Should Google Act Faster to Remove Malicious Copycat Apps?

Open source software is awesome. You have a choice of thousands of free applications, giving you a choice of how to support the developers. Some ask for a donation, others display an occasional advert, and so on. The important thing is that open source developers receive at least something in exchange for their work.

There are downsides to open source development too. For instance, anyone can take your work, clone it, change subtle details, and republish as if their own.

What happens in those instances? Can the original developer protect their work? Will the fraudulent “developer” suffer any consequence?

Google, VLC, and the Copycat

VLC is one of the best media players around. Loved by desktop and mobile users alike, VLC is an open source giant. VLC downloads stand at a phenomenal 2,495,411,000. That’s right: over 2.4 billion downloads.

VideoLAN, the development team behind VLC, recently confirmed that they turned down tens of millions of euros to bundle advertising with their software.

Advertising within an open source app isn’t against any free license (depending on who holds copyright). But a core ideal of the open source platform is keeping the development direction clear of distraction; for many developers that means steering clear of advertisements that generate profit for other companies. That’s not to say there aren’t developers that use advertising as an income stream.

VideoLAN, however, has long made it clear that their product will never feature advertisements. So imagine their surprise when an ad-supported Android clone that clearly breaks the VLC GPL (General Public License) soared to between five and ten million downloads, generating huge profits for its fraudulent owner in the process.

The app was available on the Google Play Store, but for a lengthy period, Google did nothing. This, despite thousands of people reporting the app as a clone and flagging the developer as malicious.

321 Media Player

There were several offending VLC clones, the worst of which was 321 Media Player. Despite being a direct clone featuring ads, the app racked up a 4.5 rating from over 100,000 reviews. A second clone, Indian VLC Player, had more than 500,000 downloads and a similarly high rating (though fewer reviewers).


Quite simply, 321 Media Player took VLC, added a bunch of ads, tried to cover it up by using the Media Player Classic icon (another open source media player for Windows), and didn’t even attempt to credit VideoLAN. Talking to TorrentFreak, VideoLAN President Jean-Baptiste Kempf confirmed the copycat app is in breach of the VLC GPL.

“The Android version of VLC is under the license GPLv3, which requires everything inside the application to be open source and sharing the source,” Kempf says. “This clone seems to use a closed-source advertisement component (are there any that are open source?), which is a clear violation of our copyleft. Moreover, they don’t seem to share the source at all, which is also a violation.”

Copycat Apps

One of the most surprising things is the sheer number of downloads the copycat app amassed. The Android community usually flags copycat and malicious apps quickly, letting Google know it needs removing. The process appears to have come unstuck in this instance.

In fact, VideoLAN filed DMCA complaints “several times” but each time—due to the DMCA process and Google Play Store policy—the copycat app was able to reactivate. But 321 Media Player is just the tip of the VLC-copycat iceberg. In a post to the Android subreddit, Jean-Baptiste Kempf lists another 21 ad-supported copycat apps, as well as a paid option. (Since the post was made, several of the copycat apps have disappeared, but many more remain.)

It is not a great look for Google and the Google Play Store. Unfortunately, the Google Play Store is rife with copycat apps. On the other hand, Google does recognize it as a significant problem and is working to combat the waves of copycats.

In 2016, Google identified and removed 210,000 apps. In 2017, this number was 700,000, a 70 percent increase. And of those 700,000, some 250,000 were direct or slightly modified copycat apps, “using confusable Unicode characters or hiding impersonating app icons in a different locale,” or even switching logos. And while the VLC copycat apps seek to profit from advertising revenue, copycat apps are inherently dangerous.
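As an added illustration (not code from the article, VideoLAN or Google), here is a small Python heuristic a store reviewer or researcher could run over app listings to flag titles that resolve to a protected name under a different developer, including the confusable-Unicode trick mentioned above. The confusable table, the listing records and the developer names are constructed for the example.

```python
import unicodedata

# Constructed, deliberately small confusable table (assumption: a real check
# would load the full Unicode confusables.txt data); maps look-alikes to ASCII.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u0456": "i", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0455": "s", "\u0445": "x", "\u0443": "y",
    "0": "o", "1": "l", "|": "l",
}

def skeleton(title: str) -> str:
    """Comparison key for an app title: NFKC (folds fullwidth and ligature
    forms), lowercase, map known confusables, strip accents and punctuation."""
    folded = unicodedata.normalize("NFKC", title).lower()
    mapped = "".join(CONFUSABLES.get(ch, ch) for ch in folded)
    decomposed = unicodedata.normalize("NFKD", mapped)
    return "".join(ch for ch in decomposed
                   if ch.isalnum() and not unicodedata.combining(ch))

def scripts_in(title: str) -> set:
    """Unicode scripts (LATIN, CYRILLIC, ...) used by the letters in a title."""
    return {unicodedata.name(ch, "?").split()[0] for ch in title if ch.isalpha()}

def copycat_reasons(listing: dict, brand: str, official_dev: str) -> list:
    """Reasons a listing looks like a copycat of `brand`; [] if nothing stands out.
    Substring matching is a recall-first heuristic and will need human review."""
    title, dev = listing["title"], listing["developer"]
    if dev == official_dev:
        return []
    reasons = []
    if skeleton(brand) in skeleton(title):
        reasons.append(f"title resolves to protected name {brand!r} under a different developer")
    if len(scripts_in(title)) > 1:
        reasons.append("title mixes scripts: " + ", ".join(sorted(scripts_in(title))))
    return reasons

def scan(listings: list, brand: str, official_dev: str) -> dict:
    """Map each flagged title to its reasons; clean listings are omitted."""
    result = {}
    for listing in listings:
        reasons = copycat_reasons(listing, brand, official_dev)
        if reasons:
            result[listing["title"]] = reasons
    return result

if __name__ == "__main__":
    # Constructed listings: one official, one plain-text copy, one using a
    # Cyrillic capital Es (U+0421) for the "C", one swapping the "L" for "1".
    SAMPLE = [
        {"title": "VLC for Android", "developer": "VideoLAN"},
        {"title": "Indian VLC Player", "developer": "ExampleAdsCo"},
        {"title": "VL\u0421 Player", "developer": "ExampleAdsCo"},
        {"title": "V1C Media", "developer": "ExampleAdsCo"},
    ]
    for title, reasons in scan(SAMPLE, "VLC", "VideoLAN").items():
        print(title, "->", "; ".join(reasons))
```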

There is more at stake than just advertising revenues. A copycat app is an easy source of malicious code. Unsuspecting users download apps without checking the developer’s details, whether there are “red flag” reviews, or even whether the download numbers match up. And if a user goes off-piste and uses an unverified third-party store or website, the chances of bumping into a malicious app increase further.

Avoiding Copycat Apps

Google’s Play Protect security suite is making it easier for Android users to spot malicious apps. Openness is part of Android’s allure, but also what makes it an easy target for scammers and malware purveyors. As ESET malware researcher Lukas Stefanko says, “Attackers are constantly trying to penetrate [Google’s] security systems.”


But for the most part, steering clear of malicious apps requires user knowledge and diligence. Double-check user reviews. Cross-reference the number of downloads. Examine the developer profile and check the developer’s other apps (for instance, the official Microsoft Corporation developer account features Word, Excel, Outlook, PowerPoint, and so on). Allow Google Play Protect to scan your apps periodically. And remember, if it is too good to be true, it probably is; while some premium apps do occasionally appear for free, all of the above still stands true.

Of course, in the case of 321 Media Player, using this list is slightly tricky. At first glance the app has great reviews, a solid number of downloads, and Google allows the listing on the Play Store. But on closer inspection, the copycat app’s negative reviews were mainly alerting unsuspecting users to the issue (whether they care or not, in the specific situation, is another thing). With that in mind, vigilance is key.


  1. Marilyn
    February 22, 2018 at 8:30 pm

    How can I delete old material from my Facebook without deleting someone as a friend? I am trying to free up some storage space.

  2. dragonmouth
    February 22, 2018 at 1:58 pm

    "anyone can take your work, clone it, change subtle details, and republish as if their own."
    That is the nature of GPL'ed Open Source. That is why DistroWatch, as of 2/18/18, has 307 Active Linux distributions, with 176 more waiting to be included on the Active list and another 41 waiting to be evaluated. Do you seriously think that all of those 524 distributions are totally unique? From being a distro-hopper, I can tell you that a great number are nothing more than copycats that differ only in cosmetic details and/or apps included.

    Doesn't Google vet applications before making them available in its Store? Or do they allow anybody and everybody to dump their crap into the Store database? HOW was it even possible for 910,000 bogus apps to get into the Store database unless Google chose not to control the process in any way. I suspect the reason for the copycat apps still being in Google Store is that Google is making money off of them. If they weren't and the bogus apps were hurting Google's reputation, they'd be gone in a New York minute.

    "Google considered ‘bad apps’ to be ones that install malware on targeted operating systems, steal data, copycat legitimate apps, or contain inappropriate content."
    Google management ought to look in the mirror first. While Google apps do not (as far as we know) install malware, contain inappropriate content or are copycat versions, they certainly do harvest data. Whether "harvesting data" is the same or similar to "stealing data" is for semanticists to battle over.

    "Openness is part of Android’s allure, but also what makes it an easy target for scammers and malware purveyors. "
    1) Android environment is only partially Open Source.
    2) Anybody can examine Open Source software to check for malicious or questionable code. That is one of the reasons Linux software does not contain or install malware.
    3) The only conclusion I can draw is that Google is not doing its job of checking the Open Source software submitted for inclusion in Google Store. Therefore, they have nobody to blame for the proliferation of "bad apps" but themselves.