When downloading an app from the Google Play store, you are likely unaware, unless you’re an app developer, of the Google Developer Policy that an app must adhere to in order to be listed and made available for download.

The policies are well-documented, publicly available documents and are there to protect users and developers alike. Restricted content, intellectual property, privacy, security, deception and monetization are among the many topics covered.

As a diligent cybersecurity company, ESET frequently notifies Google’s policy team when it identifies apps that have malicious intent, so they can be removed. However, bad apps slip through the automated compliance processes by using evasion techniques. Our research into malicious apps is often published here on WeLiveSecurity. A few recent examples include Banking Trojans and fake finance apps.

We proudly consider ourselves a contributor to keeping users safe from the malicious endeavors of cybercriminals flouting Google Play Developer Policy. This is also demonstrated by our partnership that provides Google with the technology to protect Chrome users against unwanted software.

Like all policies, these need to be flexible enough to change and adapt, taking into account new legislation and acceptable behavior; they also need to be modified to counter bad developers who find ways to do things that are not in the spirit of the policy.

A recent change to the Permissions Policy has caused some of our own security-focused apps to fall foul of the policy. The specific issue concerns the SMS permission group, which gives an app the ability to read, write, send and receive SMS messages. The new policy states that an app is required to be the default SMS or assistant handler on the device to be granted these permissions. So only an app that’s replacing the default SMS messaging abilities on the device can be granted the permissions.

The change was made to protect user privacy and to stop apps from misusing access to SMS messages and abusing the user’s privacy. On first reading it seems…