Safely Downloading Apps

May 13, 2011

Downloading apps safely on Android devices is usually not a problem. Almost all the apps in the Android Market or Amazon's App store are legitimate efforts to provide something useful or fun to you, the Android user. However, there are always jerks out there who will try to take advantage of you. Yesterday I had an unpleasant introduction to just how crooked people can get.

My Saga

I have a popular app called Contact Remover. There's a free version and a paid version called Contact Remover Plus. Yesterday morning I started getting requests for support from people using an app calling itself "Delete Contacts." I didn't write any app called "Delete Contacts," but the support requests looked like they were coming from my app, to my support address, and showing an error in the app that indicated something was missing from the app's download file. I was very puzzled.

It took me a while to figure out what had happened, and when I did I was disgusted by what I found. Somebody calling himself "BeeGoo" had taken my real app, decompiled it (meaning pulling it apart into its pieces), changed the name and inserted some malware into it. This jerk then published "his" app, calling it "Delete Contacts." Obviously this is a violation of copyright law and just plain human decency. Fortunately for people who downloaded this app the idiot BeeGoo didn't even hack my app correctly and so it failed all the time. He hadn't bothered to change the support email address embedded in the app, either, so when his app failed all the emails came to me. I was then able to identify the problem and warn the unsuspecting users that they had malware on their phones (my community service for the day ;-).

I've sent requests to every site I could find on which this garbage has been posted. Some have responded promptly, others less so. See the list below.

What Lesson Should You Learn From This?

Check the permissions on apps before you download them. Just after you press the install button in the Android Market you are presented with a screen listing the types of access the app will request. This is where you must pay attention! Any app that requests Network Communications (full internet access) should be examined very closely. A lot of apps do request this permission because it is necessary to serve ads or work with back-end servers. There are lots of perfectly good reasons to request internet access. But, and this is the big "but," you must then look at what other access the app is requesting. Requesting "Your personal information" access AND "Network communications" access should be a major red flag. Somebody wants access to your contacts AND the ability to send data to any internet server? That's fishy. Before you install any app like that, do a little homework. Check out the developer's web site, maybe email support to confirm that they have a legitimate reason for requesting the access they do.
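The same "personal information plus network access" check can be automated against an app's AndroidManifest.xml (the file an APK's permission screen is generated from). This is an added example, not code from the original post; the grouping of permission names into the two categories and the two sample manifests are my own constructions, and the second manifest is a constructed stand-in for a repackaged contacts app that has gained internet access.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed grouping: permissions the Market lists under "Your personal
# information" versus "Network communication" (my mapping, not Google's).
PERSONAL_INFO = {
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.READ_CALENDAR",
    "android.permission.READ_SMS",
}
NETWORK = {"android.permission.INTERNET"}


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission android:name="..."/> values."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return {el.get(name_attr) for el in root.iter("uses-permission")
            if el.get(name_attr)}


def red_flags(manifest_xml: str) -> list:
    """Flag the combination the post warns about: personal data + internet."""
    perms = requested_permissions(manifest_xml)
    personal = sorted(perms & PERSONAL_INFO)
    network = sorted(perms & NETWORK)
    if personal and network:
        return ["personal data (%s) + network (%s)"
                % (", ".join(personal), ", ".join(network))]
    return []


# Constructed sample: a contacts utility that only touches contacts.
CONTACT_TOOL = """<manifest xmlns:android="%s" package="com.example.contacts">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
</manifest>""" % ANDROID_NS

# Constructed sample: the same app with INTERNET added, the fishy combination.
REPACKAGED = CONTACT_TOOL.replace(
    "</manifest>",
    '  <uses-permission android:name="android.permission.INTERNET"/>\n</manifest>')

if __name__ == "__main__":
    for label, xml in (("original", CONTACT_TOOL), ("repackaged", REPACKAGED)):
        print(label, "->", red_flags(xml) or "no red flags")
```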

While I'm not a fan of the exact way Amazon is implementing their app store, they are individually reviewing all apps that are submitted. This makes it less likely that a malware app will get through, but it takes longer to get updates out because we have to wait for approval. Google's market is a free-wheeling wild-west show. New and updated apps are posted constantly. Bug fixes can come out the same day you report the bug. But there's nobody keeping an eye on things except you, the consumer.

In the end, as with all things, you are ultimately responsible for your own safety and wellbeing. If you pay attention to the permissions of the apps you download and perform due diligence on apps that request potentially dangerous combinations, you will have a great and safe Android experience. If you don't pay attention, then there's a chance you're going to get your personal data stolen or worse.

By the way, about 24 hours after informing various sites that they harbored malware, here's who has and has not done anything about it:

Sites that have removed all BeeGoo malware

  • Nobody yet.

Sites that have removed "Delete Contacts" but continue to carry all other BeeGoo malware

  • Google (both market.android.com and the market app)
  • androidpit.com
  • androidzoom.com

Sites that have taken no action yet

  • android.journal.mycom.co.jp
  • andbots.com
  • androlib.com (they emailed me to get the URL but have done nothing else)
  • apps.talkandroid.com
  • appbrain.com
  • androidapps-home.com
  • androidblip.com

After 96 hours (4 days), here's how the various sites have fared:

Sites that have removed all BeeGoo malware

  • android.journal.mycom.co.jp
  • andbot.com

Sites that have removed "Delete Contacts" but continue to carry all other BeeGoo malware

  • Google (both market.android.com and the market app)
  • androlib.com
  • androidpit.com
  • androidzoom.com
  • androidapps-home.com

Sites that have taken no action yet

  • apps.talkandroid.com
  • appbrain.com
  • androidblip.com

It is now July 5th

I don't really feel like spending my afternoon going back and checking all these sites again, but I did want to make one last update on this issue. In the end Google sent me a rather sternly worded email saying that I could not request that they review the validity of the other BeeGoo apps unless I was the legitimate owner of the pirated app and that representing myself as such would be fraud (or some such scary sounding legal language). So I took the time to look up the email addresses for all the other developers who had been pirated and emailed them with an alert and a link to Google's copyright infringement form. I think every single one of them thanked me for letting them know and submitted the form. As of today there is no BeeGoo in the Android Market. However, there is still quite a lot of "goo" out there in some of those other so-called markets.

What ultimately bothers me is how thick Google was about this. If I hadn't taken the time to be a good netizen these apps would still be out there doing whatever evil they were intended to do. A total nitwit could see that these apps were pirated, so why Google couldn't step up and take a tiny bit of responsibility for its own market is utterly beyond my understanding. I guess it just reminds us that, like television networks, Google isn't in business to help their "users"; they are in business to deliver eyeballs to advertisers. They give us lots of goodies for free to entice us, but they sure don't treat us like customers.