A study of 8,000 of the most popular apps offered for download on the official Google Play app store found that 22% included adware. That's based on scans of the 300 most-downloaded apps in each of the many different Google Play categories, including business, entertainment, finance, games, medical and more.
"We have found around 1,845 applications which are flagged by one or more AV vendors as including adware. This is a big number," said Viral Gandhi, a security researcher at Zscaler ThreatLabZ, in a blog post that called out the "gap between Google Play and AV vendors on adware classification.".
Using Google-owned VirusTotal, which offers free scans of files and URLs to see if they're malicious, Zscaler found that 50% of top entertainment apps, 42% of personalization apps and 18% of education apps were flagged by one or more of the 43 antivirus engines used by the service as being adware. In addition, one in five gaming apps were adware, except for apps categorized as "casual" (26%) or cards (10%).
[ Not sure that post is legit? Read How To Spot A Facebook Scam. ]
What constitutes adware? "Most of the applications were flagged by AV vendors due to their excessive inclusion of ads and deceptive practices for delivering them, including altering device settings," Gandhi said. Of course, many types of software are distributed for "free," in exchange for users being subjected to advertisements. But at what point does aggressive advertising become an unfair or deceptive trade practice?
A Google spokesman, contacted by email, declined to comment on Ghandi's findings. According to developer guidelines, including an ad policy published by Google, however, all apps must offer "users a consistent, policy-compliant and well-communicated user experience," and these requirements "apply to the entire user experience of your application/extension."
Arguably, some types of adware found on Google Play would seem to be hiding what they're doing. As an example of what adware can do, Zscaler profiled the Windows Live Hotmail PUSH mail app, which was flagged as being adware by 21 different antivirus vendors. The app gathers a device's UDID, International Mobile Equipment Identity (IMEA) -- like a serial number -- as well as geo-location, stored contact information, SMS and call activity, and the app can also write to external storage.
For comparison's sake, Apple no longer allows iOS apps to collect UDIDs, owing to privacy concerns.
Adware aficionados might argue that consumers are willing to see ads, and even cede some privacy, in return for getting a free app. But it's worth noting that Windows Live Hotmail PUSH mail has a number of one-star -- the lowest rating that can be given -- reviews on Google Play, many of which suggest that the app doesn't just deliver advertising, but deception.
"Spam. Force pushes adware and as icons to my home screen," said reviewer Dean Cantrell. "Example: Keeps adding candy crush icon to my home screen. I ran an AVG scan when the problem started and I had just downloaded hotmail app. AVG scanned over 7,000 files and found two threats on my phone. This was one of them."
The app also uses the Airpush API, which ties into the Airpush mobile ad network, which many antivirus vendors flag as being an adware pusher. "Despite this fact, there are many apps within the Google Play store that include this API," said Gandhi.
Why does Google allow adware, when so many antivirus vendors flag these apps as being undesirable, if not deceptive? According to Gandhi, Google stands to benefit both from advertising, and enabling developers to offer a large number of apps for Android devices.
"Google wants to encourage developers to expand offerings in their app store and developers often profit from free apps through advertising. Paid apps may also include advertising, in which case, Google takes a direct cut from the app proceeds," he said. "Therefore, Google has plenty of incentive to allow apps with aggressive advertising practices."