These 224 Malicious Apps Managed to Bypass the Play Store Antivirus Scan.

The Google and Apple app stores have a reputation for being very secure these days. It’s easy to assume that if an app is available in the iPhone App Store or Google Play, it’s safe to download. But measures Google took this week are a reminder that things aren’t so clear-cut.

Yesterday, a security report from independent security firm Human revealed that Google recently removed 224 malicious apps from the Android Play store. Human, the security firm that authored the report, dubbed these apps “SlopAds.” These apps bypassed Google’s normal security procedures by using a clever way to surreptitiously install malware on users’ devices, even though they were downloaded directly from Google’s servers.

The principle behind these apps was that if you downloaded them through Google Play, they would work as advertised, without any bloatware. These apps typically marketed themselves as simple utilities or attempted to disguise themselves as more popular apps, like ChatGPT, to trick users into downloading them. Of course, they weren’t the best tools, but if you downloaded them directly from Google, they wouldn’t do any harm.

But the trick is that if you download one of these apps after being directed to the Play Store through one of SlopAds’ ad campaigns, it will also secretly download an encrypted configuration file that, after several post-download checks, will install malware on your device.

Once the device was infected, the app stole its data and began using it to display fake ads on fraudulent websites, maximizing profits.

It was a clever way to bypass Google’s regular review process and a good reminder that even if big companies try to make their app stores safe, you should still be vigilant when browsing them.

How to avoid installing malware on your device

While SlopAds hasn’t been prevented yet, you should still take steps to protect your device when downloading new apps, especially considering SlopAds isn’t the only one infiltrating the Play Store with malware. Here are just a few ways to protect your device when searching for new apps.

Download apps directly from the Play Store

Android differs from iOS in that it allows you to sideload third-party apps onto your device. This can be convenient for smaller developers who may not have the resources to publish their apps on the Play Store. However, sideloading an app that hasn’t been verified by Google carries additional risk. Before sideloading an app, make sure you trust the developer and the APK file being used. Google is currently working on blocking the sideloading of third-party apps if the developer hasn’t been verified (a controversial move, despite the added security), although these changes are unlikely to roll out in most countries until 2027.

Find apps in the Play Store

As SlopAds shows, accessing an app from an external source can involve downloading additional files to your device, which you wouldn’t receive if you found the app through the Play Store’s native search. Always be wary of app links found on suspicious websites, especially in ads. Using the Play Store to find new apps can save you some trouble down the road, especially since Google search is less likely to direct you to suspicious apps than to popular ones that have been confirmed as safe by other users.

Check user reviews and permissions

If you scroll down the page before downloading an app from the Play Store, you can see what permissions the app requires to run on your phone, as well as read user reviews. This can be useful if the app has known issues or the requested permissions seem too generous for its stated functionality. However, this isn’t a one-size-fits-all solution: SlopAds was running in the background without requiring any permissions, and depending on where the user downloaded the SlopAds app, it may not have even installed malware on their device. It’s entirely possible that apps with good reviews could still contain malware.

Enable Google Play Protect

Although SlopAds managed to bypass Google Play Protect, it’s recommended to enable it if it’s not already enabled on your device. Play Protect will check apps for known malware before downloading them, providing an additional layer of protection. Play Protect also periodically scans apps already installed on your device. To ensure Play Protect is enabled, open the Play Store, tap your profile icon in the upper-right corner, and go to Play Protect > Settings. You can also enable the “Improve malicious app detection” setting, which is also located there, to scan third-party apps.

Run a Google Security Check

Finally, you can run a Google Security Check on your device through your web browser. This will help you strengthen your online security and encourage you to take security measures, such as adding a recovery email address or phone number for your Google Account. The program will also display a list of recent security-related activity and generally ensure that even if a malicious app steals your data, you’ll be able to lock them out of your account with minimal hassle.
