How stealthy cyberattacks sneak past Google Play's guard through app updates

How stealthy cyberattacks sneak past Google Play’s guard through app updates

How best can you protect your devices—and yourself—against cyberattacks?

In today’s fast-paced digital world, small businesses and young entrepreneurs leverage advancements to reduce time-to-market and encourage innovation. One such leading innovation is the development of applications for the Android operating system, which is leading the way in mobile, Extended Reality (XR), Internet of Things (IoT), cloud, and edge devices.

Android-based applications have become an integral part of our daily lives, offering convenience and functionality at our fingertips. However, our confidence in downloading these applications, particularly from reputed platforms like Google Play, may be at risk of cyber threats. A study published in the Journal of Ambient Intelligence and Humanized Computing reveals a concern about the vulnerability within Google Play’s vetting process that could compromise user privacy.

It’s essential to keep your mobile apps updated to the latest version, as updates often include security patches that protect against known vulnerabilities. Also, only download apps from trusted sources like the Google Play Store or Apple App Store, which have security measures in place to protect against malicious apps. Be sure to read and understand the permissions an app is requesting before you install it. If an app is asking for more access than it needs to function, it might be a red flag. Lastly, consider using a reliable security app to regularly scan your device for malware.

Zia Muhammad
Figure 1. The photo shows a mobile phone asking the user to update applications.
Credit. DALL·E 2 – OpenAI

Nowadays, Android users face increasing threats from evasive malware that can bypass traditional anti-malware solutions, necessitating a multi-layered approach to security. The study outlines how cyber attackers can cunningly bypass Google Play Protect, a built-in security mechanism designed to scan and filter out harmful applications. Before an application goes live on the Google Play Store, it undergoes a variety of static and dynamic analysis techniques.

The initial screening process for applications submitted to Google Play is much more rigorous than the review process for subsequent updates. For instance, while the initial application submission typically spans seven days, its updates are often accepted within one day. This discrepancy creates a vulnerability that can be—and has been—exploited by attackers. The review process typically takes a few days.

Table 1 provides a detailed timeline of an experiment performed on the Android Play Store, which lasted over one year and two months (61 weeks or 427 days). The initial experiment started on October 31, 2020, and ended on January 1, 2022. Table 1 shows the timeline for research and updates.

Table 1. The table shows the timeline of the experiment
Credit. Author

The study reveals how some developers with harmful intentions are finding ways to bypass this detection mechanism. On a broader level, Muhammad and the research team developed proof-of-concept malware that demonstrates how user trust can be exploited by bypassing Google’s policies.

The researchers found that attackers could initially bypass Play Protect by uploading harmless applications to build credibility. Then, they could introduce harmful feature updates gradually to distribute highly intrusive malware into user systems. This attack is called the Incremental Malicious Update Attack (IMUTA). It is a novel attack in which harmful features are gradually added to an otherwise harmless, publicly available application through multiple updates. This method of attack evades malware detection tools and exploits user trust. In addition, the attack can target any application distribution platform.

IMUTA: A proof-of-concept

The attackers’ weapon of choice? Incremental updates. Let’s break it down:

  1. The Trust Game: Attackers begin by uploading benign applications to Google Play. These seemingly harmless apps gain users’ trust and slip past initial security checks.
  2. The Trojan Horse: Once trust is established, the attackers introduce incremental feature updates. These updates, seemingly innocuous, conceal highly intrusive malware.
  3. The Data Heist: The malware, now nestled within unsuspecting devices, gets to work. It scans and collects private user data—messages, photos, contacts—and quietly exfiltrates it to a command-and-control server. Your privacy is compromised, all without raising alarms.

Figure 2 shows a snapshot of data extracted from smartphones. The implications of this study are far-reaching. It challenges the prevailing assumption that applications downloaded from official app stores are inherently safe. Moreover, it emphasises the need for more robust security policies and mechanisms to protect against such sophisticated attacks. The researchers propose several recommendations, including enhanced scrutiny of app updates and employing code similarity indexing to detect anomalies in-app updates better.

Figure 2. Graphical representation of Firebase data storage hierarchy: the snapshot visualizes collected user data stored in the Firebase cloud service
Credit. Author

This study serves as a wake-up call for both users and platform providers. For users, it underscores the importance of being cautious and well-informed about the applications they download and the permissions they authorise. For platform providers like Google, it emphasises the urgency of reinforcing their vetting processes and adopting more stringent measures to safeguard user privacy and security.

The implications of these findings extend beyond just the Android platform. They serve as a cautionary tale for all digital platforms hosting third-party applications. As technology evolves, cybercriminals also adapt their tactics. The digital guardians of user security must remain ever-vigilant and continuously adapt their defenses to counteract these evolving threats.

Recommendations and suggestions

Here are some recommendations and suggestions for Android users aiming to enhance their security and privacy:

Be careful about what you download and install. Malware can be disguised as legitimate apps, games, or updates and distributed through various channels, such as app stores, websites, or email attachments. Before downloading and installing anything, check the source, the reviews, the permissions, and the app’s reputation. Avoid installing apps from unknown or untrusted sources, and delete any apps you don’t use or need.

Keep your device and apps updated. Updates fix bugs, improve performance, and enhance security. Ensure you have the latest version of the Android operating system and the apps you use. Enable automatic updates, if possible, or check for updates regularly. Refrain from ignoring or postponing updates, as they can protect you from known vulnerabilities and threats.

Use multiple layers of protection. Don’t rely on a single anti-malware solution to safeguard your device, as it may not be able to detect or prevent all types of malware. Use different solutions, such as antivirus apps, firewalls, VPNs, or security patches, to increase your chances of detecting and preventing malware. However, bear in mind that some solutions may conflict with each other or affect the performance or battery life of your device. Choose the solutions that suit your needs and preferences, and configure them appropriately.

Monitor your device and network activity. Pay attention to any signs of malware infection, such as unusual behavior, slowdowns, crashes, pop-ups, or increased data usage. Use tools like task managers, data usage trackers, and network analysers to monitor these activities. If you observe any suspicious activity, scan your device with an anti-malware tool, or if necessary, perform a factory reset.


Stay informed about the risks of installing apps from unknown sources or granting permissions without understanding their implications. Before downloading an app, carefully read app reviews and ratings and check for negative feedback or complaints from other users. Take the time to review and revoke app permissions at any time, and uninstall any unwanted or harmful apps. Update the device’s operating system and security software regularly to fix any vulnerabilities or bugs. Exercise caution when encountering links or attachments from unknown or untrusted sources to avoid malicious downloads.

As we navigate this digital age, striking a balance between innovation and security becomes increasingly critical. Awareness is our best defense. It’s important to stay vigilant and exercise caution even when dealing with seemingly harmless apps. Trust, but verify; regularly update your apps wisely, but scrutinize feature additions.


Journal reference

Muhammad, Z., Amjad, F., Iqbal, Z., Javed, A. R., & Gadekallu, T. R. (2023). Circumventing Google Play vetting policies: A stealthy cyberattack that uses incremental updates to breach privacy. Journal of Ambient Intelligence and Humanized Computing14(5), 4785-4794.

Zia Muhammad is a cybersecurity researcher and a PhD candidate at NDSU’s Department of Computer Science, and a Mancur Olson Graduate Fellow at NDSU’s Challey Institute. Previously, he was a lecturer at the Department of Cybersecurity, Air University. Muhammad also worked as a researcher at the National Cyber Security Auditing and Evaluation Lab (NCSAEL). He has authored several peer-reviewed publications presented at conferences and published in cybersecurity journals.