La removing apps from Google Play This isn't a one-off or isolated incident: it's part of an ongoing strategy of cleanup and control with which Google tries to keep Android a relatively secure environment, despite the millions of apps uploaded and updated every year. What's not always visible from the outside is the extent of this vetting process and what types of apps end up being removed.
In recent years we have seen Removals due to advertising fraud, malware, junk apps, copyright violations, offensive content, and simple technical blunders that didn't meet the minimum quality standards. Furthermore, the company is reinforcing this process with artificial intelligence, new security features such as live threat detection, and an increasingly strict policy with repeat offenders. Let's review, case by case, the most striking examples and the signs that can help you know if something strange is happening on your phone.
Major ad fraud campaigns: SlopAds and IconAds
One of the most serious challenges for Google Play in recent times has been... massive advertising fraud campaigns orchestrated through seemingly legitimate appsTwo operations uncovered by HUMAN's Satori Threat Intelligence team stand out here: SlopAds and IconAds.
In the case of SlopAdsThe researchers identified 224 malicious applications hosted on the Play Store itselfnot in obscure repositories or websites of dubious reputation. Between them, they totaled more than 38 million downloads and were capable of generating around 2.300 billion ad requests per day, a colossal volume of fake impressions that would have meant losses of millions for advertisers.
The key to SlopAds was its silent and highly sophisticated modus operandiThe apps functioned normally after installation, but if the user clicked on a specific ad related to the campaign before downloading them, a kind of hidden "switch" was activated. Through Firebase Remote Config, the apps downloaded an encrypted configuration file with links to malicious modules and command and control servers.
That file led to a second phase: the The malware downloaded several seemingly innocent PNG imageswhich actually contained fragments of code from a module called "FatModule". Once recombined and executed, this component launched invisible WebViews on the device, as if they were game or news portals, and proceeded to displaying background advertising to generate fake clicks without the user seeing anything.
Google is done removing all apps involved in SlopAds HUMAN released the app and updated Play Protect to detect this pattern, ensuring that affected devices were protected. But HUMAN experts warned that the attackers had plans to scale the operation and are likely to return with similar variants, so the threat is far from over.
Something similar happened with IconAds, another far-reaching campaign that led Google to delete more than 350 fraudulent applications from the Play Store. In this case, cybercriminals relied on modern tactics such as stealing credentials from legitimate developers or buying existing apps with a good reputation, and then embed malicious code in later updates.
The apps linked to IconAds were experts at camouflage: modified their They either hid the icon or replaced it with other generic symbols. so that the user couldn't easily find them and, therefore, couldn't uninstall them. Meanwhile, they flooded the phone with aggressive advertising and remained active in the background.
A total of 352 related apps were detected, whose names seemed harmless (for example, combinations of generic words like "character.word.lexi.stat" or "com.animal.kitten.selfie"). Although Google removed them from the store and Play Protect blocks new installations, the already installed apps don't disappear on their own: The user must locate and delete them manuallyHuman Security maintains a public list of these apps so that anyone can check if they have any installed.
Security caps: numbers of blocked apps and the role of AI
Beyond specific cases, Google performs a massive and continuous cleanup of potentially harmful or low-quality applicationsIn just one recent year, around 2,3 million app submissions to the Play Store were blocked, halting their publication before they reached users.
In parallel, the company It closed approximately 158.000 developer accounts. for attempting to distribute spyware, malware, or other types of dangerous software. In previous exercises, the figures have been similar or even higher, with peaks of more than 2,28 million apps blocked and more than 300.000 developer profiles banned when repeated abuse or suspicious behavior patterns were detected.
A significant part of this effort is driven by the artificial intelligence that assists human reviewsAccording to Google's own data, over 90% of decisions to review potentially harmful apps are now supported by AI models, allowing for faster and more accurate action. This has helped to nip many threats in the bud before they even appear in the store.
Thanks to this filtering, the granting of permits that don't make sense has also been reduced: they have been avoided over 1,3 million apps with excessive permission requests that would have given unjustified access to sensitive data such as contacts, location, microphone or camera.
Even so, Google insists that Play Protect and automatic checks are not foolproofHundreds of billions of apps and updates are analyzed every day, and some threats manage to slip through. That's why the usual recommendations remain key: check reviews, don't install apps from unknown developers lightly, manage your apps And if anything unusual is detected, uninstall it as soon as possible.
New quality policies: goodbye to junk apps and broken apps
In addition to direct threats, Google wants to clean up its store of Junk apps that don't add value or don't even work properlyTo this end, it has updated its spam and minimum and broken functionality policies, with a specific implementation schedule starting in 2024.
Under the umbrella of the minimum functionalityThe Play Store will remove or downgrade all apps that simply display static text, a plain PDF, a single image, or whose content is so minimal that they offer little of use. Also targeted are... Basic apps with a single wallpaper, unchanged clones, or tools that literally do nothing except to serve as an excuse to sneak in advertising.
In the section broken functionalityThe target is apps that constantly close, freeze upon opening, fail to install properly, don't load, or are unresponsive to user actions. Until now, these apps could remain in the store with poor ratings and warnings, but Google's intention is Remove them directly to reduce frustration who downloads them from.
This strategy isn't entirely new: in 2020, very popular apps like Mitron o Remove China Apps for violating spam and minimum functionality policies, despite accumulating millions of downloads. The idea is to prioritize quality and security over popularity, even when apps have gone viral.
In parallel, Android 15 introduces the so-called live threat detectionThis feature uses AI to analyze, in real time, behavioral signals related to sensitive permissions and interaction between applications. If a typical malware pattern is detected, the system can flag the app as dangerous and even facilitate its removal from Google Play.
Malicious apps that hide or are difficult to delete
Another delicate case involves applications that, even though they are on the Play Store, use tricks to hide on the device or make its uninstallation as difficult as possibleThere have been several campaigns where the user believed the app was giving an installation error, but in reality it remained activated in the background.
When installing certain apps, a message appeared like this: "This app is incompatible with your device" Then Google Maps would open as if nothing had happened. Many users assumed it was simply incompatible and forgot about it, when in reality the program was already installed, but had removed its icon from the app drawer to go unnoticed.
In other variations, instead of disappearing, the app icon It would change to the typical download symbol or another generic iconso the user thought it was a system component and not a suspicious program. This ensured it remained on the phone for a long time, collecting data or displaying ads.
Among the applications detected in one of these waves were names like Flash On Calls & Messages, Rent QR Code, Image Magic, Generate Elves, SavExpense, QR Artifact o Find Your Phone, in addition to various background editing and image cropping tools (Auto Cut Out Pro, Background Cut Out, Photo Background, ImageProcessing, Auto Cut Out 2019, etc.).
Users began to Notify Google through comments and reports on the Play Storedetailing the strange behavior of these apps. Since the volume of applications and reviews is enormous, it can take some time for all complaints to be reviewed and for apps to be removed, so knowing the names involved beforehand and avoiding them is a good extra layer of defense.
Famous examples of apps removed due to content, rights, or fraud
Throughout Android's history, there have also been There have been many high-profile cases of apps being withdrawn for legal, ethical, or simply deceptive reasons.Some of them were very popular, which shows that it's not just small, unknown apps that are being purged.
A clear example is DurakA card game very popular in Russia and other countries of the former Soviet bloc. There was a specific version on Google Play that reached over five million downloads and turned out to be malicious: after installation, it began injecting malware. pop-ups in other apps to force clicks on ads and generate more revenue. When the fraudulent behavior was discovered, Google removed it. Today it's possible to download Durak games without this problem, but that case marked a turning point.
Another front has been that of the console emulatorsIn principle, emulators are not prohibited as such, and the store has examples for almost all classic machines. However, the emulator PSX4droid It was withdrawn following pressure from Sony, which at the time was promoting the Xperia Play and didn't look favorably upon an app that allowed users to play PlayStation titles without a controller. The use of the console's BIOS in the process didn't help matters either. Interestingly, other similar emulators like FPse have remained available.
Something similar happened with Snes9XOne of the best Super Nintendo emulators for Android. Nintendo reportedly pressured for its removal from the Play Store, but this hasn't stopped it from appearing. variants based on its code or alternative emulators like SuperRetro16, which even had to change its original name (SuperGNES) for trademark reasons.
Apps related to copyrighted content have also had a complicated life on Google Play. popcorn TimeThe app, which offered streaming of copyrighted movies and TV shows, tried to sneak into the official store, but was quickly removed for the obvious legal violation. The same thing happened with the official app of Grooveshark, a well-known service for listening to free music, which disappeared from the store long before the service closed, precisely because of the conflict with licensed music.
In the area of ​​offensive and discriminatory content, one of the most controversial examples was the app "Is my son gay?"A supposed test to "determine" if a child was gay. The app had no scientific basis whatsoever and conveyed a clearly homophobic message, so it was removed years ago, and no significant clones have appeared on the Play Store since.
There's also room for scams in the form of fake security apps. The case of Virus Shield He became especially famous: he showed promise Remove viruses and protect your mobile phone with a thorough scanHowever, its code, when analyzed, revealed that it did absolutely nothing useful. Basically, it ran a countdown and displayed an animation to simulate activity. After the deception was exposed, Google removed the app and closed the developer's account.
In the field of downloading content from YouTube, TubeMate For a time, it was one of the most popular apps for saving videos to devices. Google and YouTube weren't too happy that thousands of users could Download videos outside the official systemThis was further fueled by paid services that allowed limited downloads for offline viewing. Ultimately, TubeMate was removed from the Play Store, although it can still be obtained through other means.
Spyware and banking trojans: KoSpy, Anatsa and company
The campaigns of spyware and banking trojans These factors have forced Google to react with particularly forceful measures in recent months. A recent example is malware. KoSpy, detected by the security company Lookout and associated with the North Korean group APT37 (ScarCruft), with possible connections to the APT43 group (Kimsuky), specializing in international espionage.
KoSpy is capable of collect SMS messages, call logs, locations, audio recordings, and screenshotsThis makes any infected mobile phone a source of extremely sensitive information, both personally and professionally. Some of the apps containing the malware had managed to slip into the Play Store, forcing their immediate removal once the threat was discovered.
Something similar happens with Trojans like Anatsa (also known as TeaBot)which masquerades as legitimate apps and can steal banking credentials and intercept verification codes. In recent sweeps, Google has removed around 180 applications related to this type of malware, which totaled more than 56 million downloads among them all.
Although the most dangerous specimens are no longer available in the official store, many of them are offered in external repositories, unofficial websites, or links received via SMS, email, or messagingThat's why Google insists so much on keeping Play Protect enabled, avoiding the installation of apps from unknown sources, and Follow tips for installing safe and trusted apps outside of Google Play.
A report from University College London emphasizes that applications installed via sideloading are often request excessive permissions and better conceal their presenceThis poses a significant risk to those managing corporate or confidential data on their mobile devices. Therefore, in professional environments, it is almost always recommended to limit app installations to the Play Store and a catalog of apps supervised by the IT department.
Highly downloaded malicious apps: iRecorder, media players, game clones, and more
Another worrying aspect is that many apps have dubious intentions They have managed to accumulate hundreds of thousands or even millions of downloads before their true nature was detected. The cybersecurity company Kaspersky tallied some significant cases in 2023 alone, with over 600 million combined downloads on Google Play of apps with malicious behavior.
A striking example is iRecorder, which was launched in 2021 as a simple tool for recording the screen of the phone. For a while it behaved as promised, but in August 2022 it received an update that added malicious code. From then on, the app He recorded audio fragments of about 15 minutes every so often and sent them to the servers of their creators. By the time the behavior was uncovered, it had already exceeded 50.000 downloads.
In another campaign, they discovered 43 applications with generic names such as TV/DMB Player, Music Downloader, News or CalendarAmong other things. Its trick was to run in the background and display ads on the screen even when the user turned off their phone, with the consequent excessive battery and resource consumptionTogether they had over 2,5 million downloads.
The Minecraft clones They have also been a popular infection vector. Apps were detected that had accumulated around 35 million installations and that concealed the HiddenAds component, responsible for displaying hidden or unclosed ads. Although they seemed harmless at first glance, they ended up clearly impairing device performance and opening the door to other abuses.
In all these cases, the experts' recommendation is clear: invest in a reliable security solution that is able to detect this type of behavior, not blindly trusting something just because it's on Google Play, and before downloading, investigate the developer's history and reputation.
Signs that an app may be dangerous and how to act
All these examples share a series of symptoms that you can detect in your daily life. If you notice abnormal system slowness, excessive battery drain, or unexplained overheatingIt's a good idea to review the latest apps you've installed.
Other typical warning signs include sudden appearance of pop-up advertisementsStrange changes to your home screen, new icons you don't remember installing, or apps that won't uninstall normally. If you're unsure, it's a good idea to run a scan with a trusted Android antivirus and review your list of installed applications, looking for unfamiliar names.
If you find a suspicious app, the recommended course of action is uninstall it as soon as possible, revoke the permits granted (especially access to messages, calls, camera, microphone, and location) and change important passwords, particularly banking or critical service passwords. If you believe company information may have been compromised, it's best to inform the relevant department.
As basic preventative measures, in addition to maintaining Play Protect enabled and the operating system updatedIt's important to avoid unsecured public Wi-Fi networks, be wary of suspicious links received via messaging apps or emails, and read reviews and ratings from other users before installing anything. Although Google's filters have improved significantly, Self-monitoring remains the first line of defense.
All this effort by Google—from AI detection and mass removal of harmful apps to the expulsion of repeat offenders and the tightening of quality policies—has significantly raised the bar for the security and reliability of the Play Store, but it has also made it clear that attackers don't stop: they change tactics, buy legitimate accounts, disguise malware in updates, or rely on junk apps and clones to sneak in. Understanding these Common cases of app removal on Google Play, their reasons and warning signs It is, to this day, one of the best ways to navigate the Android store wisely and minimize the risk of ending up installing something that turns your phone into a data sieve or a machine for making fake clicks.
