Summary of SEWORKS’ Study of Vulnerable Android Apps on Google Play

SEWORKS
Nov 12, 2015


As Security Week and other news outlets have reported this week, SEWORKS’ new study of Android apps on Google Play has found a large percentage to be vulnerable to decompiling — a process which reverse engineers an app to expose its source code, making it an easy target for malicious hacking exploits, including piracy, malware injection, and ad fraud. Here’s a summary of our report’s key data:

  • 85% of top 200 free apps on Google Play are decompilable, including top messaging/photo sharing services, casual games, music/video streaming services, and ironically, several antivirus apps.
  • 83% of top 100 paid apps on Google Play are decompilable, including dozens of blockbuster sandbox/simulation and puzzle/adventure games.
  • 87% of top 100 free game apps on Google Play are decompilable, including popular multiplayer, match-3, and real-time strategy titles, along with several games based on recent hit movies.
  • 80% of top 100 free non-game apps on Google Play are decompilable, including a leading VOIP communication service and the app for a major online retail service.
  • Overall, 95% of top 200 free Google Play apps can be reverse engineered, while 82% of the top 100 Google Play paid apps can be reverse engineered.

SEWORKS’ Jeffrey Yu is publishing a six-part series on Medium explaining the most common exploits apps are exposed to — part one is here.


SEWORKS

As a team of 6-time DEFCON CTF finalists, we focus on offensive and defensive app security.