Is it Adware? Antivirus Vendors Say Yes, Google Says No

It's totally true that we'd have a lot fewer free games and other apps if developers couldn't recoup some of their costs by displaying advertisements. It's equally true that some ad-supported programs and ad networks go way, way beyond what's reasonable in pushing ads and harvesting personal information. Some will even change your wallpaper, or tweak your ringtone so you hear an ad when you get a call. Mobile security vendor Lookout threw down the gauntlet a couple months ago, calling out ad networks with bad behavior. A new study by Zscaler shows that quite a few other vendors agree. The one holdout? Google. Researchers at Zscaler took the top 300 apps in each Google Play category and ran them through the VirusTotal service. When you submit a file, VIrusTotal runs the file past over 40 antivirus scanners and reports how many (and which) identified it as some kind of malware. On this basis, the researchers determined that 22 percent of the apps were flagged as adware by at least one vendor.
Many Voices
The report goes on to analyze just how many antivirus vendors flagged each of the over 1,800 alleged adware products. They broke the apps down into four groups based on how many products called them malicious: fewer than five, five to ten, ten to 15, and 15 or over. The 15 or over group comprised just 2 percent of the total, while 23 percent fell in the ten to 15 range. The majority of the products, 53 percent, got zinged by five to ten products. That "fewer than five" category? Only 22 percent of the apps matched it. Clearly we're not talking about a lone vendor with a vendetta against advertising. Five or more antivirus vendors agreed on the adware designation for the vast majority of the apps involved.
The report continues with a detailed analysis of one sample, and links to the VirusTotal analysis for all of those that were flagged as adware by more than 15 vendors. You can see an example here. Different vendors give it different names, from UnclassifiedMalware to Airpush to Plankton, but 21 of the 46 antivirus scanners identified it as malicious.
Conflicting Aims
"It is in the best interests of Google to appease advertising companies," notes the report. "Google has plenty of incentive to allow apps with aggressive advertising practices. AV vendors on the other hand have no such incentive but are instead under pressure to show that they are adding value by identifying malicious/suspicious/unwanted content."
The report goes on to point out that Apple has taken a very different approach. "[Apple has] shown that they're willing to sacrifice advertising revenue to provide a positive user experience, even restricting the ability of advertisers to track device IDs and MAC addresses." You'll want to read the full report, which concludes with a list of the "intrusive behaviors" that Zscaler's team feel serve to define adware. Not surprisingly, this list agrees closely with Lookout's definition.
There's one more wrinkle to this story; Google acquired VirusTotal last year. At the time, the word was that VIrusTotal would continue to operate independently from Google. Should we be worried about Google interfering with the way VirusTotal handles Android apps? Of course not! After all, the Google motto is "Don't be evil."