A new oversight in Google Play, the official Android app store, has allowed half a million Android users to download malware that infects their smartphones. It is not yet known exactly how serious it can become.

This is another scandal that once again exposes Google's inability to keep the Android ecosystem safe. More than half a million people have downloaded malware directly from the company's app store.

A computer security researcher, Lukas Stefanko, who works at ESET, has published on his Twitter account details of 13 different apps, made by the same developer, that could be downloaded from Google Play. Two of these applications were among the most downloaded, which gave them much more visibility.

The app deceived those who downloaded it, making them believe that it was a game, but when they tried to open it, it failed and closed.

In reality, the malware does start: while faking the crash, it downloads another app, installs it on the smartphone in the background and removes the icon of the original app. At the moment it is unknown what it does, but it maintains a persistent state, starting again even if the device is restarted.

Because the app asked the user for total permissions when it was installed (half a million people accepted), it is able to spy on all the traffic entering and leaving the smartphone, which makes it possible to obtain private data.

For years the victim has been blamed, with the argument that users should be more careful when accepting permissions for the apps they download, but the reality is that for too long Google has allowed developers to have all possible access to all the data on Android users' smartphones, without real ways to prevent it.

Only recently has Google implemented more security features in the new versions of its operating system, and it is slowly trying to prevent developers from obtaining more permissions than are necessary to operate on an Android smartphone.

But if Google Play itself allows developers with bad intentions to offer malware in the official application store, all these efforts will be of little use.