The standard advice for Android users to avoid downloading malicious apps is simple: Only get apps from the official Google Play Store. Unlike third-party app stores that are generally difficult to vet and validate, Google Play has built-in mechanisms to screen every app for malware, ransomware, and assorted sketchiness. So why, then, has so much malware slipped through lately?

Take just last week, when the security firm Check Point discovered a new strain of Android malware called “ExpensiveWall” lurking in about 50 apps in the Play Store. They had cumulatively been downloaded between 1 million and 4.2 million times. Even after Google removed the offenders, Check Point discovered a new sample of the malware in Google Play (which got removed as well) that had quickly racked up more than 5,000 unique downloads. Meanwhile, researchers at the security firm ESET announced in early September that they had found malicious apps from the BankBot malware family in Google Play. The applications, which had names like "Earn Real Money Gift Cards" and "Bubble Shooter Wild Life," had malware directly in them and were also built to quietly download additional nefarious apps once installed. The list goes on.

While Google has fortified Play’s scanning defenses for years—they now fall under the umbrella of Google's Play Protect security suite—malicious apps frequently slip in, and some attract millions of downloads before Google can find and remove them. Openness is Android's hallmark, and the platform's huge scale is one of its core strengths. But those factors also make the Play Store a diverse morass for Google to police. Malicious applications still best the Play Store’s defenses and threaten Android users.

“Google had to step in and increase their security systems like a bouncer, and created Google Play Protect,” says Lukas Stefanko, a malware researcher at ESET. “Attackers are constantly trying to penetrate [Google’s] security systems."

For some mobile malware researchers, discovering malicious apps in Google Play is like a badge of honor. But they caution that the cat-and-mouse game has real stakes for Android users who could fall into the traps laid by ill-intentioned apps. Some masquerade as more popular software, luring you into downloading the wrong thing. Some hide inside flashy games or attractive customization apps (need a new wallpaper for your phone?) that seem earnest and clever.

App Intruders

Sneaking bad apps through typically doesn't require exploiting elaborate vulnerabilities in the architecture of Google Play. Hackers instead use fairly straightforward tricks to dupe Play Protect's scanning, including its adaptive machine learning-based mechanisms. Apps can be set up to execute their malicious code on a time delay, so that their shady behavior doesn't start until after they've been accepted and the review window has passed. Apps can be packaged such that their malicious components ship encrypted inside the app and are only decrypted and loaded at runtime, keeping them out of view of Play Protect's screening. And some apps don't carry any malicious code at all, but instead try to trick users into downloading additional (bad) software directly from attackers' servers, outside Google Play entirely, which makes the app that sits in the store difficult to flag as malicious.
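A concrete picture of what an analyst looks for when triaging an app for the three tricks above, as an added example written for this page rather than tooling from Check Point, ESET or Google: a small Python heuristic that scans the strings a decompiler would pull out of an app's classes.dex and flags scheduled-delay APIs plus hard-coded future activation dates (time bombs), runtime decryption combined with dynamic code loading (hidden payloads), and download-and-install of a second APK (droppers). The sample strings, package names, URL and scan date are constructed for the example; the indicator list is illustrative, not Play Protect's rules, and will also fire on plenty of legitimate apps.

```python
import re
from datetime import datetime, timezone

# Illustrative indicator patterns for the three evasion tricks, written for
# this example. Many benign apps schedule alarms or call Cipher, so a hit is
# a reason to look closer, not a verdict.
PATTERNS = {
    "time_delay": [
        r"Landroid/app/AlarmManager;->set",
        r"Landroid/app/job/JobScheduler;->schedule",
        r"Ljava/lang/System;->currentTimeMillis",
    ],
    "hidden_payload": [
        r"Ldalvik/system/DexClassLoader;",
        r"Ldalvik/system/InMemoryDexClassLoader;",
        r"Ljavax/crypto/Cipher;->getInstance",
        r"Ljava/lang/reflect/Method;->invoke",
    ],
    "remote_dropper": [
        r"application/vnd\.android\.package-archive",
        r"android\.permission\.REQUEST_INSTALL_PACKAGES",
        r"Landroid/content/Intent;->setDataAndType",
        r"https?://\S+\.apk",
    ],
}

# Numeric constants that could be an epoch time: hex, 10-digit seconds,
# or 13-digit milliseconds.
EPOCH_LITERAL = re.compile(r"\b(0x[0-9a-fA-F]{8,12}|\d{10}|\d{13})\b")


def find_future_timestamps(strings, reference, horizon_days=3 * 365):
    """Return (literal, datetime) pairs for constants that decode to a point
    in time after `reference` but within `horizon_days` of it.

    The simplest time bomb compares System.currentTimeMillis() against a
    hard-coded date and stays benign until that date passes. Random 10- or
    13-digit numbers also match the regex, so the window is bounded to keep
    the noise down."""
    ref_ts = reference.timestamp()
    hits = []
    for s in strings:
        for literal in EPOCH_LITERAL.findall(s):
            value = int(literal, 16) if literal.startswith("0x") else int(literal)
            if value > 10**12:          # milliseconds since the epoch
                value //= 1000
            if ref_ts < value <= ref_ts + horizon_days * 86400:
                hits.append((literal, datetime.fromtimestamp(value, timezone.utc)))
    return hits


def assess(strings, reference):
    """Group indicator hits by evasion category; empty categories are dropped."""
    report = {category: [] for category in PATTERNS}
    for s in strings:
        for category, regexes in PATTERNS.items():
            if any(re.search(rx, s) for rx in regexes):
                report[category].append(s)
    for literal, when in find_future_timestamps(strings, reference):
        report["time_delay"].append(f"activation constant {literal} -> {when:%Y-%m-%d}")
    return {k: v for k, v in report.items() if v}


# Constructed sample: strings as a decompiler might show them for a
# hypothetical wallpaper app that is really a dropper. Not from any real app.
SUSPECT_STRINGS = [
    "Lcom/example/wallpaper/MainActivity;",
    "Ljava/lang/System;->currentTimeMillis()J",
    "const-wide v0, 1514764800000",
    "Landroid/app/AlarmManager;->setExact(IJLandroid/app/PendingIntent;)V",
    "Ljavax/crypto/Cipher;->getInstance(Ljava/lang/String;)Ljavax/crypto/Cipher;",
    "AES/CBC/PKCS5Padding",
    "Ldalvik/system/DexClassLoader;-><init>(...)",
    "http://cdn.example.invalid/update.apk",
    "application/vnd.android.package-archive",
    "Landroid/content/Intent;->setDataAndType(Landroid/net/Uri;Ljava/lang/String;)Landroid/content/Intent;",
]

# Constructed benign sample: a notes app that reads the clock but does nothing
# else on the list, to show that a lone weak indicator is not a verdict.
BENIGN_STRINGS = [
    "Lcom/example/notes/MainActivity;",
    "Landroidx/recyclerview/widget/RecyclerView;",
    "Ljava/lang/System;->currentTimeMillis()J",
    "content://com.example.notes/items",
]

# Hypothetical date on which the scan is run.
SCAN_DATE = datetime(2017, 9, 20, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, strings in (("suspect", SUSPECT_STRINGS), ("benign", BENIGN_STRINGS)):
        print(f"== {name} ==")
        for category, evidence in assess(strings, SCAN_DATE).items():
            print(f"[{category}]")
            for item in evidence:
                print("   ", item)
```

The suspect sample lights up all three categories, including a constant that decodes to 1 January 2018, a few months after the hypothetical scan; the benign sample only trips the clock call, which is the kind of single weak hit that nearly every app produces. In practice an analyst would confirm a dynamic-loading hit by pulling the decrypted payload out of the app at runtime, since that is exactly the component static screening never sees.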

"Google invests a lot of resources in defense, but the popularity of Android and the shift into mobile devices just increases the amount of attacks on the platform," says Michael Shaulov, the head of products, mobile and cloud security at Check Point, a company that frequently discovers and reports problematic apps. "Hackers can profile exactly how Google's detection mechanisms work and then use things like time bombs, obfuscation, and hiding their code to sneak in. They're not new tricks, but they're still effective."

Google says that it has made steady progress on thwarting malicious apps, which it calls "potentially harmful apps," or PHAs. The company reports that in 2016, for users who downloaded apps exclusively from the Play Store, PHAs were present on 0.05 percent of devices, compared to 0.15 percent in 2015. But with more than two billion monthly active Android devices out there, Google knows that these tiny percentages can still translate into millions of affected users.