an enterprise can set version restrictions.

    • masterdebater

      I think Play Store sends app and phone info to a db when it detected that it is incompatible (or with issues) on a specific device and as another user downloads the same app with the same phone on the db, it will flag it and that snippet will appear. A little sneaky but it's for the good.

    • KRS_Won

      Possibly installing a carrier specific app?

  • http://www.youtube.com/user/no6969el Noel Barcellos

    "I guess some apps don't work with multiple users?"

    On my Nexus I have two of my Gmail accounts added. In the Play store I can switch between what email I want to download an application under. If I have a specific application version installed already under one email and I try to install a newer version of that application using the other email this error should happen.

    • Jameslepable

      What does happen? Does it just not install or downloads then error?

      • http://www.youtube.com/user/no6969el Noel Barcellos

        In my test with maps (chosen mainly because I knew I could uninstall the updates) when I updated it under my other account nothing different happened.

  • RedPandaAlex

    Don't know why you'd need client and server side malware protection

    • http://www.androidpolice.com/author/ron-amadeo/ Ron Amadeo

      Me neither.

    • BrianLipp

      probably just as a placebo effect to make people feel safer. its probably safe to assume that a lot of people dont know about Google's server side malware checking, plus all the blogs and "news" sites constantly doing stories about how "There are a billion malware apps on android! its unsafe! hide yo kids!"

    • Oli Lane

      Because you can install apps from places other than Google's servers.

      • RedPandaAlex

        Then it should be built into the OS rather than into the Play Store app.

        • http://codytoombs.wordpress.com/ Cody Toombs

          Nexus devices aside, how often is your phone/tablet getting OS updates? Devices that have been abandoned on anything before Jellybean would never get this feature and it would take at least 2 years before it was even on 50% of devices...Or they can build it into an app that gets updates about every 6 weeks.

          Lest we forget the other reasons to keep it out of the OS. Leading the pack is that custom ROMs might not be allowed to use this feature, it might not be released/licensed for that use. Another great reason, Google can lose control of it when OEMs and carriers get involved. I know that one is unlikely and might violate Android certification requirements that are added to protect it, but I can confidently say that all three of the major OEMs (HTC, Samsung, and Motorola...I'm still not sold on LG) have changed or screwed up core components of the OS with various ROMs they've released and I think they would do it again. Those are just a couple, I'm sure there are more.

          • RedPandaAlex

            Well, I'm just wondering if it's possible for the store app to scan direct apk installs

          • http://codytoombs.wordpress.com/ Cody Toombs

            There are already other apps that function as virus scanners in the same way that we're talking about the Play Store. The Play Store also gets a higher security level (I think it runs as root, but don't quote me on that), so it's allowed to do stuff that some virus scanners can't (unless you've rooted your phone and given them permission). There's no reason to assume the Play Store wouldn't be great for this purpose.

  • ari_free

    But would this blocker work for apps that you downloaded outside the Play store? That's probably where most of the problem comes from. Then again, I don't give a flying duck for people who get malware after downloading pirated apps.

    • Jameslepable

      You get warned when you choose to install from outside the play store. And seeing that most apps installed outside are probably pirated (obviously amazon and get jar not included). Google probably doesn't want to do that as it will sort of promote pirating unintentionally

      • http://blog.firstdove.com/ Christian M. Z.

        That's a huge (and possible untrue) generalization about sideloaded apps. Ever heard of XDA-Developers? It's not just about custom ROMs and kernels you know... Devs there develop apps too.

        • Matthew Fry

          Humble bundle too!

          • http://blog.firstdove.com/ Christian M. Z.

            Ooh~ Good catch.

        • Jameslepable

          :O what I'd this xda you talk about. Of course I know what it is. But most user don't go on xda. So the reason most people use it (general people) will be to pirate apps.

          • http://blog.firstdove.com/ Christian M. Z.

            That's why I said it's a "huge generalization".

            How many people actually sideload? Or even know what sideloading or APKs are? If you frequent Android forums, you'd see a whole lot of users who still doesn't know what the "install from unknown sources" checkbox is all about. Or are even fearful of it. (it's wording does leave a bit to the imagination) A large percentage of the Android community likely still only know of Google Play as the sole avenue for obtaining apps.

            Yet of those who do sideload, many would have also heard of the XDA-Developers forums, which currently boast a membership base of over **4 million** users. Many of them are not developers themselves, that distinction is not important; developers or consumers most (if not all of them) sideload and flashes custom-made software and ROMs/kernels packages on a regular basis.

          • http://codytoombs.wordpress.com/ Cody Toombs

            I know this will come across as a huge generalization too, but China is probably one of the top reasons this is happening. I'm not trying to discuss the issues with Chinese piracy which we do know to be very significant, and yes, I know the reasons. Every time people talk about malware on Android, they are usually pulling their "numbers" from Chinese markets where piracy is much thicker.

            Of course, piracy is only one of the reasons why side-loading is so common in China. One of the things that people don't talk about is that there is a relatively heavy market for apps that have been modified to add Cantonese (and Mandarin) translations to apps that are usually only in Germanic and Latin derived languages.

            Side-loading is extremely common in China for both of these reasons and surely many others. While not everybody there will have the Play Store, at least it stands a chance of reaching many of them. Malware statistics are comparatively awful over there compared to here, and I think Google was motivated to take the initiative to reduce the spread of viruses regardless of the reasons people might be side-loading.

          • http://blog.firstdove.com/ Christian M. Z.

            Actually Cody, *your* hypothesis wouldn't be considered a huge generalization at all. Last I checked, China still doesn't get paid apps support in Google Play.
            (I've even seen forum posts where new phones, such as the Galaxy S III, bought direct from Chinese telecommunications companies, are said to come with no Google Play installed, and upon manual installation, force closes.)

            So to say that many Chinese Android users may be resorting to piracy to get their app fix is unlikely to be far from the truth at all. (why would someone buy a smartphone at high cost if they're unable to get the apps that provide the experience?)

            I don't think that Google's malware scanner not scanning side-loaded apps has anything to do with "not encouraging piracy", but your guess that Google's motivation for introducing such a mechanism in the Play installed apps is an attempt to stem the global spread of malware certainly has merit. It's actually the same reason Microsoft gave for creating the original Windows Live OneCare, and when that didn't work out as a profit channel, they worked hard to produce the free (and, actually pretty good) Windows Security Essential package.

          • Jameslepable

            I could easily enough point to the websites dedicated to pirate apps where the would be malware. Piracy isn't as much a problem that people make out to be but you must realise that a large proportion of people who allow unknown sources are pirating. This is in places like China and India.

          • http://blog.firstdove.com/ Christian M. Z.

            Yes you could do that, but note that supply and demand aren't the same thing.

            Just like having one single Google Play store doesn't mean that only a minority of Android users are buying legitimate apps, neither does having multiple pirate sites mean that the majority are getting them from illegitimate sources.

            Unlike XDA which I mentioned, where visitors ARE to download stuff, many of these sites exists HOPING that people would download. Like businesses, they cater for the supply, but does not guarantee the demand.

            This is why I said it was a huge generalization. Places like China, much higher possibility of being true since they have no official Google support for paid apps. But other places, especially in well developed countries, less likely. The situation is compounded by the fact that many smartphone users, iOS and Android alike, are not really as tech-savvy as you'd expect, and would rather not delve into the unknown if they can help it.

          • Tony NoName

            Talk about a huge generalization! lol.... you take the cake with this one. It's been estimated that over that over 70% of Android device users set them up for side loading. Whether it be downloading music from Amazon or even some Apps from them. Any time you download anything to your device outside of Play Store you are informed.

            That's even if you develop your own Apps. It's to let you know that those App do not go through Google's Bouncer for deadly hidden malware. So unlike Apple, who just refuses to allow you to install even your own developed Apps on your own device, from your own computer, Google doesn't require App signing to install an App. When HTML5 Apps become popular and we're able to pay for them off in secure transactions out of the reach of Apple and Play Stores, what's going to happen then? Will all have Gate Keepers that bounce Apps because Developers and content providers can start earning their money directly w/o paying Apple or Google? Well at least we know that Google won't care and at least we can side load w/o interference of companies like Apple!

  • blunden

    They finally updated the notification drawables for xhdpi. That sure took a long time.

  • Jeffrey Smith

    Regarding the multi-user thing, a couple of interesting additional permissions were added to the manifest: MANAGE_USERS and INTERACT_ACROSS_USERS.

  • IncCo

    This is definitely the best place for android news

    • dude

      Its the only Android news site I've found so far that doesn't involved fanboys constantly throwing personal insults at everyone.

  • Eye4Detail

    I wonder if the "incompatible version" error has to do with Amazon apps. I know that when attempting to update an Amazon app through the Play Store, I get an error message. This new message may have to do with one user having an Amazon app installed and another trying to install the Play Store version.

  • http://profiles.google.com/papa528 Joe Pas

    Plus, it doesn't jump back up to the top of the apps list when you view an app!

  • Name

    I'm not happy with the google spyware.. Reporting what I'm installing and turning it into ads.

    • Josh

      Google already knows everything you're installing from the Play Store and it wouldn't really surprise me if they already know about the apps you've sideloaded too.

      • Thx84

        My guess is this is the way to figure which apps you side loaded and more importantly which ones you stole/pirated

        • Oli Lane

          Then you can turn it off. No problem.

  • tBs_Battousai

    My UK GNex is still on 3.8.17... :(

  • UmangKedia

    Can you plz explain how these malware scanner might work?

    According to me, it will work only for apps downloaded from Play Store. If that's the way its going to work then why can't google scan the apps while they are being uploaded on Play Store? Google can already mark it as suspicious or whatever.

  • eman3316

    When is the Play Store going to allow you to see just your purchase apps without having to look through everything you have ever downloaded! They definitely need some sort of filtering features. How about being able to alphabetize even or look through apps and sort them be rating? I can't believe we do not have these sorting features yet.

  • http://twitter.com/misterE33 Mr E

    Very cool, thanks for the info. This may be a dumb question, but is there anyway to force the Play store to upgrade?

  • Asphyx

    I'm a little confused here...
    I love the idea they are going to scan for Malware before you install an App
    but wouldn't this be better done if they did these checks as the app in question was being uploaded to the store?
    Having a client side check is always a good thing but it's better to incorporate it into the installer not the storefront.apk so it works on side loaded apps as well.
    How good of a malware check can this actually be?

    • Oli Lane

      They already do it server side, it's called Bouncer. This is in addition.

    • Tony NoName

      This is a Scanner Only! .....it does not clean or prevent the App from being downloaded in the first place. It just informs people of the malware and lets them make the decision on whether they want to download it or not!

      Which is a lot better than what Apple or these other stores (Amazon, etc) do. On all these other stores (including Apple's) some malware, adware, tracking, etc and you are only given a disclosure (that no one reads) agreement and that's it. This new Play Store feature won't let any App or Content Developer slide their App past you w/o YOU having the ability to find all the particulars on just what it's doing. It's a Gate Keeper type Bouncer for the Consumer.

      It means NO RED HERRING APPS.... EVER (in Play Store). So even if Google (unlike Apple gets away with) is aiding and abetting unscrupulous developers you'll know about it. Amazon and Apple turn a blind eye to some developer developer's spying and malware activity. Crazy since Apple in particular always claims to be looking out for your best interest. Yet.... every Apple user is supposed to feel all safe and sound inside the their Garden Walled Prison Farm Network! ......meanwhile the Fox is left guarding the hen house for their own scrumptious deserts (their 30% cut on paid Apps)!

      That's why Google is better than them all and always have been. They prefer to inform and give users a Choice and none of the competition does that!

  • http://twitter.com/jdrch jdrch

    Hope the malware scanning includes apps from 3rd party markets (such as Amazon) and sideloaded apps too, that way I can junk Avast.

  • http://en-gb.facebook.com/supermorph Dez Ainsworth

    incompatable meaning side-loaded non free

  • C. Wood

    The My Apps page is not only completely useless, it's completely WRONG! I have 54 apps installed on my phone. My Apps only shows 11 of them. The rest of the page is apps I'll never use again. Which can't be deleted. GRRRR!