Tales from the spam filter of an Android app developer

Publishing on Google Play requires you to publish a contact email address as well. Publishing a contact address means you get spam mail. The spam you get via the Play contact address is scary.

A typical “security advice” from Android experts Blogs where 90% of the posts are are covert advertising, disguised as device reviews is, that you should only install apps from Google Play because… … yeah, well, why exactly? Safety? Don’t make me laugh!

My spamfolder, heartily disagrees with the opinion that Play is a safe place. I regularly get mail from various shady companies that obviously crawl Play for developer contact addresses in order to spam them with “lucrative business proposals”.

Most of these proposals fall into the “integrate our SDK” category and come from analytics/advertising companies, trying to pitch some gimmick as the holy grail of turning DAUs (Daily Active Users) into cash. Sure thing. In most cases that means integrating some tracking bullshit in your app and earning fractions of a cent per active user, while taking the heat in case the tracking bullshit doesn’t comply with the Play TOS after all. Totally love it when these spammails are full of tracking code themselves.

Then there is the “Sell us your app” category, aimed at app developers who have tried all of the “integrate our SDK” proposals already and, miraculously, managed to neither get rich nor banned from Play. The offer always reads as if even the most unsuccessful app could still be converted into cash, but on closer inspection, you are actually just offered peanuts per active user (usually 10 to 20 cents). Great! a few hundred bucks for something, I worked on for months? Also, I not only get ripped off, but my reputation is also likely going to suffer, once they start integrating their SDK? Sign me up… NOT!

The third and final category can only be summarized as “creative”. That’s where stuff gets (un)real as the bandwidth of offers ranges from obviously amoral to potentially illegal. It’s where the spammer suggests ad alternatives like mining Bitcoin or, my personal favourite, wants to turn the user’s device into a network relay for a proxy/VPN service.

So, tell me, what does this say for the trustworthiness of the Play Store?

Google build the Android App ecosystem entirely around the “free with ads” model. Even if we were to assume that adware is not spyware (and therefore, by extension malware), we’d still have the the problem that the ad model only works for apps with wide-coverage and a lot of screen time. Only a tiny fraction of the apps can even hope to archive that. What will developers who can’t monetize their apps likely do, when the devil comes knocking at their door with an offer to buy their users souls? Right!

As long as App Developers can’t make money from their work, they are an easy target for those shithead companies. Automatically crawling Google Play for contact addresses of fairly obscure apps and spamming their developers is actually child’s play. Some will bite. For the companies it is pretty much risk free to (get) their shady SDK deploy(ed). In case the app gets banned from Play afterwards, it’s not a loss. There will always be more developers ready to sell out. Even if Google goes berserk with the ban hammer. It’ll only ever hit strawman.

TLDR: Everyone claiming that Play is a safe source for apps is a blithering idiot! Appstore apps are ticking timebombs at best. If you are fond of a particular app, better keep a backup of the APK file. Raccoon can help you there.