
A guide to spotting Android scam and malware apps

Google has gradually got better at pulling apps from the Play Store that are demonstrably harmful to your phone. That doesn’t mean, however, that such an app can’t find plenty of victims before it is killed. If you’re going to explore the Play Store in search of the next big app, you still need to go in with a healthy dose of scepticism: the people looking to take advantage of users get better at projecting a façade of legitimacy all the time. With a little preparation, and just a few seconds per app, you can avoid most of them.

The 60 second check

Unless you were linked to an app by a reputable source, it is good policy to give its listing page a once over. This doesn’t need to be an in-depth analysis that requires you to cancel appointments and ignore your loved ones – just take 60 seconds to check for a few common red flags.

Your first order of business is to check the app’s popularity as Google Play reports it. Ratings normally grow with installs, so an app showing many thousands of installs but only a handful of ratings has scammer written all over it: the install count has probably been bought or inflated, which is a cheap way to push an app up the search results and in front of more users. Also be wary of a brand-new app with a very large number of 5-star ratings.

Even if you do see a reasonable number of positive reviews, check whether they were all posted in a short period. If the app is new, work out whether every review arrived immediately after it hit the store. For anything other than a new Angry Birds game or the like, that smacks of a developer paying for reviews. The web version of the Play Store sorts reviews by date with a single click, which makes this easy to spot.

The other thing to check in the reviews is a pattern of similar wording, or the same grammatical errors repeated. It’s not that the Internet at large has excellent grammar, but you should be able to tell at a glance when the written reviews are too alike to have come from different people.
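The three review checks above (install count versus ratings, a burst of reviews in a short window, and reviews that share the same wording) can be scripted once you have copied a listing's numbers and reviews into a file. The following is an added example, not code from the original article: the install count and the six reviews are constructed for a hypothetical listing, and every threshold (one rating per thousand installs, 80% of reviews inside 48 hours, word overlap of 0.5, three overlapping pairs) is an assumption to tune rather than a figure the article gives.

```python
"""Review-listing red flags from the 60 second check, as code.

Added example, not part of the original article. The install count and
reviews below are constructed for a hypothetical listing; all thresholds
are assumptions.
"""
from datetime import datetime, timedelta
import re

_WORD = re.compile(r"[a-z']+")


def install_review_mismatch(installs: int, rating_count: int,
                            max_ratio: int = 1000) -> bool:
    """True when installs outnumber ratings by more than max_ratio to 1."""
    if rating_count == 0:
        return installs > 0
    return installs / rating_count > max_ratio


def review_burst(timestamps, window=timedelta(days=2),
                 share=0.8, min_reviews=5) -> bool:
    """True when at least `share` of the reviews fall inside one `window`.

    Sliding window over the sorted timestamps; j only moves forward, so
    this is linear in the number of reviews.
    """
    ts = sorted(timestamps)
    if len(ts) < min_reviews:
        return False
    best, j = 0, 0
    for i in range(len(ts)):
        while j < len(ts) and ts[j] - ts[i] <= window:
            j += 1
        best = max(best, j - i)
    return best / len(ts) >= share


def _words(text: str) -> set:
    return set(_WORD.findall(text.lower()))


def near_duplicate_pairs(texts, min_jaccard=0.5):
    """Index pairs of reviews whose word sets overlap (Jaccard) >= min_jaccard.

    Catches "same review with the punctuation shuffled" templating; it is
    deliberately blind to word order.
    """
    sets = [_words(t) for t in texts]
    pairs = []
    for i in range(len(sets)):
        for j in range(i + 1, len(sets)):
            union = sets[i] | sets[j]
            if union and len(sets[i] & sets[j]) / len(union) >= min_jaccard:
                pairs.append((i, j))
    return pairs


def review_red_flags(installs: int, reviews, min_dup_pairs=3):
    """Run all three checks; reviews are (ISO-8601 timestamp, text) tuples."""
    flags = []
    if install_review_mismatch(installs, len(reviews)):
        flags.append("installs_vs_ratings")
    if review_burst([datetime.fromisoformat(t) for t, _ in reviews]):
        flags.append("review_burst")
    if len(near_duplicate_pairs([text for _, text in reviews])) >= min_dup_pairs:
        flags.append("templated_reviews")
    return flags


# Constructed sample: a listing claiming half a million installs, five
# near-identical five-star reviews inside 48 hours, and one real complaint.
SAMPLE_INSTALLS = 500_000
SAMPLE_REVIEWS = [
    ("2024-03-01T09:12:00", "Best flashlight app ever, works great and very fast!!"),
    ("2024-03-01T09:40:00", "best flashlight app ever works great and very fast"),
    ("2024-03-01T11:05:00", "Works great, best flashlight app ever, very fast!"),
    ("2024-03-02T08:30:00", "Five stars. Best flashlight app ever, works great."),
    ("2024-03-02T14:00:00", "Awesome app, best flashlight ever, works great!"),
    ("2024-03-20T19:45:00", "Kept asking for my contacts, uninstalled."),
]

if __name__ == "__main__":
    print(review_red_flags(SAMPLE_INSTALLS, SAMPLE_REVIEWS))
```

On the constructed sample all three flags fire; a listing with a few hundred organic installs and reviews spread over months produces none. Word-set overlap is crude on purpose: it is enough to catch pasted templates, and a stricter order-sensitive comparison would let a reviewer-for-hire slip through by reshuffling the same phrases.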

If the ratings and reviews look legitimate, or simply aren’t there yet, move on to the developer’s website. A Play Store listing normally includes a link to the developer’s site. Follow it and make sure it leads to a real web page for the developer or the app. An app that exists only to harvest your data is unlikely to be backed by a legitimate site; these links often point at a dead address or just redirect to the Google homepage. As you can probably guess, that is a big red flag.

If everything above looks in order, there is one more thing to check. Ideally this is the fastest step, because most bad apps will already have been filtered out. Open the permissions section of the listing and make sure the app isn’t overreaching.

Don’t worry about location permissions – even free apps use them for ads. You may not like it, but a location request on its own is not a sign of a scam or malware app; if you avoid location-aware apps for privacy reasons, that is a separate matter. Likewise, Internet access on its own tells you little, since almost every ad-supported app needs it. What should make you pause is a simple app (a torch, a wallpaper pack) that also wants to read your browser history, Google accounts, contacts, SMS or phone identity: together with Internet access, those are exactly what an app needs to collect your data and send it somewhere. Think about what the app actually does, and if the permissions don’t match, that is a red flag as well. On Android 6.0 and later the more sensitive permissions are requested at runtime and can be refused individually, but the listing still shows everything the app may ask for, so it remains the quickest place to check.
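If you have the APK rather than just the listing, the same permission check can be done from the manifest. The following is an added example, not code from the original article: it parses the text that `aapt dump badging <apk>` prints (aapt ships with the Android SDK build-tools), the badging text is constructed to look like that output for a hypothetical torch app called com.example.torch rather than taken from a real APK, and the baseline of what a torch app should plausibly need is an assumption.

```python
"""Permission overreach check for the last step of the 60 second check.

Added example, not from the original article. Parses `aapt dump badging`
output; the sample badging text and the torch-app baseline are constructed
assumptions, not a real APK.
"""
import re

# Permissions that reach the data the article singles out. Location is left
# out on purpose: ad-supported free apps routinely request it, so it is not
# a red flag on its own. INTERNET is also not listed: almost every app has
# it, and it matters only as the exfiltration path for the permissions below.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.WRITE_CONTACTS": "contacts",
    "android.permission.GET_ACCOUNTS": "Google and other accounts",
    "android.permission.READ_PHONE_STATE": "phone identity (IMEI, number)",
    "android.permission.READ_CALL_LOG": "call log",
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS (premium-rate fraud)",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "browser history",
}

# What a hypothetical single-purpose torch app plausibly needs (assumption).
TORCH_BASELINE = {
    "android.permission.CAMERA",
    "android.permission.FLASHLIGHT",
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.ACCESS_COARSE_LOCATION",
}

_USES_PERMISSION = re.compile(r"^uses-permission: name='([^']+)'", re.MULTILINE)


def parse_permissions(badging_text: str) -> list:
    """Requested permissions, in manifest order, from aapt badging output."""
    return _USES_PERMISSION.findall(badging_text)


def overreach(permissions, baseline) -> dict:
    """Requested permissions outside the app's baseline that are in SENSITIVE,
    mapped to a short note on what each one exposes."""
    return {p: SENSITIVE[p] for p in permissions
            if p not in baseline and p in SENSITIVE}


def verdict(badging_text: str, baseline) -> dict:
    """Summary the way you would read it off the listing: can data leave the
    phone (INTERNET), and which sensitive data can the app reach."""
    perms = parse_permissions(badging_text)
    over = overreach(perms, baseline)
    return {
        "requested": len(perms),
        "can_exfiltrate": "android.permission.INTERNET" in perms,
        "overreach": over,
        "red_flag": bool(over),
    }


# Constructed sample in the shape of `aapt dump badging` output.
SAMPLE_BADGING = """\
package: name='com.example.torch' versionCode='3' versionName='1.2'
sdkVersion:'14'
application-label:'Super Torch'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.FLASHLIGHT'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_COARSE_LOCATION'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.GET_ACCOUNTS'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='com.android.browser.permission.READ_HISTORY_BOOKMARKS'
"""

if __name__ == "__main__":
    for perm, why in verdict(SAMPLE_BADGING, TORCH_BASELINE)["overreach"].items():
        print(f"{perm}: {why}")
```

For the constructed torch app the verdict flags contacts, accounts, phone identity, SMS sending and browser history while leaving the coarse location request alone, which is the judgement the paragraph above describes. To run it on a real APK, feed `aapt dump badging app.apk` into `verdict` with a baseline written for that app's declared purpose.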

In an ideal world, every app on the Play Store would be fully trustworthy, but this world is not ideal. It is well worth taking one minute to check an app before installing it on your phone. You may be unlikely to run into one of the really sleazy SMS Trojans, which quietly send premium-rate texts from your phone, but coming across an app whose sole purpose is stealing your data is, sadly, plausible enough.

For more on Android security, see: 4 Android security settings you should use.