Last week, a report from the CSIS Security Group pointed ZDNet (and the rest of us) to a very shady app on the Google Play Store called “Updates for Samsung.” It offered to provide system-level Android updates to phones — and, in fact, it did redistribute Samsung’s software, though it was essentially a scam to get you to pay money for said updates.
Today, after we inquired, Google told The Verge that the app violated its policies and has been “suspended.” It is unclear what specific policy Google cited and when it became aware of the app. Last week, the developer of the app, Updato, claimed to BleepingComputer that it was pulling the app to “remove the firmware service portion and non Google payments,” though it defended the app as a “convenience to our audience.”
In a statement, Google said that “Providing a safe and secure experience is a top priority and our Google Play developer policies strictly prohibit apps that are deceptive, malicious, or intended to abuse or misuse any network, device, or personal data. When violations are found, we take action.”
The app had racked up more than 10 million downloads, according to Google Play’s counter. That doesn’t necessarily mean 10 million people were duped, however. The app’s user rating was weirdly high for a scam (nearly four stars), so it’s possible that in addition to trying to scam money from users, it was also gaming the Google Play Store’s analytics. On the other hand, the app has been around for more than six years, so some large number of people have installed it.
It’s not surprising that people search the Play Store for updates; it is surprising that Google left this app up
The app preyed on users’ desire to get OS-level updates for Samsung Android phones, something that usually takes longer than users would like. CSIS’s Aleksejs Kuprins told ZDNet that a “user can feel a bit lost about the [system] update procedure. Hence [they] can make a mistake of going to the official application store to look for system update.”
It is indeed a mistake but not an unreasonable one. The app’s creators essentially took advantage of the frustration many Android users feel about waiting for updates. Even if that 10 million downloads number isn’t anywhere near correct, it’s still pretty bad that Google didn’t seem to know about the scam until it surfaced in media reports last week.
As 9to5Google noted last week, the Updates for Samsung app did have a “download firmware” section, but it pushed users to pay a subscription fee by throttling those downloads — which, again, were likely being redistributed illegally and were unnecessary in the first place because Samsung distributes updates for its phones free of charge. Technically, it isn’t malware, but it is scammy.
Now it’s gone, but, sadly, many Android users may have been taken in by it. We’ve asked Google for more details about the suspension and will update if we learn more.
Updated at 4PM ET to include Google’s statement.