Most of these apps have been developed out of Pakistan, India, or Germany, and according to a report, 88 percent of apps that belong to Indian organisations can write to users’ external storage.
Although the government is working on a Personal Data Protection Bill 2018 that is expected to pull up fraudulent app developers, the absence of a stringent law in India is letting some of them take advantage of loopholes to make money. Google's Play Store has been under the lens several times for apps that reportedly flout users’ privacy and collect needless data. Several security companies have claimed that they have found malicious apps on the Play Store and, for its part, Google has removed them.
Recently, a report cropped up in which a researcher found 19 fake GPS apps with a cumulative 50 million installs. He says that these apps show ads to make money and then run the native Google Maps application that comes pre-installed on every phone powered by Android OS. It means that the GPS app does not offer anything new, but the developer is still making money by flashing ads.
Google already has several combing ops running that weed out apps from the Play Store that either flout its policies or are reported to show inappropriate behaviour, but the truth of the matter is that Google's app auditing process has failed its users many times over.
I tested over 15 fake GPS Navigation apps with over 50,000,000 installs from #GooglePlay that violate Google rules.
These apps just open Google Maps or use their API without any additional value for user, except for displaying ads.
Some of them don't even have proper app icon. pic.twitter.com/eeIFQS5IVU
— Lukas Stefanko (@LukasStefanko) 17 January 2019
Even though Google has removed such apps from the Play Store, when we checked, they still remain on the platform. These apps were discovered by ESET Android security researcher Lukas Stefanko, who states that they promote themselves as full-featured apps and use screenshots from other legitimate apps to entice users to install them. Once these apps are installed and opened, they simply display an advertisement and then open Google Maps or use their API to display the user's current location.
“Purpose of these apps is ad revenue (easy money). They don't have any Navigation technology or know-how, they only misuse Google Maps. Once user clicks on Drive, Navigate, Route, My Location or other option, Google Maps app is opened,” Stefanko said in a tweet. Meanwhile, one of the developers says that the assessment done by the researcher is false and there is more to the app than meets the eye.
“We are shocked about the false assessment of Mr. Stefanko. Yes, we are using Google Maps API (and pay a lot of money for it therefore we show one full screen ad at the app start for monetization). But we extend the functionality of Google Maps by presenting nearby webcams, videos, photos, weather, sights, activities for families, sports, events and outdoor activities, map types for hiking and biking. Did Mr. Stefanko really test the app deeply? We don't violate Google Map's terms of service,” BleepingComputer quoted one of the app developers as saying.
Arrka claimed that a whopping 88 percent of Indian apps can write to users’ external storage, 79 percent of them have access to the smartphone’s call details, 66 percent have access to details about users’ email and social media accounts, 50 percent of the apps have access to the camera, 53 percent can read messages, and 27 percent have microphone access. The findings also said that 29 percent of the children-friendly Android apps took no permissions to access the different elements and the same percentage of apps had access to location and phone details.
In a nutshell, data privacy is still at a nascent stage in India. There is plenty of dialogue going on and progress has been made on the policy and regulatory front, but when it comes to privacy, developers and app stores alike have a responsibility to develop and offer only apps that neither collect user data without explicit consent nor exist solely to throw ads at users without providing the promised functionality.
Google recently announced that it will remove apps that require SMS and Call Logs permissions from the Play Store. For their part, users should also be aware and report any malicious activity by apps to the company. Stefanko states that he has already contacted Google about this, but these apps are still present on the Store. Digit has also reached out to Google seeking a response on what the company is doing in cases when such apps are found and remain on the Play Store for long. We will update you as soon as we hear from the company.