The official Google Play Store has been identified as the primary source of malware installs on Android devices in a recent academic study — considered the largest one of its kind carried out to date.
Using telemetry data provided by NortonLifeLock (formerly Symantec), researchers analyzed the origin of app installations on more than 12 million Android devices for a four-month period between June and September 2019.
In total, researchers looked at more than 34 million APK (Android application) installs for 7.9 million unique apps.
Researchers said that depending on different classifications of Android malware, between 10% and 24% of the apps they analyzed could be described as malicious or unwanted applications.
But the researchers focused specifically on the “who-installs-who relationships between installers and child apps” to discover the path malicious apps take to reach user devices.
The research team said it looked at 12 major categories that result in app installations, which included:
- Apps installed from the official Play Store
- Apps installed from alternative markets (aka third-party app stores)
- Apps downloaded via web browsers
- Apps installed via commercial PPI (pay-per-install) programs
- Apps installed via backup and restore operations
- Apps installed from an instant message (IM)
- Apps installed via phone theme stores
- Apps loaded on disk and installed via the local file manager
- Apps installed from file sharing apps
- Apps preloaded on the device (bloatware)
- Apps installed via mobile device management (MDM) servers (apps installed by enterprises on their employees' devices)
- Apps installed via package installers
The results showed that around 67% of the malicious app installs researchers identified came from the Google Play Store.
In a distant second, with 10%, came alternative markets, dispelling a pretty common assumption that most Android malware these days comes from third-party app stores.
The research, titled “How Did That Get In My Phone? Unwanted App Distribution on Android Devices,” is available for download in PDF format and was authored by researchers from NortonLifeLock and the IMDEA Software Institute in Madrid, Spain.
A Google spokesperson did not return a request for comment sent almost three weeks ago.