If you own an Android smartphone, then the place you go to get your apps is most likely the Google Play Store. It's the safest and most convenient, and you can generally rely on Google Play Protect to ensure that the apps you download are safe and won't harvest your data or take over your smartphone. However, that isn't quite the full picture.

If you've been following Android for a long time, then you've probably read the reports that come out every few months about how a couple of heavily-downloaded apps were spotted housing malware. While it's not typically the most popular apps that end up quietly delivering malware to your smartphone, it's enough of a problem that users should be wary of downloading apps that aren't hugely popular.

Recently, a report from Russian cybersecurity firm Kaspersky's Secure List detailed how much it costs for different types of malware to function on the Play Store. For example, it costs anywhere from $2,000 to $20,000 to pay for a "loader" that injects malicious code into an already existing app while bypassing Google Play Protect. These apps are typically available on the Google Play Store with 5,000 downloads or more and pose no threat until a future update. So while Google promises security, you still need to be careful even when using the official Android app store.

The making of Google Play Store malware is a profitable industry

Given the amount of money that can be made from malware being distributed on the Google Play Store, it's no wonder that there are many attempting to game the system. Play Protect can only do so much, and it appears to be much better at recognizing known attacks than new ones. As Secure List notes, many of these attackers specifically advertise that they can bypass Google Play Protect.

The biggest issue comes from the fact that no app is really safe. Technically, any app can be purchased by somebody looking to load their own malicious code into it. At that point, the developer will then push an update to end users who unwittingly install it and compromise their own security. This is likely how major apps with over a million downloads don't get caught; they weren't malicious as they grew.

That means there's a fundamental flaw in the Google Play Store that malicious actors can abuse: purchase an already-thriving app and use its update channel to distribute malware. Google puts a lot of faith in Play Protect to help users, and while it seems to do a lot of good work, the fact that attackers can sell products that bypass it as a security mechanism shows that it's not as powerful as it may seem from the outside.

The best defense is to limit the apps you install

Because any app can be a potential attack vector, the best (and only) defense you can really rely on is not to install too many apps. The fewer apps you have installed, the less likely it is that one of your installed apps will be updated with malicious code. For what it's worth, an app that turns malicious in an update will usually have to request extra permissions, and as Secure List notes, some of them may even try to get you to install another application to grant those additional permissions. This means they're easy to spot, but you do need to keep an eye out anyway.

Even more important is to install apps from developers that you can trust. Smaller, lesser-known developers are more likely to want to sell their apps to would-be attackers, whereas established developers will be more trustworthy. That's not to say that the opposite can't happen, but it's a game of probability, and there are few moves you can make that are surefire ways to protect yourself.

You can also limit the types of apps you install. Secure List notes that "cryptocurrency trackers, financial apps, QR-code scanners and even dating apps" are the most egregious offenders. Most phones have a QR-code scanner built into the camera now, and if yours doesn't, Google Lens (which is pre-installed) supports QR-code scanning. As for cryptocurrency trackers, there are plenty of web-based alternatives that don't require an app.

However, shifting the diligence to the user's end can only go so far, and it's clear that Google needs to take further steps to protect users. Yearly Android updates like Android 14 often come with security updates. The most recent release, specifically, requires apps to target modern API levels so that they can't rely on loopholes in older ones. Google Play Protect will remain a core part of the defense, though, because not every phone gets an update to the latest version of Android. If yours can, then always keep it up to date.
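The two warning signs discussed above, an update that suddenly requests extra permissions and an app that still targets an old API level, are both visible in the output of `adb shell dumpsys package <pkg>`. The script below is an added example, not code from this article or from Kaspersky's Secure List: it parses two snapshots of that output (the package names, versions and permission lists are constructed for the example, mimicking the real `Package [...]`, `targetSdk=` and `requested permissions:` lines), flags packages whose update gained a watch-listed permission, and flags packages whose `targetSdk` is below 23, the floor Android 14 applies to new installs.

```python
"""Audit Android package snapshots for permission creep and stale target SDKs.

Added example, not from the article or from Secure List. It assumes the text
format that `adb shell dumpsys package <pkg>` prints; the packages, versions
and permissions in BEFORE/AFTER are constructed for illustration.
"""
import re

# A subset of the runtime permissions Android classifies as "dangerous".
DANGEROUS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_PHONE_STATE",
}
# Also watch the permission an app needs to push a second installer at the user.
WATCHLIST = DANGEROUS | {"android.permission.REQUEST_INSTALL_PACKAGES"}
MIN_TARGET_SDK = 23  # Android 14 refuses to install apps targeting anything lower

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
SDK_RE = re.compile(r"targetSdk=(\d+)")
PERM_RE = re.compile(r"^\s*([\w.]+\.permission\.[A-Z_]+)")


def parse_dumpsys(text):
    """Return {package: {"targetSdk": int or None, "requested": set of permissions}}."""
    pkgs, cur, in_block = {}, None, False
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:  # a new "Package [name]" header starts a new record
            cur = pkgs.setdefault(m.group(1), {"targetSdk": None, "requested": set()})
            in_block = False
            continue
        if cur is None:
            continue
        s = SDK_RE.search(line)
        if s:
            cur["targetSdk"] = int(s.group(1))
        if line.strip() == "requested permissions:":
            in_block = True
            continue
        if in_block:
            p = PERM_RE.match(line)
            if p:
                cur["requested"].add(p.group(1))
            else:
                in_block = False  # any other heading ends the permission list
    return pkgs


def audit(before, after):
    """Diff two parsed snapshots and return a list of (package, finding) tuples."""
    findings = []
    for pkg, info in after.items():
        old = before.get(pkg, {"targetSdk": None, "requested": set()})
        gained = (info["requested"] - old["requested"]) & WATCHLIST
        for perm in sorted(gained):
            findings.append((pkg, f"update now requests {perm}"))
        sdk = info["targetSdk"]
        if sdk is not None and sdk < MIN_TARGET_SDK:
            findings.append((pkg, f"targetSdk={sdk} is below {MIN_TARGET_SDK}"))
    return findings


# Constructed snapshots: a QR scanner before and after a suspicious update,
# plus a notes app that never moved off an old target SDK.
BEFORE = """\
Packages:
  Package [com.example.qrscan] (1a2b3c):
    userId=10123
    versionCode=7 minSdk=21 targetSdk=33
    requested permissions:
      android.permission.INTERNET
      android.permission.CAMERA
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.notes] (4d5e6f):
    userId=10124
    versionCode=3 minSdk=16 targetSdk=22
    requested permissions:
      android.permission.INTERNET
"""
AFTER = """\
Packages:
  Package [com.example.qrscan] (1a2b3c):
    userId=10123
    versionCode=8 minSdk=21 targetSdk=33
    requested permissions:
      android.permission.INTERNET
      android.permission.CAMERA
      android.permission.READ_SMS
      android.permission.REQUEST_INSTALL_PACKAGES
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.REQUEST_INSTALL_PACKAGES: granted=true
  Package [com.example.notes] (4d5e6f):
    userId=10124
    versionCode=3 minSdk=16 targetSdk=22
    requested permissions:
      android.permission.INTERNET
"""

if __name__ == "__main__":
    for pkg, finding in audit(parse_dumpsys(BEFORE), parse_dumpsys(AFTER)):
        print(f"{pkg}: {finding}")
```

On a real device, save `adb shell dumpsys package <pkg>` for each installed app before and after updates and feed the two files to `parse_dumpsys`; a `requested permissions:` list that grows to include SMS, contacts or the install-packages permission in a QR scanner or tracker is exactly the pattern the article describes.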