1.2% of Google Play Store is Thief-Ware
To be considered a copy, two apps need to share more than 90 percent of their code, not counting library code: the bits of code that can legally be used by multiple developers. An advertising SDK, for instance, is library code, since the same piece of code can be used in multiple apps to show ads.
“These duplicates or repackaged applications should not be mistaken with different versions of an app,” said Bitdefender Chief Security Strategist Cătălin Cosoi. “Here, it’s about a publisher who takes an application, reverse-engineers its code, adds aggressive advertising SDKs or other beacons, then repackages and distributes it as his own.”
Out of the 420,646 applications analyzed, more than 5077 APKs were copies of other apps in Google Play. Some came with extra modules that radically modify the way the application behaves on the device it is installed on. These additional modules are used to access location, to leak the device ID or to connect to social media platforms such as Facebook and Twitter.
Reverse-engineering and APKs
By design, Android applications can be disassembled, modified and reassembled to provide new functionality. This way an attacker can easily rip an APK off the Play Store, turn it back into program code, modify it and distribute it as their own.
Most modifications add a new advertising SDK to the repackaged app or change the advertiser ID from the original app, so that revenue obtained through ad platforms is diverted from the original developer to the individual who plagiarizes their work.
Other modifications add extra advertising modules to collect more data from the user than the original developer planned. Moreover, if a developer initially collects only UDIDs and e-mail addresses, a plagiarized application can be extended to place home-screen icons, spam the notification bar and so on to maximize the hijacker's revenue.
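The copy criterion and the added-module findings described above can be sketched as a store-side check. This is an added example, not Bitdefender's tooling: it assumes similarity is measured as the Jaccard overlap of per-method body hashes, that library code is recognised by a package-prefix list, and that the app data (all constructed here) has already been extracted from the APKs.

```python
import hashlib

THRESHOLD = 0.90  # the article's "more than 90 percent" criterion
# Assumption: package prefixes treated as library code; the last one is made up.
LIBRARY_PREFIXES = ("com.google.ads.", "android.support.", "com.example.adsdk.")

def fingerprint(body):
    """Hash a method body with whitespace normalised, ignoring its name."""
    return hashlib.sha256(" ".join(body.split()).encode()).hexdigest()

def split_code(methods):
    """Return (fingerprints of the app's own code, library prefixes present)."""
    own, libs = set(), set()
    for name, body in methods.items():
        prefix = next((p for p in LIBRARY_PREFIXES if name.startswith(p)), None)
        if prefix:
            libs.add(prefix)
        else:
            own.add(fingerprint(body))
    return own, libs

def compare(original, candidate):
    """Score shared non-library code and list what the candidate adds."""
    own_a, libs_a = split_code(original["methods"])
    own_b, libs_b = split_code(candidate["methods"])
    union = own_a | own_b
    similarity = len(own_a & own_b) / len(union) if union else 0.0
    return {
        "similarity": similarity,
        "is_copy": similarity > THRESHOLD,
        "added_libraries": sorted(libs_b - libs_a),
        "added_permissions": sorted(set(candidate["permissions"]) - set(original["permissions"])),
    }

# Constructed sample data: method name -> body, plus requested permissions.
GAME = {f"com.game.puzzle.C{i}.run": f"return step({i});" for i in range(20)}
ADS = {"com.google.ads.AdView.load": "fetch(); render();"}
ORIGINAL = {"methods": {**GAME, **ADS}, "permissions": ["android.permission.INTERNET"]}
REPACKAGED = {
    "methods": {**GAME, **ADS, "com.game.puzzle.Boot.init": "startBeacon();",
                "com.example.adsdk.Push.show": "notify(ad);"},
    "permissions": ["android.permission.INTERNET",
                    "android.permission.ACCESS_FINE_LOCATION"],
}
# Shares only the ad library with ORIGINAL, so it must not count as a copy.
UNRELATED = {"methods": {**ADS, **{f"org.notes.N{i}.save": f"write({i});" for i in range(5)}},
             "permissions": ["android.permission.INTERNET"]}

if __name__ == "__main__":
    for label, app in (("repackaged", REPACKAGED), ("unrelated", UNRELATED)):
        print(label, compare(ORIGINAL, app))
```

Excluding library code before scoring is what keeps the unrelated app, which shares only the ad SDK, from being flagged.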