Google Play Will Enforce Business Checks To Curb Malware Submissions
Google is fighting back against the constant invasion of malware on Google Play by requiring all new developer accounts registering as an organization to provide a valid D-U-N-S number before submitting Apps.
The new measure aims to enhance the platform's security and trustworthiness and is part of the effort to curb malware submissions from new accounts.
Typically, malicious apps on Google Play are submitted for review without dangerous code or payloads, which are then fetched later via an update in the post-installation phase.
The offending apps are reported and removed from the Play Store, and their developers are banned. However, it is relatively easy for them to create a new account and submit the same dangerous apps under a new name and theme.
To deal with this loophole, starting on August 31st, 2023, Google will require all developers creating new Play Console accounts to provide a valid D-U-N-S number.
D-U-N-S (Data Universal Numbering System) are unique nine-digit identifiers assigned by commercial data and business analytics firm Dun & Bradstreet to unique businesses.
Organizations requesting a D-U-N-S number from Dun & Bradstreet have to submit several documents that help verify the provided information, and the process can take up to 30 days to complete.
D-U-N-S is a globally recognized proprietary standard used by the United States government, the European Commission, the United Nations, and Apple, and it's considered trustworthy.
By requiring a D-U-N-S number from software developers, Google will make it much harder for publishers of malicious apps to re-register on the app store, as they would have to set up a new company to return to the platform.
In addition to the above, Google will change the "Contact details" section of app entries on the Play Store, renaming it to "App support" and adding more information about the developer.
Previously, this section hosted the developer's name, email, and location, but now it will also include the company name, complete office address, website URL, and phone number.
This change will enhance transparency, empowering users with a clearer understanding of the company responsible for each app.
Google says it will regularly verify information provided by app developers for inclusion in that section.
If they find any inconsistencies, they will suspend the account's ability to publish apps on the Play Store, eventually removing existing apps after a specified period.
Google Play Updates Its Policies Permitting Blockchain Games And Apps
Missed the GamesBeat Summit excitement? Don't worry! Tune in now to catch all of the live and virtual sessions here.
Google Play has updated its store policy to allow for new ways to transact blockchain-based digital content within apps and games.
The move comes as a response to the growing interest in non-fungible tokens (NFTs) and other Tokenized Digital Assets, which offer unique and engaging experiences for users. Google signaled this was coming earlier this year, and it is now working with Web3 game makers such as Mythical Games, said Joseph Mills, group product manager for Google Play, in a statement.
While NFT games have had safe harbor on the Epic Games Store, others such as Apple, Google and Steam have prevented developers from selling such games, unless they had a very big Web2 component, meaning players could play a free-to-play game and pay for it with a credit card rather than cryptocurrency. With this change, Google Play will expose blockchain games to the masses. In the past, blockchain game companies had to hope for the best distributing their games on the open web — which presented them with considerable distribution problems as the app stores are where the players are.
Mythical Games said its NFL Rivals Web2/Web3 game hit nearly a million downloads in June. The Web2 and Web3 requirements ensure that platform owners such as Google Play can still collect their 30% fee on transactions.
As part of the new policy, developers must be transparent with users about tokenized digital assets, Mills said. If an app or game sells or enables users to earn tokenized digital assets, developers must declare this clearly. Additionally, developers may not promote or glamorize any potential earnings from playing or trading activities.
This will obviously force developers to downplay the "play-to-earn" game descriptions that were popular starting in 2021 when the NFT boom exploded and money poured into blockchain games. With the crypto winter, the NFT price crash and other scams, the notion of making a lot of money as an NFT speculator has become a lot less attractive in recent months.
Now, many Web3 game companies have opted to highlight other benefits, such as fun game play, player ownership and possible voting rights. Google pointed to "creative in-app experiences" that innovations can deliver.
"Like with any emerging technology, we must balance innovation with our responsibility to protect users. So, we've spoken with developers about responsibly supporting those opportunities while continuing to provide a safe, transparent, and trusted experience for everyone," Mills said.
While tokenized assets are meant to build more enriched, immersive experiences, Google Play said it is also emphasizing the importance of maintaining user trust. As such, apps that have not met gambling eligibility requirements cannot accept money for a chance to win assets of unknown real-world monetary value, including NFTs. (Google typically frowns on gambling, which presents various regulatory risks).
In line with Google Play's Real-Money Gambling, Games, and Contests policy, apps that have not met gambling eligibility requirements cannot accept money for a chance to win assets of unknown real-world monetary value, including NFTs. For example, developers should not offer purchases where the value of the NFT users receive is not clear at the time of purchase. This includes, but is not limited to, offering mechanisms to receive randomized blockchain-based items from a purchase such as "loot boxes," Mills said.
Working with developers Google PlayGoogle said the policy update was developed in close consultation with app and game developers and incorporates their feedback on how Google Play can continue to support their businesses. The goal is to create a level playing field that promotes user trust and responsible usage of blockchain technology.
"We really appreciate Google's partnership in this collaborative effort to bring about innovation in this space and move these new economies forward. We think these new policies are steps forward for both players and developers alike and will positively impact the adoption of new technology while also protecting consumers," said John Linden, CEO of Mythical Games, in a statement.
Reddit also offered a comment on the policy change.
"At Reddit we believe in empowering our users by providing transparency and a responsible approach to blockchain-based digital content – like our Collectible Avatars," said Matt Williamson, senior engineering manager at Reddit, in a statement. "We partnered with Google to help update their policy, aimed at creating a level playing field that promotes user trust, and responsible usage of blockchain technology. By setting clear guidelines, we can ensure that our users make informed decisions while enjoying immersive experiences."
Google Play said it expects users to begin seeing these in-app and game experiences later this summer, as a select group of developers will be help test and iterate the new user experience. The policy rolls out in full later this year to all developers on Google Play. Ownership of NFTs can unlock content in-app, whether a user bought the NFT through a Google Play app, or already owned it.
Looking ahead Nitro Nation World Tour by Mythical Games.The policy update is just the first step in Google Play's efforts to support blockchain-based app experiences. The company is also in talks with industry partners to further improve its support in areas such as secondary markets.
Overall, Google Play said the policy update is a positive development for developers looking to create engaging and immersive experiences through blockchain technology. As the technology continues to evolve, it's important that platforms like Google Play continue to support innovation while maintaining user trust and safety.
"We will continue to engage with developers to understand their challenges and opportunities — and how we can best support them in building sustainable businesses using blockchain technology," Mills said. "As a next step, we're talking to industry partners about further improving our support of blockchain-based app experiences, including in areas such as secondary markets."
I've included some of the formal language below:
Formal blockchain-based content policy languageAs blockchain technology continues to rapidly evolve, we aim to provide a platform for developers to thrive with innovation and build more enriched, immersive experiences for users. For the purposes of this policy, we consider blockchain-based content to be tokenized digital assets secured on a blockchain. If your app contains blockchain-based content, you must comply with these requirements.
Cryptocurrency Exchanges and Software WalletsThe purchase, holding, or exchange of cryptocurrencies should be conducted through certified services in regulated jurisdictions.
You must also comply with applicable regulations for any region or country that your app targets and avoid publishing your app where your products and services are prohibited. Google Play may request you to provide additional information or documents regarding your compliance with any applicable regulatory or licensing requirements.
Cryptomining[Note: This part of policy is not new / it was moved from the Financial Services section to this newly created Blockchain-based content policy section]
We don't allow apps that mine cryptocurrency on devices. We permit apps that remotely manage the mining of cryptocurrency.
Transparency Requirements for Distributing Tokenized Digital AssetsIf your app sells or enables users to earn Tokenized Digital Assets, you must declare this via the Financial Features declaration form on the App Content page.
When creating an in-app product, you must indicate in the product details that it represents a Tokenized Digital Asset. See "Create an in-app product" for additional guidance.
You may not promote or glamorize any potential earning from playing or trading activities.
Additional Requirements for NFT GamificationPursuant to Google Play's Real-Money Gambling, Games, and Contests policy, Gambling Apps that integrate tokenized digital assets, such as NFTs, should complete the application process.
For all other apps which do not meet the eligibility requirements for gambling apps and are not included in "Other Real-Money Game Pilots," anything of monetary value should not be accepted in exchange for a chance to obtain an NFT of unknown value. NFTs bought by users should be consumed or used in the game to enhance a user's experience or aid users in advancing the game. NFTs must not be used to wager or stake in exchange for the opportunity to win prizes of real-world monetary value (including other NFTs).
Examples of violationsApps that sell bundles of NFTs without disclosing the specific contents and values of the NFTs.
Pay-to-play social casino games, such as slot machines, that reward NFTs.
GamesBeat's creed when covering the game industry is "where passion meets business." What does this mean? We want to tell you how the news matters to you -- not just as a decision-maker at a game studio, but also as a fan of games. Whether you read our articles, listen to our podcasts, or watch our videos, GamesBeat will help you learn about the industry and enjoy engaging with it. Discover our Briefings.
Apps With 1.5M Installs On Google Play Send Your Data To China
Security researchers discovered two malicious file management applications on Google Play with a collective installation count of over 1.5 million that collected excessive user data that goes well beyond what's needed to offer the promised functionality.
The apps, both from the same publisher, can launch without any interaction from the user to steal sensitive data and send it to servers in China.
Despite being reported to Google, the two apps continue to be available in Google Play at the time of publishing.
File Recovery and Data Recovery, identified as "com.Spot.Music.Filedate" on devices, has at least 1 million installs. The install count for File Manager reads at least 500,000 and it can be identified on devices as "com.File.Box.Master.Gkd."
The two apps were discovered by the behavioral analysis engine from mobile security solutions company Pradeo and their description states that they do not collect any user data from the device on the Data Safety section of their Google Play entry
However, Pradeo found that the mobile apps exfiltrate the following data from the device:
While the apps might have a legitimate reason to collect some of the above to ensure good performance and compatibility, much of the collected data is not necessary for file management or data recovery functions. To make matters worse, this data is collected secretly and without gaining the user's consent.
Pradeo adds that the two apps hide their home screen icons to make it more difficult to find and remove them. They can also abuse the permissions the user approves during installation to restart the device and launch in the background.
It is likely that the publisher used emulators or install farms to bloat popularity and make their products appear more trustworthy, Pradeo speculates.
This theory is supported by the fact that the number of user reviews on the Play store is way too small compared to the reported userbase.
It is always recommended to check user reviews before installing an app, pay attention to the requested permissions during app installation, and only trust software published by reputable developers.
Update 7/6/23 5:51 PM ET: Google shared the following statement with BleepingComputer and said that they removed the apps from Google Play.
"These apps have been removed from Google Play. Google Play Protect protects users from apps known to contain this malware on Android devices with Google Play Services, even when those apps come from other sources outside of Play."
