Ho boy. It seems that an Android enthusiast can't get his head down before yet another malware story slides across his writing desk. This time it's from Japan, where a researcher employed by McAfee found naughty apps in the regional Google Play Store sending private information to a remote server. Carlos Castillo documented his work on McAfee's website. The apps in question are the usual low-quality, generally useless fare, promising video players, anime and sexual content, which they only deliver after stealing personal information. Good grief, they could at least have the decency to engage in some good old-fashioned piracy while they're at it.
So far the researchers have discovered 15 applications from at least two publishers with around 70,000 total downloads that contain the malicious code, all of which have been removed from the Japanese Play Store at this point. The good news is that the researcher was tipped off by sketchy permissions requested by the app, so checking permissions of apps from the Play Store (as many diligent users do) is still a good way to protect yourself. The bad news is that Google's much-lauded Bouncer protection system seems to have failed, possibly because the apps send the information in plain text. In security terms, it's the digital equivalent of robbing a 7-11 in broad daylight.
Some readers may question McAfee's objectivity in reporting these apps, and rightly so - a few months ago Symantec was caught calling out apps that, while generally useless and filled with ads, weren't technically malicious. But Castillo seems to have done his homework - these apps require passing on personal information, without notifying the user, as a condition of their very function. This backs up the much-used credo: never download apps from a developer that you don't trust. Not even in an official app store.
[via Ars Technica]