
Google failing to protect you from bad BBM apps, experts say

With multiple fake BBM apps in the official Android app store, security experts have condemned Google's failure to clean up its act.

Richard Trenholm Former Movie and TV Senior Editor

Fake BBM Android apps are still fooling phone fans looking for the official BlackBerry Messenger app. So why hasn't Google done something about the phoney apps polluting Google Play? With multiple imposters claiming to be the official BBM app in Google's official Android app store, security experts have condemned Google's failure to clean up its own back yard.

"I have about as much faith in Google's ability to protect the official Play store from bogus apps as I do getting Norman Wisdom to defend the Crown Jewels," says security expert Graham Cluley. "Time and time again, Google has proven itself to be sloppy and too laid-back in regards to what apps can get into the official app store."

When BlackBerry announced BBM would come to Android phones, scammers quickly filled Google Play with fraudulent apps, using official-looking BBM logos and text lifted from genuine sites and publishing them under realistic-sounding company names. Dodgy user reviews endorse the apps, prompting keen BBMers to download apps that are at best fake and at worst stuffed with malware.
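The pattern just described (the brand name in the title, a plausible developer name, a package name that is not the real one) is what a brand-protection or store-abuse team scans for. The following is an added example, not CNET's, BlackBerry's or Google's code: it normalises listing titles so spelled-out or accented variants still match, then flags any listing that trades on the brand but is not published under the official package and developer names. The listings are constructed for illustration, and the allowlist of `com.bbm` and "BlackBerry Limited" as the official identifiers is an assumption of the example.

```python
"""Flag app-store listings that impersonate a brand (added example, constructed data)."""
import re
import unicodedata

# Brand strings the imposters borrowed. Assumption: what a brand team would watch for.
BRAND_TERMS = ("bbm", "blackberry messenger")

# Assumed allowlist of the genuine publisher's package name and developer name.
OFFICIAL_PACKAGES = {"com.bbm"}
OFFICIAL_DEVELOPERS = {"blackberry limited"}


def normalize(text: str) -> str:
    """Fold case, strip accents and collapse punctuation so 'B.B.M' and 'Messengér' match."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = re.sub(r"[^a-z0-9]+", " ", text.lower())
    return re.sub(r"\s+", " ", text).strip()


def mentions_brand(title: str) -> bool:
    """True if the title contains a brand term, with or without separators."""
    norm = normalize(title)
    squashed = norm.replace(" ", "")
    return any(term in norm or term.replace(" ", "") in squashed for term in BRAND_TERMS)


def classify(listing: dict) -> str:
    """Return 'official', 'imposter' or 'unrelated' for one store listing.

    A listing is an imposter when it trades on the brand in its title but
    is not published under BOTH the official package and developer names;
    a look-alike developer name such as 'BlackBerry Ltd.' does not pass.
    """
    if not mentions_brand(listing["title"]):
        return "unrelated"
    pkg_ok = listing["package"] in OFFICIAL_PACKAGES
    dev_ok = normalize(listing["developer"]) in OFFICIAL_DEVELOPERS
    return "official" if (pkg_ok and dev_ok) else "imposter"


# Constructed sample listings: one genuine, two imposters, one unrelated app.
SAMPLE_LISTINGS = [
    {"title": "BBM", "package": "com.bbm", "developer": "BlackBerry Limited"},
    {"title": "B.B.M Messenger", "package": "com.bbm.messenger.free", "developer": "BlackBerry Ltd."},
    {"title": "BlackBerry Messengér", "package": "com.chat.bbm2013", "developer": "Black Berry Software"},
    {"title": "Weather Now", "package": "com.example.weather", "developer": "Acme"},
]


def find_imposters(listings: list) -> list:
    """Package names of every listing classified as an imposter, in input order."""
    return [item["package"] for item in listings if classify(item) == "imposter"]


if __name__ == "__main__":
    for item in SAMPLE_LISTINGS:
        print(f"{classify(item):10s} {item['package']:28s} {item['title']!r}")
```

The check deliberately requires both identifiers to match: a scammer can choose any developer display name, so a title-plus-developer match alone is exactly what the fakes in this story were built to pass. In a real pipeline the allowlist entry would be the publisher's signing-certificate fingerprint rather than a display name.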

Is Google responsible?

"Google has a responsibility to remove apps if they are fake and/or malicious," says David Emm, senior security researcher at Kaspersky Lab. Graham Cluley added, "It would be trivial for Google to remove apps which are clearly infringing upon BlackBerry's trademarks and copyright, and I would be surprised if BlackBerry itself hasn't complained.

"Why hasn't Google cleared out the unofficial BBM apps from the official Android marketplace? I guess they don't consider it a priority."

"It is a great disappointment to see the Play Store apparently so easily abused like this, and Google really needs to clean up its patch," says Paul Ducklin, Senior Security Advisor at Sophos, who identifies sham BBM apps as just the latest in a line of pretender software in Google Play.

"We've had fake Apple apps," Ducklin points out, "which you might have expected Google to spot, given that Apple has something in the way of a rival mobile ecosystem and doesn't actually produce Android apps at all. Same thing all over again with Nintendo, which doesn't publish its games on Android, yet was the victim of bogus apps that surely should have been obvious.

"And we've had companies that do produce Android apps targeted by imposters with apps that don't even try to look like or behave like the original."

In keeping with Google's open-platform philosophy, any registered developer can publish to Google Play without prior review -- a far cry from Apple's restrictive walled garden, where every app is checked and approved before it's allowed into the hallowed ground of the iTunes App Store. "You can't imagine Apple allowing this to be the status quo in its tightly-controlled app store," says Graham Cluley.

Is Google doing anything to protect you?

Google does make an effort to keep your phone safe. "Historically, Google has removed fake apps, especially if they are shown to be malicious," says David Emm. But the problem with the flood of fake BBM apps, according to Christopher Boyd, senior threat researcher at ThreatTrack Security, is that "as fast as they're taken down, new fake apps take their place."

Android includes a system called Verify Apps that checks an app when you install it on your phone, comparing it against Google's database of known malware; a freshly uploaded fake that isn't yet in that database slips straight past it. Meanwhile Google Play is protected by software called Bouncer, which runs new and existing apps in an emulated Android environment and watches for malicious behaviour.

But security researchers have found that wrong'uns can beat Bouncer by detecting its emulated environment and staying benign until the app runs on a real handset, or by shipping a clean app and slipping the dodgy dealings in later via an update to apparently benign software.

What does BlackBerry think?

"Blackberry can certainly contribute to having these apps taken offline," says Christopher Boyd, "but there are so many moving parts in large spam attacks that it's hard to work out who should be doing what. Android users, Google, and the targeted brand all have a part to play."

In this case, the targeted brand has explicitly blamed rip-off apps for delaying the official app. But BlackBerry stops short of giving Google a kicking: "We are in regular contact with Google and alert them when we notice fake apps appearing in the store," BlackBerry told me this week. "Google manages the removal of the apps based on Google Play policies."

I contacted Google to find out what the company is doing to tackle fake BBM apps, but Google declined to comment.

Malware takes different forms, from spyware that tracks your browsing and activity on your phone, to toll fraud that silently sends texts or places calls to premium-rate numbers. In fairness, most Android malware comes from other, third-party app stores -- so be extra-cautious if you must use other app stores.

But the presence of any fake apps at all in Google Play, especially for such a high-profile app, is surely unacceptable. The Big G must face the fact that not everyone is tech-savvy enough to avoid scammers, and should do more to protect its users.

Should Google clean up its act, or is a bit of danger part of Android's charm? Do you feel safe downloading apps from Google Play? Is safety from dodgy apps in the Apple App Store worth losing the freedom found in Google Play? Tell me your thoughts in the comments or on our Facebook page.