Research Paper showing Google is lying about the security risk on "sideloading"

[trcrsired]

Google Play Store Is Main Distributor of Malicious Apps, Study Reveals
Researchers found 67 percent of malicious app installs were via Google's official Android app store.

While downloading and file sharing are all less than 0.1% of malwares
https://www.pcmag.com/news/study-reveals-googles-play-store-is-main-distributor-of-malicious-apps

https://arxiv.org/pdf/[2010.10088](https://arxiv.org/pdf/2010.10088)

Also this:
Microsoft banned this malicious extension — Google promoted it anyway
https://www.windowscentral.com/software-apps/google-promoted-a-malicious-chrome-extension-after-microsoft-banned-it

[trcrsired]

[oliveiraleo]

Hello @trcrsired

The URL to the paper is pointing to its preprint (i.e. non-peer reviewed) version. The paper was peer reviewed and published in the 2021 IEEE Symposium on Security and Privacy (SP) and it's freely available in IEEE Xplore (see https://ieeexplore.ieee.org/abstract/document/9519429). The results, specially those you've mentioned from Table VII didn't change. Nonetheless, I believe this part of the conclusion seems relevant to KeepAndroidOpen context:

We reveal that the Play market is indeed the main app distribution vector of both benign and unwanted
apps, while, it has the best defenses against unwanted apps. Alternative markets distribute fewer apps but have higher
probability to be unwanted.

This conclusion is supported by the analysis draw from Table VIII:

On the better side of the spectrum, there are the Play market and Amazon’s market with the lowest IDRs of 0.6% and 0.7% respectively. This indicates that the security vetting process that the Play market applies to uploaded apps indeed has a positive effect on user security [2]. Compared to the Play market, the users of alternative markets have up to 19 times higher probability of encountering unwanted apps.

However, Table VIII also shows that open source / FLOSS software markets (e.g. F-Droid) were not prevalent on their study, as the top 10 markets the authors analyzed didn't include it.

IMO, these results won't help that much because on one hand, the PlayStore is the main vector of unwanted apps, but on the other, alternative markets have higher probability of serving unwanted apps. Perhaps the total number of installs directly influences the calculated probability? Maybe we should try to find any extra papers to support the claim or at least that include / focus on F-Droid, what do you think? If we are able to do so, then I think it would be worth suggesting that data to be included somewhere in the website.

Regards,
Leo.

[trcrsired]

Thanks for the thoughtful breakdown, Leo — I really appreciate the nuance you brought in. I wanted to add a few things from my side, especially around F‑Droid, scams, and some of the work I’ve been doing.

1. About F‑Droid and malware risk
   I don’t have hard numbers on F‑Droid either, but based on how the project works, I’d honestly expect the malware risk there to be much lower than on Play or any of the big alternative stores.

A few reasons why:

Everything on F‑Droid is FOSS, so the source code is open for anyone to inspect.
The repo is relatively small (around 6–7k apps), which naturally reduces the attack surface.
F‑Droid actually builds apps from source itself, so the usual Android malware tricks — repackaging, trojanized APKs, impersonation — basically don’t work.
And unlike Google, F‑Droid’s reputation is fragile. If they ever shipped something malicious, people would abandon it instantly. Google can survive repeated failures; F‑Droid can’t, so they have to be more careful.

So while the paper didn’t include F‑Droid because it wasn’t prevalent enough in their dataset, the security model alone strongly suggests it’s far safer than the markets that were analyzed.

2. On scams — you don’t need to install anything to get hit
   This is something I’ve unfortunately learned the hard way. I was almost scammed through my Pixel 9 using nothing but Google’s own preinstalled apps:

Phone by Google
Gmail by Google
University email hosted on Google
Scammer using a Gmail account

And Gmail didn’t even show me the sender’s full address, so I didn’t realize the email was coming from a random @gmail.com account instead of my professor’s university address. I almost sent $2,000 before Chase blocked the transfer. The university later confirmed it was a scam and blocked the sender. I filed reports with the police and identity‑theft authorities.

Local police also told me that Apple’s FaceTime is a major scam vector. Again — no sideloading, no third‑party apps, no sketchy websites. Just preinstalled software.

So when Google claims that “sideloading is dangerous,” it feels disingenuous. The biggest scam vectors are the apps they ship on every device.

3. On better security models (my PWA paper)
   I’m also working on a paper called Optional Walled Garden Through Progressive Web Apps. It proposes a security model that works across all major OSes — Windows, Linux, macOS, Android, iOS, FreeBSD, SerenityOS — and in all ways ends up being more secure than iOS’s locked‑down approach while keeps the openess of these operating systems.

https://github.com/trcrsired/optionalwalledgardenthroughpwa/blob/main/optionalpwawalledgarden.pdf

One of the big takeaways is that Google’s narrative about “sandboxing = security” is misleading. PWAs offer a cleaner, safer, more universal model — and ironically, Google and Apple are the ones actively trying to suppress them.

4. My FOSS PWA Store project
   I’m also building a GPLv3 PWA Store and I guarantee you it is much more secure and useful than f-droid:
   https://pwa-store-7x5.pages.dev

A few things worth noting:

It’s listed in the Microsoft Store, so it passed Microsoft’s security checks.
Every URL is independently verified through ScamAdviser.
PWAs + a curated store end up being a much safer distribution model than APKs.
Microsoft is actually doing a great job supporting PWAs (extensions on Android Edge, Store integration, Manifest V2 still supported).
Meanwhile Google refuses to add extensions to Android Chrome and keeps making life harder for PWAs.

If Google really cared about security, they’d be pushing PWAs, not undermining them.