Google banned almost 120k spam developer accounts in 2020 for the play store (googleblog.com)
100 points by tumblewit 3 days ago | 67 comments

How to Lie and Distort with Statistics 101:

1. Use absolute numbers or percentages depending on whichever sounds higher;

2. Don't put absolute numbers in context. For example, is that 119k out of 500k or 500M?

3. Only mention false positive rate if it's really low;

4. Only mention false negative rate if it's really low;

5. Don't be afraid to retroactively include data in your featured set. For example, classifying accounts banned for other reasons as spam accounts;

6. Only mention time frames if it helps your case. For example, if those accounts had been operating for a mean of 3 years then say nothing about that.

I'm not saying any of the above are true but after having seen thousands of these pronouncements, my mind automatically goes to start asking what isn't being said here.

I remember seeing this first hand at Google with the cutbacks in food (cafes and microkitchens). There were statements about "we saved $100m". That's an absolute number that sounds large. It actually amounted to something like $2/employee per day for a noticeable decrease in both quantity and quality to the point where people complained. Was that really worth it? Probably not.

Tbh, I think this blog post is pretty content free and I'm unsure what merit other people are seeing in it. It's a fluff piece put out by the play store team to toot their horn about the work that they've accomplished last year. I get why they'd be proud of it, but I'm not sure what actionable information the public is supposed to derive besides, "Hey, we are doing stuff."

That being said, I don't think there's any intent to mislead here. The numbers could be more complete and detailed, but even if you had relative numbers (e.g. "we banned 119k, which is X% of all developer accounts") what could you do with that information? If it were 20% would that be too low? Too high? What if it were 1%? Since you don't know the ground truth fraction of spam accounts, and you don't know how well a similarly situated generic team of devs would do, I don't think there's much use you can get out of this knowledge.

The merit people are seeing is the editorialized title, which lets us have yet another repetitive discussion about account bans.

This funny stat stood out to me as well:

"Additionally, in 2020, Google Play Protect scanned over 100B installed apps each day"

Are there really 100B unique apps? Or are they saying they scanned some much smaller number of apps, that happen to be "installed" on a shite ton of phones? Why is the number of installs relevant to how many unique apps were scanned on a cloud server somewhere?

Edit: I'm assuming "Play Protect" just uploads a hash of the binary and makes sure that particular binary has been previously scanned?

App installs. I think Play Protect is like anti-virus. I think it also works on apps outside of the Play Store, which makes more sense since it can't just be a server-side thing.

7. Use common dictionary words like “spam” despite having a specific in-house definition for what that means.

I’ve read way too many examples of “Google closed my account for <speculation> with no recourse and won’t provide any details” just here on HN alone.

For me the value in seeing this kind of actual numbers is that it puts into some kind of perspective the reports of falsely terminated accounts.

If you are terminating accounts at this level, then it is - at least for me - a bit more understandable that you can't conduct a deep human review of each termination (and even if you do, there would be still likely some mistakes).

If they can't do it fairly, correctly, and quickly, they shouldn't be permitted to do it and profit from it at all.

I mean, can anyone do things fairly, correctly, and quickly? I don't think that's even possible.

Thanks for this succinct and useful list. :)

I'm fascinated by the social cost of these spam accounts and apps. Who is installing these apps? What are the spammers getting out of them? Who is writing them? How much economic damage is being done by these apps, if you tried to sum it up?

To be honest, when I look at the mobile ecosystem, it seems to me that a pretty large fraction of the "legitimate" apps are barely better than spam. Most of the best freemium and gacha games are pretty terrible, and I can only imagine how bad the bad stuff is.

Fortunately, there's a filter that can exclude free apps on Google Play. Seems to me, especially in the games department, it behooves you to turn that on. If you do, you generally won't be affected by pseudo spam or actual spam.

I would go further and state that many legitimate apps are not any better than some spam. While they may present these apps as providing some sort of service, they also collect data that they have no right to.

That being said, many illegitimate apps are based upon pure misrepresentation. It sounds like that is the type of app that Google's press release was targeting, rather than the nebulous area where most people have differing opinions on what is legit or otherwise.

>What are the spammers getting out of them?

How did you think gift card scammers cashed them out?

Never thought about it, although now I can see the possibility. That said, is the aggressive wording of your comment really necessary?

Fake politeness is a form of disrespect too.

Rude and fake polite are not the only two choices. We should try for genuine politeness and charity.

>How do you think gift card scammers cashed them out?

There wasn't anything rude there. Merely pointing out an overlooked facet.

Rude would be sprinkling in "What are you, daft? Never been out of your bubble?", or a similar insult on the end.

Unfortunately, the money laundering scene being what it is today, I wouldn't be surprised if more than a few mobile games were nothing but thinly veiled links in a laundering scheme. I certainly see enough game clones nowadays that are nothing but ad delivery frameworks with a thin veneer of genuine artistic credibility tacked on top that I can see games have shifted from being true labors of love to financial instruments.

The Socratic method of questioning is not rude. It won't make you many friends; but it isn't rude.

Even looking at just the paid games still has spam, or spam-lite I suppose. This next sentence might sound too cynical, but it's real for me - Are there any good mobile games that aren't just a mindless-repetitive-task, engineered dopamine drip, with micro-transactions?

Sure! Cultist simulator, Civilization, Kingdom Rush, Bad North. Many other good examples. Now, if you're just talking about games that are available on mobile platforms only, then the crowd gets substantially thinner. I theorize that this is because if you have a game that can compete on PC, you'll put it there, and not have it be mobile only. And there are precious few gaming styles that work best on a tiny mobile phone screen.

I don't care, Play Store is completely broken from both the user's and more so from the developer's perspective. I feel at this point they should declare a "review bankruptcy" and either scrap the review process or start over with a new inventory.

I had the displeasure of publishing a few client apps recently. The pointless bureaucracy of it all reminded me of the worst interactions I ever had with the government and banking establishments.

Apple: rejected, we couldn't find the Apple Pay feature

Me: it's on the checkout screen

Apple: ok then, accepted

At least Apple has a pretty fast turnaround.

Despite all this theatre, both app stores have become wastelands of broken and scammy apps to the point I never go there unless via direct link from a trusted outside source.

> Despite all this theatre, both app stores have become wastelands of broken and scammy apps to the point I never go there unless via direct link from a trusted outside source.

So basically you're installing apps from links on web-pages on the open web, like back in the days on desktop PCs.

But on all platforms they are now increasingly forcing those links to be in walled garden app-stores, which restricts both the user and developer.

I really hope some anti-trust verdict comes tearing those walls down, and then we can go back to just linking to our apps again.

Just taking the first example in this list, the new COVID-19 rule, do you remember when Google banned the most popular Android Podcast app for a few days? Of course the Google Podcasts app wasn't banned during the same period:


For what it's worth, Google Podcasts is so unbelievably bad that I think it's unlikely that anyone there remembers it exists

I gave it an honest try but it lacks a lot of important features. I also get the distinct feeling it will be going the way of Inbox and get folded into some other service or just not updated anymore.

I am running some bigger apps. One way of finding copies of your app is by sending package info to your server when the app starts. Package info contains the package name, which is for example 'my_business.my_app.com'. I just did a select distinct on package names and found about 250 package names with a slightly different name. The copy guy changed the package name and republished it. Some of these clones have more than 50k installs. Most of these copied apps are no longer available. In fact, at this point in time none exist. I guess Google auto-detects clones and removes the accounts. I understand the big number shared.
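The server-side check described in the comment above, as an added example that is not part of the original comment or the commenter's code: it runs the "select distinct on package names" idea over app-start telemetry and ranks unexpected package names by distinct installs. The table layout, the `install_id` field, the function name and the sample rows are assumptions constructed for illustration; only the official package name is taken from the comment.

```python
import sqlite3
from difflib import SequenceMatcher

# Official package name as given in the comment above.
OFFICIAL_PACKAGE = "my_business.my_app.com"

# Constructed sample telemetry: (package_name, install_id) per app start.
SAMPLE_STARTUPS = [
    ("my_business.my_app.com", "a1"),
    ("my_business.my_app.com", "a2"),
    ("my_business.my_app.com", "a1"),   # same install starting twice
    ("my_business.my_app2.com", "b1"),  # constructed clone name
    ("my_business.my_app2.com", "b2"),
    ("my_business.my_app2.com", "b2"),
    ("my_business.my_app2.com", "b3"),
    ("my_busines.my_app.com", "c1"),    # constructed clone name
]


def find_clone_packages(rows, official=OFFICIAL_PACKAGE):
    """Return (package_name, distinct_installs, similarity) for every
    reported package name that is not the official one, most installs first."""
    db = sqlite3.connect(":memory:")
    try:
        db.execute(
            "CREATE TABLE app_start ("
            "package_name TEXT NOT NULL, install_id TEXT NOT NULL)"
        )
        # Parameterised insert: the package name is client-supplied input.
        db.executemany("INSERT INTO app_start VALUES (?, ?)", rows)
        cursor = db.execute(
            "SELECT package_name, COUNT(DISTINCT install_id) AS installs "
            "FROM app_start WHERE package_name <> ? "
            "GROUP BY package_name "
            "ORDER BY installs DESC, package_name",
            (official,),
        )
        report = []
        for package_name, installs in cursor:
            # Similarity to the official name helps triage: near-identical
            # names suggest a republished copy rather than unrelated noise.
            score = SequenceMatcher(None, official, package_name).ratio()
            report.append((package_name, installs, round(score, 2)))
        return report
    finally:
        db.close()


if __name__ == "__main__":
    for package_name, installs, score in find_clone_packages(SAMPLE_STARTUPS):
        print(f"{package_name}\tinstalls={installs}\tsimilarity={score}")
```

The package name here is reported by the client itself, so a copy whose author removes or alters the reporting call will not appear in this table.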

How many in error? How many of those filed support requests that were never responded to by a human?

Also how many of those were "spam" accounts banned for repetitive content policy violation, but the _repetitive_ apps were long unpublished (it's unclear if Google requires them to follow all new policies, but there are reports that they do)? Anecdata, but for example: https://www.reddit.com/r/androiddev/comments/91x2ow/got_my_a...

Many and probably none.

I have seen absolutely absurd cases of apps being deleted from the store for completely bogus reasons. Their bots make wild assumptions of wrongdoing and are judge, jury and executioner.

droidscript.org wasn't!

Legit, no (known) spam, 7y old, educational .. and destroyed by bots

Meanwhile, Google only gives temporary bans on apps and developers that are found to be malicious only to allow them back on to the Play store after removing offending code. (Or should I say obfuscating the offending code)

All of this reminds me of one of the best GDC talks ever given: https://www.youtube.com/watch?v=E8Lhqri8tZk

This is like the Defcon of awesome geekiness conferences.

I've seen many awesome presentations from GDC. There should be an awesomelist collecting these.

As I post this, four of the top ten apps on the Kenyan PlayStore are in clear violation of Google's own rules on payday loan apps and the current number one looks suspiciously like a pirate streaming service.

I can't say that I understand the scale of moderating the PlayStore and as others have mentioned, this blogpost is vague with its numbers. Judging by what I can see, the current system is not doing enough.

How many of those were automated bans because some other related account was taken down?

Shouldn't the title phrase it as "allegedly spam ...". Or, have these been adjudicated?

I don't think you can ask anyone to adjudicate 120k T&S account bans, and if Google pays someone to do so, you just end up with a company incentivized to not defy Google.

Can't we? I mean even if it took 5 hours to adjudicate each ban, and Google offshores the adjudication at $10 per hour, you are looking at about $6m in cost.

With a more aggressive speed of 1 review per hour and a USA based review team, you are looking at a team of about 60 reviewers. At $60k per reviewer, you are talking $3.6m.

Hardly a big ask for a company with annual revenue over $180 billion, making $30 billion in revenue from Play Store alone.

The article mentions close to 1.1 million apps (962k for policy, 119k for malice/spam), so those efforts are off by an order of magnitude. Then the question is whether it represents that much benefit to Google. Keep in mind that Google is a business. They don't have to concern themselves with being just. They only have to worry about their reputation and operating within the confines of the law. Keep in mind that legitimate violations may be more of a liability to Google than the revenue generated by approving it (be that the sale of an illegal product or of something that violates their policies).

OP that I was replying to was specifically talking about the feasibility of manually checking the 120k account bans, so I'm not off by an order of magnitude. I'm not suggesting all automatic checks are replaced with manual checks anyway, in fact the suggestion was a manual system for appeals, which would be much lower than the total number flagged.

I think your message pretty much gets to the same place though:

* Could Google do manual checks for appeals? Yes - absolutely. Even if it costs them $30 million to review, this is still tiny in the scheme of things (c0.01% of app store revenue). Never mind the fact that these developers had to pay to be on the platform in the first place.

* Would it be best for Developers if Google did it? Yes, it would give developers a chance to appeal and lower the number of absolute horror stories we hear.

* Does Google want to do it? No, because Google only cares about profit and doing the minimum it can get away with.

Google is judge and executioner. There is no presumption of innocence, you're guilty if they say you're guilty.

How many false positives?

How many of those accounts wouldn't have been created if it cost $99 to make one?

Bizarre why this is down-voted as it addresses the root issue. I'd love a software world where I'm actually the customer (with a voice via my wallet).

I'm pretty sure it's downvoted precisely because it doesn't address the root issue; Google developer accounts cost money, too, albeit less.

$99 seems to be beyond the "grab'em en-masse" pricepoint. For one Apple dev account, you could get 5 Google dev accounts.

It does at least raise the bar on how much you need to make from an account before it gets shut down. If each account was making $50 before getting canned then it wouldn't make sense at $99/account.

This of course assumes they aren't just stealing credit card numbers and using those to sign up. In that case the higher account price is not much of a barrier.

Another way to look at this is Google made $2.4M off of these spammer accounts. Not a lot for a Google sized company, but it's still not nothing.

How much do they make off a set of scam/spam apps? If it's at least a 10x margin over the $99 fee, it just seems like a likely gamble for being worth it. If it's 100x, then it's overhead cost.

At that point, it only hurts legitimate indie devs who aren't gaming the system.

> only

Well, it would also be hurting all the unprofitable spammers and the spammers who aren’t willing to gamble with $100 to begin with. Like everything, there are just trade-offs rather than good vs bad extremes.

Unprofitable scammers sounds like a problem that has already solved itself

Apple is 99/year

Google is a one time payment.

Google should stop this whack-a-mole approach and find a better approach.

I think a developer reputation system is much better and far cheaper for Google.

This is why I'm ok with Apple charging $99 for a distribution developer account.

I'm sure you're ok with it, but it doesn't have the effect you think it has:


The effect we think it has is to reduce the number of scams, not eliminate them.

No, it just means you select for people willing to run a scam sophisticated enough to recoup the developer fee, the ones who don't care and have money to burn anyway, and you shut out every aspiring app writer/contributor with a decent idea who is strapped for cash.

Never, ever underestimate the determination of someone in need of a way to economically do nefarious things. Financial barriers are no barrier at all if you do it right. Tenbux is more for presenting a barrier to anyone without access to a digital payment medium than anything else.

> you select for people willing to run a scam sophisticated enough to recoup the developer fee

And it filters the rest.

> you shut out every aspiring app writer/contributor with a decent idea who is strapped for cash

Lots of hobbies are expensive. There are plenty of avenues left for a cash strapped developer overflowing with ideas to explore.

> And it filters the rest.

If this is a goal, reduce the number of scams, then OK. If the goal is to reduce the percentage of people scammed or how much scammers extract from the platform, I'm not convinced those are met. And that's even before talking about the other sides of the tradeoff.

I'd expect scams to be significantly more profitable than other apps, so the higher startup price mostly affects non scammers

The effect I think it has is to reduce the number of spam accounts from the 120K that Android has. I did not think it eliminated fraud on iOS.

You still see news of scams and spam on the App Store daily and you can easily buy already verified developer accounts in bulk online to participate in those scams, so it's clearly not working as "security".

It's always been an ecosystem bribe.

Since those accounts cost $99+ I would be surprised and demand proof if you suggested that they were available for less than list price. There are too many examples of a simple entry price being used successfully to limit spam and filter bad actors out of a community (or at least raising the bar to the point where the cost/benefit ratio is unattractive.)

Got a source for the bulk verified apple developer accounts?

I wouldn't call SomethingAwful a success story, so where else did you have in mind? All tenbux did was raise the bar for minimum effort involved in shitposting, and add a thin veneer of elitism to the mix.

Unless you're talking other places that shall not be named; in which case those have a very different kind of gatekeeping to be concerned about.

Worked for metafilter, and any fee that raises the bar for sock puppeting, shitposting and other such behaviors is a good thing. Elitist? So be it.

Maybe they could create some type of verified developer program. The current fee would stand but there would be an additional fee to cover more in depth checks and for developers who pass the checks, they get a blue check mark. Only blue check mark accounts should be able to pay for promotion in the Play Store.

That's what the program essentially is, it's free to signup as a developer, $99 if you want to distribute and then they do a BSN check etc. to verify you.

There just isn't a "free and can distribute apps" tier. If you want to put an app in the store you need to get verified.

google charges 20
