A security vendor has found a large number of Android apps in Google Play with overly aggressive adware, raising questions about whether Google is effectively policing its online store.
Zscaler, which provides cloud-based security for mobile devices, on Thursday published research that found one or more antivirus vendors had flagged 22% of the 8,000 popular apps it tested.
"This is a big number," Viral Gandhi, security researcher, Zscaler ThreatLabZ, said in the company's blog. "Most of the applications were flagged by AV vendors due to their excessive inclusion of ads and deceptive practices for delivering them, including altering device settings."
The point at which adware invades a person's privacy is difficult to define. Ad networks pay developers to use their apps to deliver targeted advertising. For the advertisers to deliver ads relevant to the recipient, some personal information has to be collected by the adware installed with the app.
In general, adware invades privacy when it collects more data than what's needed to run the app and does not make it easy for the user to learn what's collected and how it is used.
Zscaler defines adware as exhibiting one or more "intrusive behaviors without requesting appropriate user consent." Those behaviors include harvesting excessive personally identifiable information, collecting the unique identifying number of the device, initiating phone calls and text messages and leaking location information, email addresses, contacts, calendar appointments or other personal information.
Zscaler found that a quarter of the 1,845 adware-carrying apps it discovered were flagged by 10 or more AV vendors, based on VirusTotal's engine for scanning files and URLs for malware. Google acquired the free service last year.
Zscaler claimed its findings illustrated the conflicting interests between Google and AV vendors. While Google wants developers to make money so they'll build apps for the Android platform, AV vendors have to show they can identify bad behavior, which justifies the cost of their products.
"Therefore, Google has plenty of incentive to allow apps with aggressive advertising practices," Gandhi said. "AV vendors on the other hand have no such incentive, but are instead under pressure to show that they are adding value by identifying malicious/suspicious/unwanted content."
Google did not respond to a request for comment, but Sorin Mustaca, data security expert for AV vendor Avira, said Google has been working with AV companies since buying VirusTotal. The collaboration has focused on detecting suspicious apps on Google Play as quickly as possible.
Rather that reflecting a conflict between Google and AV vendors, Zscaler's findings are more the result of the difference in which vendors detect adware, the fact there are thousands of apps to evaluate and the lack of a clear definition for privacy infringement, Mustaca said.
"I think that we will see in time a more clear guideline coming from Google in regards to ads," he said.
Adware commonly flagged by AV vendors include Airpush, Leadbolt, Airmob and Plankton, according to Zscaler. While the ads they display on a smartphone's home screen may be annoying, they are not illegal.
Corporations with employees using their own devices for accessing networks can protect themselves from data leakage through a number of mobile security tools, included device management and AV products.
"For sensitive entities (such as government agencies), there may be some concern here, but in general this is more of an end user problem," said Michael Sutton, vice president of security research at Zscaler.