Robert Triggs / Android Authority
One spring afternoon, I received a call from my mom. My dad was facing an issue with his phone, specifically with a PDF that wouldn’t open. Despite the native office suite supporting PDFs on his mid-range HONOR, the document just refused to load. During his admirable but misguided attempts to fix the issue, he downloaded four random yet similarly named PDF apps from the Play Store. However, as I would come to discover, he hadn’t downloaded these apps deliberately — he had been conned into it.
From bloatware to deceitful ads to app installations
Downloading these apps didn’t solve his issue, though. Even with these apps and the preinstalled WPS Office at his disposal, the PDF still wouldn’t open. At this point, I thought the document itself might be at fault. Either way, this wasn’t a simple issue, made more complicated by trying to diagnose over the phone.
Nevertheless, I took it step by step, starting with the usual troubleshooting suggestions. I told them to uninstall the apps and instead download a well-established app, like Adobe Reader. Even if it’s not the best solution, I know that it works, and it would be difficult to mistake it for something else. This seemed to work for a while.
A few days later, my dad called me with the same problem. However, this time he mentioned something significant. He’d been receiving an alert message after each attempt: “Unable to read file. Try updating your PDF application,” with an “Update now” button attached. You can see the image below. That sounds pretty official to an unsuspecting user, right? Almost like a system alert with instructions that, if followed, would fix the issue, hmm? Well, no.
As you may have noticed, the alert was an advertisement, and upon realizing this, everything fell into place for me.
Every time my dad tried to open a PDF, WPS Office’s splash screen would appear, displaying the ad disguised as a system message, as outlined above. He’d tap it, and the ad would direct him to a new PDF reader; he’d then download it, hoping it would fix his problem. He thought he was doing the right thing, but instead, he was being misled.
Ironically, what solved the issue for good was uninstalling Office on my father’s phone. After this, the splash screen that displayed the “alert” no longer appeared, and PDFs opened without issue.
Ads on Android should not resemble app update or system messages.
Fortunately, this ordeal ultimately proved to be a valuable learning experience. There was no stolen info or financial repercussions, and my dad’s phone functions normally to this day. However, I was pretty upset.
Imparting blame here is difficult. Yes, my dad had the agency here, but I can’t explicitly blame a user who isn’t familiar with Android’s pitfalls for falling into one. According to a recent Malwarebytes report, only 15% of users it sampled feel confident about identifying scams. I don’t need to reiterate that that’s terrifyingly low.
I’m well aware that managing apps and ads across millions of devices can be a challenging task. Suppressing malicious content is like playing digital whack-a-mole. Nevertheless, I was angry at WPS Office for placing this ad. I was livid at HONOR for including a subpar default app that served up deceitful ads, much like day-old dining hall food. But the company I was most aggrieved with is Google.
Android can be a dangerous place if you’re unfamiliar with it
It’s far too easy to fall for scam ads on Android, for Android OEMs to install low-quality apps on their devices, and for cookie-cutter apps to proliferate and thrive on the Play Store. This is nothing new, though.
For more than a decade, the Google Play Store has been a haven for shovelware, as demonstrated by the nebulous, cookie-cutter PDF products my dad downloaded.
According to a recent report from security firm Zscaler (via BleepingComputer), Google’s app repository still contains hundreds of malicious apps that harbor trojans and backdoors, affecting users annually. While the company is planning to restrict unverified developers on Android in the hopes that this will shore up the platform, the call is clearly coming from inside the house. The Play Store and the apps on it need to be viewed with a far stronger microscope.
To be as balanced as possible, it’s not as if Google sits idly by as malicious apps walk past it. The company actively investigates its repository and culls malicious apps. The most recent notable instance of this was in March when it removed over 180 apps with a combined 56 million downloads, all found to be complicit in advertisement fraud. That’s great, but unfortunately, the same decade-long problem persists, and Google’s efforts don’t seem to be making a significant impact.
Even if Google can’t protect every single user from nefarious apps, it can at least make the Play Store safer and easier for more casual users. Even as someone who trawls it for a living, I find its UI is overwhelming and often confusing; its search features misplace and misdirect, and its ads, disguised as genuine app listings, dupe users into downloading apps they weren’t even looking for.
While the PDF apps my dad downloaded didn’t appear inherently dangerous, they absolutely could’ve been. This highlights the other major issue at play: deceitful advertising practices.
Ads are not inherently evil. When subscription fees and one-time payments are frowned upon, ads offer developers a steady way of accruing a living. Advertising is a necessity. However, when this requirement is abused by bad actors who push scam content to unsuspecting users, a line must be drawn. Blocking ads is fast becoming a necessary security measure.
Even if Google can’t protect every single user from nefarious apps, it can at least make the Play Store easy for casuals to use.
Annoyingly, this wouldn’t be an issue if Google treated its advertising policies as rules rather than guidelines. On its public-facing app ad requirements page, Google notes that ads in Android apps “should prompt the user with the expected action whenever options are confusing or ambiguous.” The apparent system alert that my dad encountered did nothing of the sort.
Finally, let’s not forget the other elephant in the room: bloatware. My dad isn’t app-savvy, nor are millions of Android users. He’ll use whatever app is readily available, even if the preinstalled option serves dodgy ads. Notably, it took me some time to determine where the ad was originating. You’d think that default apps installed on a phone you just purchased wouldn’t lead you astray.
OEMs should be held to higher standards and ensure that the apps made available out of the box adhere to Google’s advertising policies. Google could certainly exert more pressure on OEMs in this regard as well.
How to protect non-techies from the dangers on Android
I’d be naive to suggest that Google and OEMs could fix Android overnight. If anything, these issues have persisted for over a decade and have worsened over time. Experienced Android users may be well aware of the pitfalls lying in wait on Android, but they’re hidden from those who don’t know better. As much as it’s Google’s responsibility to “do better,” we also have the power to help others navigate these issues.
Here are some of the best ways to arm these users against these scenarios.
Uninstall as much bloatware as possible
The first thing I should’ve done on my dad’s phone was uninstall the bloatware and install trusted alternatives. Unfortunately, I wasn’t available when he set up the device. Nevertheless, if you have the opportunity to do this for a friend or family member, take it.
In reality, a better solution would be to purchase a smartphone from an OEM that doesn’t preload masses of ad-laden apps on its devices, but hindsight is 20/20.
Educate, educate, educate
Next, it’s essential to educate more casual users about Android — including how ads are utilized on the platform, why altruism is not every developer’s goal, how to use the Play Store effectively, and which products are worth installing, among other key aspects. It’s also vital to help them identify a scam.
In my dad’s case, highlighting the details that an advertisement may have as opposed to a system alert will help him draw his own conclusions in the future.
Block unnecessary content where possible
To avoid in-app ads entirely, I would suggest employing my solution: installing a systemwide ad-blocker on their phones.
I use Blokada, which sets up an internal VPN and filters traffic based on block list matches, but there are a host of other options. The easiest option is to use Android’s built-in Private DNS feature. If you want to block certain apps from accessing the internet, NetGuard is a good shout.
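As an added illustration (not part of the original article, and not code from Blokada, NetGuard or Android), this Python example shows what "filtering on block list matches" means for a DNS lookup: the filter parses a list of ad-serving hostnames and refuses any query for a listed name or one of its subdomains. The hosts-style list format, the parent-domain matching rule and every domain name in it are assumptions constructed for the example.

```python
# Added example: a DNS-name block list filter. All domains below are
# constructed samples under the reserved ".example" TLD.

SAMPLE_BLOCKLIST = """\
# constructed sample in hosts-file style
0.0.0.0 ads.tracker.example
0.0.0.0 popup-cdn.example   # trailing comment
127.0.0.1 localhost
metrics.vendor.example
"""

def parse_blocklist(text):
    """Return the set of blocked domains from hosts-style or plain-domain lines."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        # hosts style is "<sink address> <domain>"; plain lists carry only the domain
        domain = fields[1] if len(fields) >= 2 else fields[0]
        domain = domain.lower().rstrip(".")
        if domain not in ("localhost", "localhost.localdomain"):
            blocked.add(domain)
    return blocked

def is_blocked(query, blocked):
    """True if the queried name or any of its parent domains is on the list."""
    labels = query.lower().rstrip(".").split(".")
    # Test "a.b.c", then "b.c"; stop before the bare TLD so a stray
    # single-label entry can never block an entire top-level domain.
    return any(".".join(labels[i:]) in blocked for i in range(len(labels) - 1))

def filter_queries(queries, blocked):
    """Map each queried name to the decision the filter would take."""
    return {q: ("BLOCK" if is_blocked(q, blocked) else "ALLOW") for q in queries}

if __name__ == "__main__":
    rules = parse_blocklist(SAMPLE_BLOCKLIST)
    lookups = ["img.ads.tracker.example", "tracker.example",
               "Popup-CDN.example.", "docs.vendor.example"]
    for name, verdict in filter_queries(lookups, rules).items():
        print(f"{verdict:5} {name}")
```

Exact-match-only filtering would let `img.ads.tracker.example` through, which is why the check walks up the parent domains; the sibling `docs.vendor.example` stays reachable because only `metrics.vendor.example` is listed.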
Review permission settings
Finally — and I cannot stress this enough when discussing this with friends and family — regularly review their permissions settings. I used to do this regularly for my parents while I still lived at home, and it’s as simple as viewing which apps can access their microphone, camera, and other essential permissions.
To ensure apps don’t overreach, cull back any stray permissions every month or so.
Even though my parents are now well aware of Android’s pitfalls, I’m counting the days until they next see an advertisement disguised as an essential system alert. This time, I think my dad will know just what to do.
While it’s the user’s prerogative to educate themselves about the potential risks when using Android (and indeed the digital world), it’s also up to OEMs and Google to help protect these users as best they can. OEMs should ensure that the preinstalled software they load on their devices is at least vetted and trustworthy. Meanwhile, Google has a responsibility to remove low-quality apps from the Play Store and clamp down on companies that abuse the ad system.
