Skip to main content
Log in

Circumventing Google Play vetting policies: a stealthy cyberattack that uses incremental updates to breach privacy

  • Original Research
  • Published:
Journal of Ambient Intelligence and Humanized Computing Aims and scope Submit manuscript


Today digital technologies are evolving to accommodate small businesses and young entrepreneurs by reducing their time-to-market while encouraging rapid innovation in mobile, Extended Reality (XR), Internet of Things (IoT), cloud, and edge devices. The leading operating system Android typically takes one to a few days to perform application vetting and go to production by leveraging code analysis technologies in their Play Protect anti-malware program. However, developers with malicious intent are looking to circumvent this detection mechanism by exploiting Google’s relatively lenient trust policies that allow for package distribution and feature updates. This paper develops a proof-of-concept malware that exploits customers’ trust and Google’s policies to circumvent popular voice search applications. Our results show that attackers can initially circumvent Play Protect by uploading benign applications to build trust and then add malicious feature updates incrementally to distribute highly intrusive malware into user systems. This malware can scan and collect private user data from the device and exfiltrate it to the command-and-control server. The contributions are three-fold. (1) A proof-of-concept stealthy malware and publishing mechanism has developed that highlights the relative ease with which Google Play Protect policies may be subverted. (2) a comprehensive evaluation has been performed using major publicly available anti-malware solutions. (3) Recommendations and policies have been suggested to prevent this attack and ensure users’ privacy concerns (IMUTA is a novel attack in which malicious functionality is slowly added to a benign application through updates. This attack evades malware detection tools and exploits user trust. The attack can be launched against any application distribution platform like the Play Store).

This is a preview of subscription content, log in via an institution to check access.

Access this article

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6

Similar content being viewed by others

Data Availability

Data sources are highlighted in the paper.


  1. Firebase®. It is a cloud storage platform launched by Google and is considered the most trusted platform for storage, analytics, and back-end services for mobile and web applications.


  • Ahmed W, Rasool A, Javed AR, Kumar N, Gadekallu TR, Jalil Z, Kryvinska N (2021) Security in next generation mobile payment systems: a comprehensive survey. IEEE Access

  • Alazab M, Tang M (2019) Deep learning applications for cyber security. Springer, Cham

    Book  Google Scholar 

  • Allix K, Jerome Q, Bissyande TF, Klein J, State R, Traon YL (2014) A Forensic Analysis of Android Malware. In: 38th Annual Computer Software and Applications Conference, IEEE, pp 384–393, 10.1109/COMPSAC.2014.61, Accessed 22 July 2022

  • Buildfire (2022) Ultimate mobile app stores list., last checked on Jan 7, 2022

  • Cao M (2022) Understanding the characteristics of invasive malware from the google play store. PhD thesis, University of British Columbia

  • Fatima M, Abbas H, Yaqoob T, Shafqat N, Ahmad Z, Zeeshan R, Muhammad Z, Rana T, Mussiraliyeva S (2021) A survey on common criteria (cc) evaluating schemes for security assessment of it products. PeerJ Comput Sci 7:e701

    Article  Google Scholar 

  • Google (2018) Android Security and Privacy 2018 Year In Review. Report Dec, 2020

  • Hutchinson S, Zhou B, Karabiyik U (2019) Are we really protected? An investigation into the play protect service. In: 2019 IEEE International Conference on Big Data (Big Data), pp 4997–5004, 10.1109/BigData47090.2019.9006100

  • Imtiaz SI, Imtiaz SI, ur Rehman S, Javed AR, Jalil Z, Liu X, Alnumay WS (2021) Deepamd: detection and identification of android malware using high-efficient deep artificial neural network. Future Gen Comput Syst 115:844–856

    Article  Google Scholar 

  • Javed AR, Beg MO, Asim M, Baker T, Al-Bayatti AH (2020) Alphalogger: Detecting motion-based side-channel attack using smartphone keystrokes. J Ambient Intell Human Comput. pp 1–14

  • Javed AR, Rehman SU, Khan MU, Alazab M, Khan HU (2021) Betalogger: smartphone sensor-based side-channel attack detection and text inference using language modeling and dense multilayer neural network. Trans Asian Low-Resour Lang Inf Process 20(5):1–17

    Article  Google Scholar 

  • Javed AR, Shahzad F, ur Rehman S, Zikria YB, Razzak I, Jalil Z, Xu G (2022) Future smart cities requirements, emerging technologies, applications, challenges, and future aspects. Cities 129:103794

    Article  Google Scholar 

  • Karunanayake N, Rajasegaran J, Gunathillake A, Seneviratne S, Jourjon G (2022) A multi-modal neural embeddings approach for detecting mobile counterfeit apps: A case study on google play store. IEEE Trans Mob Comput 21(1):16–30.

    Article  Google Scholar 

  • Kumar A, Sharma A, Bharti V, Singh AK, Singh SK, Saxena S (2021) Mobihisnet: a lightweight cnn in mobile edge computing for histopathological image classification. IEEE Internet Things J 8(24):17778–17789

    Article  Google Scholar 

  • Lee W (2019) SeqDroid: obfuscated android malware detection using stacked convolutional. In: deep learning applications for cyber security. Springer International Publishing, Cham, pp 197–210,,

  • Liyanage M, Ahmed I, Okwuibe J, Ylianttila M, Kabir H, Santos JL, Kantola R, Perez OL, Itzazelaia MU, De Oca EM (2017) Enhancing security of software defined mobile networks. IEEE Access 5:9422–9438

    Article  Google Scholar 

  • Lu J, Issaranon T, Forsyth D (2017) Safetynet: Detecting and rejecting adversarial examples robustly. In: Proceedings of the IEEE international conference on computer vision. pp 446–454

  • McCarty B (2005) SELinux. O’Reilly Japan

  • Mercaldo F, Nardone V, Santone A, Visaggio CA (2016) Download malware? no, thanks: How formal methods can block update attacks. In: Proceedings of the 4th FME Workshop on Formal Methods in Software Engineering, Association for Computing Machinery, New York, NY, USA, FormaliSE ’16, p 22-28,

  • Mirza S, Abbas H, Shahid WB, Shafqat N, Fugini M, Iqbal Z, Muhammad Z (2021) A malware evasion technique for auditing android anti-malware solutions. In: 2021 IEEE 30th International Conference on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE), IEEE. pp 125–130

  • Montano IH, de la Torre Díez I, López-Izquierdo R, Villamor MAC, Martín-Rodríguez F (2021) Mobile triage applications: a systematic review in literature and play store. J Med Syst 45(9):1–11

    Article  Google Scholar 

  • Muhammad Z, Amjad MF, Abbas H, Iqbal Z, Azhar A, Yasin A, Iesar H (2021) A systematic evaluation of android anti-malware tools for detection of contemporary malware. In: 2021 IEEE 19th International Conference on Embedded and Ubiquitous Computing (EUC), IEEE. pp 117–124

  • Narayanan A, Chandramohan M, Chen L, Liu Y (2017) Context-aware, adaptive, and scalable android malware detection through online learning. IEEE Trans Emerg Topics Comput Intell. 1(3):157–175.

    Article  Google Scholar 

  • Ranaweera P, Jurcut AD, Liyanage M (2019) Realizing multi-access edge computing feasibility: security perspective. In: 2019 IEEE Conference on Standards for Communications and Networking (CSCN), IEEE. pp 1–7

  • Rasool A, Javed AR, Jalil Z (2021) Sha-amd: sample-efficient hyper-tuned approach for detection and identification of android malware family and category. Int J Ad Hoc Ubiquitous Comput 38(1–3):172–183

    Article  Google Scholar 

  • Rehman A, Razzak I, Xu G (2022) Federated learning for privacy preservation of healthcare data from smartphone-based side-channel attacks. IEEE J Biomed Health Inform

  • Renjith G, Aji S (2022) Unveiling the security vulnerabilities in android operating system. In: Proceedings of Second International Conference on Sustainable Expert Systems. Springer, Cham. pp 89–100

  • Report AS (2022) Google play protects 2.5 billion active devices., last checked on Jan 4, 2022

  • Roy AK, Nath K, Srivastava G, Gadekallu TR, Lin JCW (2022) Privacy preserving multi-party key exchange protocol for wireless mesh networks. Sensors 22(5):1958

    Article  Google Scholar 

  • Saracino A, Sgandurra D, Dini G, Martinelli F (2018) MADAM. IEEE Trans Depend Secure Comput. 15(1):83–97.

    Article  Google Scholar 

  • Shalaginov A (2021) Review of the malware categorization in the era of changing landscape. Malware Analysis Using Artificial Intelligence. Springer, Cham

    Google Scholar 

  • Sharma S, Khanna K, Ahlawat P (2022) Survey for detection and analysis of android malware (s) through artificial intelligence techniques. Cyber security and digital forensics. Springer, Cham, pp 321–337

    Chapter  Google Scholar 

  • Srivastava G, Jhaveri RH, Bhattacharya S, Pandya S, Maddikunta PKR, Yenduri G, Hall JG, Alazab M, Gadekallu TR, et al. (2022) Xai for cybersecurity: State of the art, challenges, open issues and future directions. arXiv preprint arXiv:2206.03585

  • Stonehem B (2016) Google android firebase: learning the basics, vol 1. First Rank Publishing

  • Tian K, Yao D, Ryder BG, Tan G, Peng G (2020) Detection of repackaged android malware with code-heterogeneity. IEEE Trans Depend Secure Comput 17(01):64–77.

    Article  Google Scholar 

  • Usman N, Usman S, Khan F, Jan MA, Sajid A, Alazab M, Watters P (2021) Intelligent dynamic malware detection using machine learning in ip reputation for forensics data analytics. Future Gen Comput Syst 118:124–141

    Article  Google Scholar 

  • Viennot N, Garcia E, Nieh J (2014) A measurement study of google play. In: The 2014 ACM international conference on Measurement and modeling of computer systems - SIGMETRICS ’14, ACM Press, Austin, Texas, USA, pp 221–233,,

  • Zhao J, Cao B, Liu X, Yang P, Singh AK, Lv Z (2022) Multiobjective multiple mobile sink scheduling via evolutionary fuzzy rough neural network for wireless sensor networks. IEEE Trans Fuzzy Syst

Download references


This research is funded by Sheila and Robert Challey Institute for Global Innovation and Growth, North Dakota State University (NDSU), USA.

Author information

Authors and Affiliations


Corresponding author

Correspondence to Thippa Reddy Gadekallu.

Ethics declarations

Conflict of interest/Conflict of interest

The authors share no conflict of interests.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Muhammad, Z., Amjad, F., Iqbal, Z. et al. Circumventing Google Play vetting policies: a stealthy cyberattack that uses incremental updates to breach privacy. J Ambient Intell Human Comput 14, 4785–4794 (2023).

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: