They found that developers often store their secret keys in their app's code, similar to usernames/passwords info.
These can be then used by anyone to maliciously steal user data or resources from service providers such as Amazon and Facebook. These vulnerabilities can affect users even if they are not actively running the Android apps.
Google Play has more than one million apps and over 50 billion app downloads. "But no one reviews what gets put into Google Play, anyone can get a $25 (Rs. 1,475) account and upload whatever they want. Very little is known about what's there at an aggregate level," said Jason Nieh, professor of computer science at New York-based Columbia Engineering.
PlayDrone scales by simply adding more servers and is fast enough to crawl Google Play on a daily basis, downloading more than 1.1 million Android apps and decompiling over 880,000 free applications.
"We have been working closely with Google, Amazon, Facebook and other service providers to identify and notify customers at risk, and make the Google Play store a safer place," informed Nicolas Viennot, a research student at Columbia Engineering.
Google is now using the team's techniques to proactively scan apps for these problems to prevent this from happening again in the future, he added in a paper presented at the ACM SIGMETRICS conference.