Home Cyber Security News Researchers Highlight How Android Apps Ditch Google Play Store Vetting Process

Researchers Highlight How Android Apps Ditch Google Play Store Vetting Process

by Abeerah Hashim
wallpaper bricks android phones

Google has tightened its policies for application developers in an attempt to prevent malware. The Play Store still includes numerous malicious Android apps targeting users with adware, spyware, and other sorts of malware. Recently, Bitdefender has delved into the details of how these Android apps ditch Google vetting process to appear on the Android Play Store.

How Android Apps Ditch Google App Vetting Process

Researchers from Bitdefender have analyzed various malicious Android apps to see how they ditch Google’s app vetting process. In this connection, they have published a detailed white paper mentioning about their findings.

In summary, they analyzed 25 different apps with cumulative 700,000 downloads on the Play Store. These apps packaged aggressive adware SDKs and employed various tactics to ditch Google’s app review. These include,

Dynamic Loading Of The Encrypted Main Logic

For instance, the ‘Pocket Camera’, which later reappeared as ‘InClip – Video editor app’, prevented detection by excluding the main logic from the app code. It then first loaded a native binary library which further decrypted and loaded the code.

Time Checks And Display Durations

Apps could check the time for being at least 18 hours from a specified time. A ‘true’ check would then let the app display ads and hide. As stated by the researchers,

Check that system time is at least 18 hours after a specific time using a hardcoded numerical value for the time (not a time object), then it starts hiding its presence.

They found at least 10 different apps exhibiting the same behavior. Although they apparently belonged to different developers, the apps shared the same code base.

These apps also exhibited longer time durations between ads display, possibly to evade security checks – the ‘anti-Google Play mechanism’.

The typical display time between ads is currently 15 minutes. However, the first time the application is launched an initial higher wait time of 350 minutes is currently used, probably to avoid user suspicion.

Using Open-Source Utility Library

These malicious apps that Bitdefender analyzed also exhibited other behavior to evade security checks. They used an open-source utility library, such as Evernote or Dropbox, to run background jobs instead of an Android API. The apps also used the same resource to control the ‘ShowAds’ or ‘ShowAdsHideIcon’ activity.

Replacing Clean SDKs With Malicious Ones

Another strategy popular among the app developers to bypass security checks is to initially upload clean app versions. They then replace these with the ones bundled with adware. These apps may or may not exhibit the icon hiding feature as well.

Other Common Strategies To Bypass Play Protect

In addition to the above, other apps also exhibited other types of features to circumvent Google’s app vetting system. These strategies include submitting a similar codebase from various developers, using remote servers to trigger malicious embedded codes, and mimicking clean SDKs.

In some cases, the app developer could simply turn a clean app into a malicious one following a malicious update. Recently, an Android app CamScanner showed similar behavior as it suddenly started delivering malware.

There seems no preventive measure from Google to control the appearance of such apps on the Play Store. Therefore, it solely depends on how users interact with an app.

You may also like

Latest Hacking News

Privacy Preference Center


The __cfduid cookie is used to identify individual clients behind a shared IP address and apply security settings on a per-client basis.

cookie_notice_accepted and gdpr[allowed_cookies] are used to identify the choices made from the user regarding cookie consent.

For example, if a visitor is in a coffee shop where there may be several infected machines, but the specific visitor's machine is trusted (for example, because they completed a challenge within your Challenge Passage period), the cookie allows Cloudflare to identify that client and not challenge them again. It does not correspond to any user ID in your web application, and does not store any personally identifiable information.

__cfduid, cookie_notice_accepted, gdpr[allowed_cookies]


DoubleClick by Google refers to the DoubleClick Digital Marketing platform which is a separate division within Google. This is Google’s most advanced advertising tools set, which includes five interconnected platform components.

DoubleClick Campaign Manager: the ad-serving platform, called an Ad Server, that delivers ads to your customers and measures all online advertising, even across screens and channels.

DoubleClick Bid Manager – the programmatic bidding platform for bidding on high-quality ad inventory from more than 47 ad marketplaces including Google Display Network.

DoubleClick Ad Exchange: the world’s largest ad marketplace for purchasing display, video, mobile, Search and even Facebook inventory.

DoubleClick Search: is more powerful than AdWords and used for purchasing search ads across Google, Yahoo, and Bing.

DoubleClick Creative Solutions: for designing, delivering and measuring rich media (video) ads, interactive and expandable ads.



The _ga is asssociated with Google Universal Analytics - which is a significant update to Google's more commonly used analytics service. This cookie is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page request in a site and used to calculate visitor, session and campaign data for the sites analytics reports. By default it is set to expire after 2 years, although this is customisable by website owners.

The _gat global object is used to create and retrieve tracker objects, from which all other methods are invoked. Therefore the methods in this list should be run only off a tracker object created using the _gat global variable. All other methods should be called using the _gaq global object for asynchronous tracking.

_gid works as a user navigates between web pages, they can use the gtag.js tagging library to record information about the page the user has seen (for example, the page's URL) in Google Analytics. The gtag.js tagging library uses HTTP Cookies to "remember" the user's previous interactions with the web pages.

_ga, _gat, _gid