The Google Play Store is not the only way to download Android apps. Third-party marketplaces give you access to apps that are not available on the Play Store, as well as paid apps for free. By sideloading these apps, you’re risking your personal data.
Sometimes apps on the Play Store are not safe either. They can ask for a host of permissions to access data they don’t strictly need and push ads to track you. While Google works hard to keep harmful apps out of the store, you should take precautions too.
We’ll show you how to avoid potentially dangerous apps on Android.
1. Avoid Installing Apps From Unknown Sources
The Play Store is the safest place to browse and install Android apps. Google employs a variety of security mechanisms and ensures that apps you download are safe. One such mechanism is Google Play Protect, which works in the background to scan apps from the Play Store and unknown sources.
To check the status of Play Protect on your device, open the Play Store and tap Menu > Play Protect. Then check the status of Recently scanned apps and toggle the Improve harmful app detection option to send unknown apps to Google for further review, if you like.
Sideload Only When Needed
Sideloading is the process of installing an app (via an APK file) on your device from sources other than the Play Store. When you sideload an app, you bypass Play Store protections and can put thus your device at risk from various security threats. There are both legitimate and illegitimate reasons for sideloading an app.
Good reasons for sideloading:
- You might want an app in your local language or to fulfill a particular task targeted for your region.
- The app is not available in the Play Store because of geo-restrictions or its policies. Also, you may want to install an older version of a particular app if the new one starts crashing or removes features you need.
- You want a free and open source app without ads and trackers.
Poor reasons for sideloading:
- You don’t want to pay for an app, because it’s available for free on third-party app stores or random websites.
- Downloading modded streaming apps for watching free movies and TV shows illegally.
Risks You Might Encounter When Sideloading
The majority of malware comes from outside the Play Store. Since an app’s source code contains the malware, you won’t know about its malicious behavior beforehand. Infected apps are usually distributed as pirated apps, repackaged legitimate apps, or even through drive-by download attacks in a browser.
A repackaged app is mostly original, but modified with new functionality. Developers usually add new ad libraries to steal or reroute ad revenue. In some cases, you might see a repackaged app with a malicious payload.
This payload can toggle the GPS switch in the background to spy on your location, send texts to premium numbers without your consent, and more. When a user taps an in-app banner ad by mistake, it can redirect the user to a malicious website with a fake video downloader or battery analyzer app. These spoofs use familiar icons and interfaces to gain trust and steal personal information.
What to Ask Before Sideloading
- Is this app from a trusted source or a legitimate website?
- Is this the developer’s official website?
- Does it come from a reputable developer or publisher?
- Have other people used this app?
Verifying this information is easy. Search Reddit, browse XDA forums, and ask the community about the app or website. Researching this will ensure that the app is safe to use.
2. Avoid Third-Party App Stores
While third-party app stores can be great, not all marketplaces are the same. Many of them do not require developer registration to submit their apps. They often lack security controls, strict policies, and quality control, so it’s easier to download malicious apps.
The Safest Third-Party App Stores
There are two marketplaces where you can download apps for free without worrying about any security issues.
F-Droid is an app store for free and open source Android apps. It’s a community-run software project developed by a wide range of contributors. The documentation page list all the FAQs and support for releasing your app on the F-Droid store.
There’s an entire page of security model and architecture to validate the integrity of the store and keep you safe from malicious apps. Also, the apps on F-Droid cannot use any proprietary Play Services, analytics, or ad libraries. They have a specific set of policies and strict application review process too.
APKMirror is not an app store, but a community-run software project that curates only high-quality apps. It lets you install apps that are not available on the Play Store due to geo-restrictions, provides old versions of popular apps along with their changelogs, and allows instant updates to apps that roll out slowly. It also has a strict policy and security model for including apps.
3. Cross-Check App Permissions With AppBrain
Since Android Marshmallow, you grant apps individual permission to access certain data or features as needed. Before installing any app, you must take a complete look at permissions the apps want.
At the bottom of every app’s info page, you’ll see a section labeled Permission details. But this is only a basic summary. Such a simple explanation does not illustrate the way an app actually uses the permission.
That’s where the app AppBrain Ad Detector can help. This app detects all annoyances, such as push notifications, homescreen spam, and apps with privacy concerns. It also tells you the details of the ad network and tracking libraries apps use.
Once installed, go to Edit Settings and Enable live mode. It’ll then scan all newly installed apps and show notifications of annoyances and concern when appropriate. Tap Show Apps to display apps by concern or alphabetically. You can also tap Show Concerns and sort apps based on concerns, ad networks, social SDKs the app uses, and more.
Alternatively, go to AppBrain Stats on your computer and enter an app name in the search box. Then click on the app’s page to see an in-depth analysis. Take note of the app’s age and last updated date, the frequency of updates, permissions the app uses, and ad networks the app uses.
Based on this information, you can decide whether to install or skip the app. AppBrain will also suggest related apps, so you can find an alternative that has a good score and fewer permissions.
4. Review the App Listing Page
Checking whether an app does what it claims to do is a good way to weed out problematic apps. Sometimes, detecting abnormal behavior is not easy. A behavior considered malicious in one app may be a feature of another app. Pay close attention while taking a look through the app listing page.
Read the App Reviews
Instead of looking at the number of stars, read the reviews and pay attention to what users are saying. If an app is working well enough, but users complain about permissions it asks for in the recent update, then do more research. Change the review sorting from Most helpful first to Newest first, and under Options, choose Latest version. This will show the newest reviews for the current update.
Some developers buy fake reviews, but you can spot them. A genuine review will include problems with an app, and the reviewer might share their opinion too. Also, note if the developer responds to those reviewers or not. Reviews have their share of problems too, and you should not trust app ratings blindly.
Read the App Description
The description should highlight and describe the key features of the app. Look for signs of professionalism, including proper sentence structure, clean grammar, and a lack of spelling errors. A reputed developer will usually explain major features instead of simply listing them. Most also include a feedback link and explain what their apps do.
The Play Store policy suggests that screenshots should show off the best and most essential features of your app. If the screenshot is stolen from the legitimate listing, showing more generalized images of the interface, that’s a warning sign.
Check the Published Date and Download Count
Take a quick look at when the app released and how many people have downloaded it. A recently released app from a small developer should not have a huge number of downloads. Such behavior could indicate phony downloads.
If the download count is low, that app may have enrolled in the Early Access program. This usually suggests legitimacy, as scammers wouldn’t bother with early access.
Examine the App Developer
If you’re not sure about the authenticity of the app, then verify the developer name. It shows right below to the app’s name. Tap the developer’s name to bring up its page with other apps it has published. If you see a single app (especially with a mismatch in the download count and published date), then beware.
To see if an app is a copycat, check the spelling. For example, WhatsApp Messenger is developed by WhatsApp Inc. If you see “WhatsUp” or “WhatzUp Messenger,” skip it. Reputable developers will have a website, information about other apps, social media pages, and contact details.
5. Always Install System Updates
Google releases monthly security updates for Android. Ideally, you should install the updates as they arrive because they protect your device against specific vulnerabilities malicious apps try to exploit.
However, not every mobile manufacturer releases timely updates. Thus, your buying decision with your next phone should consider whether the device will receive support for at least two years of major upgrades, plus periodic security updates.
Avoid the Obvious Scam Apps
Google is doing best to keep malicious apps away. It frequently tweaks the Store policy and bans apps that violate these guidelines. If you take the precautions discussed here, you’ll stay safe.
As you might imagine, some apps on the Play Store are totally unnecessary, so you shouldn’t even should bother installing them. Check out some scam apps you need to avoid.