Trending Algorithm Vulnerable to Download Inflation

[khoadng]

Problem

The trending algorithm calculates scores purely from download counts without validating download legitimacy. This allows package authors to artificially inflate their package rankings.

Impact

• Legitimate trending packages get displaced
• Users may discover artificially promoted packages instead of genuinely popular ones
• Trending recommendations become unreliable for package discovery

Evidence

Check https://pub.dev/packages?sort=trending - the first page is full of packages created by the same publisher in less than 5 days.

Click to expand

[isoos]

@khoadng Thanks for reporting this! It seems like a doctored trend, though they have managed to get some likes too, which requires a few google accounts or some kind of campaign.

The team should look into it and adjust the algorithm (though it is vacation-time, may not happen right away).

[creyt2012]

Thank you for clarifying the matter. We would like to emphasize that this testing scenario had been communicated to Google in advance. Our intention was never to violate any policy but rather to assess potential user harm in a controlled environment. We hope this context will be taken into consideration during the review process.