Updated July 30 with new Android 15 release speculation and an update from Samsung on the reported threat to Galaxy users from CVE-2024-29745.
Google’s mission to make Android more like iPhone on the security and privacy front continues. But even as Google shores up Play Store defenses, a new report published this week makes it clear that dangerous threats still get through. Cue the biggest change of all: Google’s mass deletion of low-quality Play Store apps will net many such threats, and it starts August 31, just five weeks from now.
First to the positives. Google has now confirmed by way of its Chrome team that it is confident enough in Google Play Protect to end “file might be harmful” warnings for users who have Play Protect enabled and download apps from third-party stores.
As Android Authority reports, this update means “[Chrome] will soon use the presence of Play Protect to decide whether to show the alert… While Play Protect initially only scanned new applications that were either uploaded to Google Play by developers themselves or by users when they first sideloaded them, it’s recently been upgraded to perform some app scans on-device in real-time and will soon do even deeper scans using on-device AI. Given these improvements… it’s no surprise the Chrome team now sees the ‘file might be harmful’ warning as unnecessary.”
But now to the negatives. Kaspersky has just warned that it discovered new samples of the dangerous Mandrake spyware on Play Store as recently as April, “while staying undetected by any other vendor.” The team discovered “new layers of obfuscation and evasion techniques” designed to evade detection by Play Store defenses. And if it can sit on Play Store undetected, Play Protect cannot yet be relied on to catch the same threat when it arrives from elsewhere, such as a sideloaded download.
All of the malware-laced apps, Kaspersky says, “were published on Google Play in 2022 and remained available for at least a year.” These are exactly the type of vacuous, low-quality app that should be picked up by Google’s mass deletion. “According to reviews,” Kaspersky says of one of the apps, “several users noticed that the app did not work or stole data from their devices.”
Mandrake is “a sophisticated Android cyber-espionage platform,” which has been seen repeatedly over the last four years. As for this latest campaign, Kaspersky says “the newest app was last updated on March 15, 2024 and removed from Google Play later that month. As at July 2024, none of the apps had been detected as malware by any vendor, according to VirusTotal.”
If Play Store’s new sweep significantly lessens the threat, as hoped, then attention will turn to sideloading and the third-party stores where such vacuous apps will remain. And while sideloading’s days aren’t over just yet, Google’s Play Store defenses will have expanded to protect even that Wild West as best they can.
Google Play Protect isn’t a catch-all, which is why there’s still such a high number of malicious apps making their way onto the store. But once malware is identified, Play Protect can look for the same thing again, and again and again, although that is proving harder than expected. And if it is the quality sweep rather than detection that removes these threats from Play Store, Play Protect will not necessarily have learned to recognize them. Android 15’s live monitoring for suspicious app behaviors, including the use of sensitive permissions, will need to plug that gap.
The real focus will be pushing users to view Play Store as their one-stop shop for apps, and recent updates point the same way. Samsung has just tightened its own device default restrictions to steer users away from third-party stores or direct downloads, and Google clearly intends to build a better wall around Play Store this year.
The huge decision to delete the many thousands of apps deemed low-quality is more about security and privacy than anything else. It’s this type of vacuous, pointless app that either hides malware or is part of an attack chain that preps a device for malware from a different source, thus bypassing some of these protections.
Google says that apps that will be marked for deletion include those “that are static without app-specific functionalities, for example, text only or PDF file apps, apps with very little content that do not provide an engaging user experience, for example, single wallpaper apps, and apps that are designed to do nothing or have no function.” This will have a huge impact on Play Store, and users should be prepared.
And while many longstanding Android users don’t like the implication that Google is moving its OS in Apple’s direction, the reality is that Apple users are substantially better protected against malware than those on Android. Google is playing catch-up.
I have approached Google for any comment on the new Mandrake report.
The days of Android’s Wild West really do seem long gone. Although, as Kaspersky warns, this latest Mandrake campaign “lurked in the shadows for two years, while still available for download on Google Play.” The risk, they say, “is that stricter controls for applications before being published translate into more sophisticated, harder-to-detect threats sneaking into official app marketplaces.”
And that’s where the next version of Android comes in. Google has just released Android 15 Beta 4.1, which is likely the last beta update before the stable release. With the minimal fixes in 4.1, speculation is suddenly rife that Android 15 “will launch alongside the Google Pixel 9 series which will be unveiled on August 13th.”
Android 15 is the other half to Play Store’s mass app deletion, the idea being that if a malware-laced app isn’t caught by the store’s sweep, it will be caught by on-device AI looking for the markers typically seen with a misbehaving app.
“We are expanding Play Protect’s on-device AI capabilities,” Google explains, “with Google Play Protect live threat detection to improve fraud and abuse detection against apps that try to cloak their actions. With live threat detection, Google Play Protect’s on-device AI will analyze additional behavioral signals related to the use of sensitive permissions and interactions with other apps and services. If suspicious behavior is discovered, Google Play Protect can send the app to Google for additional review and then warn users or disable the app if malicious behavior is confirmed.”
So, would this combination have caught Mandrake? We can’t be certain, but it’s likely that the combination of the mass deletions and on-device flags for permission abuse would have caught it early—it certainly would not have enjoyed such a long run on the store. The hope is that on-device AI targeting apps from any source will continually improve as further markers are identified.
While it looks like Pixel users will be front of the queue for the Android 15’s new security enhancements, owners of Samsung’s flagship phones will not be so lucky. As first reported by SamMobile and followed up by 9to5Google, “Samsung’s first Android 15 beta missed its first scheduled release date, with the debut of One UI 7 now being thought to be as far as almost a month away from launch.”
While a small number of weeks is not a huge issue, there’s now a pattern emerging where Samsung trails behind Pixel devices for security updates. And again it looks like that’s what we will see with Android 15 and live threat detection.
This kind of delay was even more notable recently with the Pixel zero-day fix from June being delayed for Samsung devices until August, as I reported first here on Forbes. Google is doing a better job of prompt delivery of monthly releases than other OEMs, and that is becoming more notable with the passing months.
There is some better news for Samsung users though. Alongside the Pixel zero-day (CVE-2024-32896) that will be patched next month, there was speculation that Samsung devices are also at risk from the more dangerous CVE-2024-29745. I was told by the security researcher who disclosed the vulnerability that while Pixels were patched in April, “other devices don’t have the protection yet.”
Google backed this up, telling me “Android security is aware of this issue, and after further review, this issue does impact Android platform.” However, Samsung has now told me the issue does not affect its devices, so Samsung users are not at risk.