Just like any open marketplace, there's a lot of crap in the Play Store. In a strange and roundabout way, I'm actually OK with that - separating the silver from the dross of Android apps is one of our core functions at Android Police. But a recent promotion from antivirus vendor Trend Micro painted an extremely dim picture of the Play Store. The company claimed, among other things, that the Play Store was full of "potentially evil doppelgangers... with many carrying malware."
Trend's report of the situation (PDF link) was chilling, reporting that 100% of the Top 10 apps in the Finance, Media & Video, and Widgets categories had fake apps associated with them, along with 90% in the Business, Music, and Weather categories. The report claimed that more than three-quarters of the Top 50 apps overall had fake versions.
Furthermore, it claimed that fully half of the apps categorized as "fake" were malicious, i.e., containing adware, malware, or other nasty stuff.
The rest of the report contains various horror stories, including fake Flappy Bird apps that used chargeback SMS messages, fake BlackBerry Messenger apps with aggressive advertising, and oh yeah, a section on a certain "Virus Shield" app that you might be familiar with. Improperly cited, I can't help but notice.
Here's where things get ugly. A press release issued to various tech publications to promote Trend's blog post and the report itself used language that might make P.T. Barnum blush.
Google Play populated with fake apps, with more than half carrying malware
Potentially evil doppelgangers for the most popular apps are inundating the Google Play store, with many carrying malware, according to a new blog post and report by Trend Micro, a global developer of cyber security solutions.
Jack Wallen, a writer for Tech Republic, read through the report and blog post and thought things seemed a little fishy. After searching for fake versions of the top finance, media, and widget apps in their categories, Wallen came up with zero results on the Play Store. That's a far cry from Trend's claim that essentially all of the top apps in these categories had doppelgangers running around, half of which were "potentially evil."
It turns out that Trend Micro is guilty of a little over-eager language that obfuscated the nature of some of these threats. While there are indeed fake versions of many popular Android apps available for download, Trend failed to mention in their initial promotion for the report that the apps in question were posted outside the Play Store, and had to be installed manually in what's commonly known as a side-load. This requires users to download the app in a browser, ignore a standard security warning about APK files, and disable a security option in Android's main settings menu. Trend's reply to Wallen highlighted this [emphasis ours]:
Our research isn't saying that this problem exists exclusively on Google Play because the majority of these problem apps are available in places other than Google Play. We are now aware that this point wasn't presented in a clear enough manner, and based on that feedback we have updated our blog with the following:
Update as of July 17, 2014, 9:08 A.M. PDT:
Note that the fake apps samples we gathered are from third party sources and none was found in Google Play
The point of our research, in fact, is to highlight the risks around apps from sources other than Google Play.
To my mind, Trend's biggest mistake was including descriptions of legitimate malware threats found outside the Play Store alongside those of merely fake (and basically benign) apps inside the Play Store. The only example of a truly harmful app found inside the Play Store was "Virus Shield," a useless paid antivirus pretender that Android Police exposed earlier this year. The app was subsequently removed from the Play Store, and Google issued refunds to customers who purchased it. Antivirus vendors like Trend Micro and security research companies have an interest in demonstrating the dangers of computer security... and a history of sometimes overstating that danger.
Make no mistake, there are real security threats to Android users from fake apps. But the Play Store remains surprisingly safe. Even outside of the Store, Google's internal metrics estimate that about 1 out of every 100,000 malicious apps identified by the Verify Apps feature built into Google's non-AOSP software suite actually gets through the various defenses and harms users. As has always been the case with computers of any kind, the danger ramps up when you disable built-in security measures, ignore warnings, and download programs from untrusted sources.
Source: Tech Republic