Adware is now so deeply buried in Google’s Play store that one in five of the most popular apps are rated a privacy risk by mobile security programs, an analysis by Zscaler has found.
The firm ran the top 300 apps in each of the Play store’s main categories through a wide range of security products, finding that 1,845 were considered ‘adware’ by one or more programs, equivalent to 22 percent of the total.
All of these were marked out for bundling ads inside legitimate apps, sometimes deceptively, with a few even altering device and browser settings. Others captured personal data such as email addresses and device IDs without notifying users in a clear way and went on to push ads.
Concern about the volume of Play adware is not new, but Zscaler’s analysis makes some new and interesting points as to why it might be happening, starting with the popularity of a single API, Airpush, which developers use at the core of many apps.
But there is another and more unsettling reason why adware has turned into such an issue – Google’s business model for the Play store is built on it.
“It is in the best interests of Google to appease advertising companies,” said Zscaler researcher Viral Gandhi. “Google wants to encourage developers to expand offerings in their app store and developers often profit from free apps through advertising. Paid apps may also include advertising, in which case, Google takes a direct cut from the app proceeds.”
In a sense, the rise of adware underlines a conflict of interest. The Android platform needed as many apps as possible to attract users. Once there, these users had to be ‘monetised’.
“Google has plenty of incentive to allow apps with aggressive advertising practices,” Gandhi concluded.
Meanwhile, security vendors were under equal pressure to spot behaviour that could be construed as being against the interest of users.
“There is a big gap between Google and AV vendors when it comes to adware. Ultimately, end users are stuck in the middle as they are left to decide if they will keep or delete the apps being flagged.”
The two biggest categories for suspect apps were games and personalisation, for instance wallpapers and themes.
Zscaler’s analysis of Google’s motives seems harsh. Ultimately, if users feel they are being fed aggressive adware by too many popular apps, even free ones, they will be put off Android to Google’s detriment. Google might also point out that users are now sophisticated enough to grasp that free apps have to be paid for somehow.
But what is acceptable and what isn’t?
In June, mobile security specialist Lookout publicly blacklisted a class of free apps after finding that 6.5 percent of them met its definition of adware. This is lower than the proportion discovered by Zscaler, but Lookout looked at a far larger number of apps.
In Lookout’s view the real problem is the popularity of a clutch of ad networks embedded in the apps to generate revenue. Some follow best practice but a hard core don’t. Until Google takes a public stand on what is acceptable for apps, the controversy looks likely to continue.