Google's kibosh on self-updating Android apps isn't just about Facebook

Android-app updates must use official Google Play channels to prevent scammers from turning safe apps into malware

It's official: Developers who want to push out app updates to Android users need to go through the Google Play update mechanism, according to a new update to the Google Play Developer Program Policies.

Google's move here may have been prompted by Facebook pushing out a new build directly to Android users rather than going through Google Play. Or it may have been aimed at thwarting a recently discovered malware-spreading technique that uses a bogus ad network to transform seemingly secure apps into malware.

Droid-Life first posted the news about the change to Google Play's policy, which consisted of adding the following sentence to the Dangerous Products section: "An app downloaded from Google Play may not modify, replace, or update its own APK binary code using any method other than Google Play's update mechanism."

Sure enough, about a month ago, the Facebook Android app started prompting users to install a new build, bypassing Google Play in the process. Some users panicked, uncertain if the update was legit. Facebook confirmed it was. Everyone slept soundly that night.

Although the Facebook app's self-update may have been innocuous, other self-updating apps from Google Play have proven to be harmful. Mobile security company Lookout recently discovered that cyber scammers had created a fake ad-delivery network, dubbed BadNews, that pushes updates to seemingly secure applications only after they've been installed.

Lookout reported finding 32 English and Russian apps that were part of the BadNews family, ranging from a Russian dictionary to popular games like Savage Knife, Bottle Shoot, True or False, and Stupid Birds. They had been collectively downloaded as many as 9 million times before the company alerted Google to the threat. Google responded by removing the apps and suspending the four associated developer accounts.

This story, "Google's kibosh on self-updating Android apps isn't just about Facebook," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog.

Copyright © 2013 IDG Communications, Inc.
