Is your new app what it seems? How to spot the latest Android scams

Spotting “bad” apps on Android is not always easy - with cybercriminals finding new tricks every month to fool phone and tablet users into downloading malware.

Spotting “bad” apps on Android is not always easy – with cybercriminals finding new tricks every month to fool phone and tablet users into downloading malware.

Spotting “bad” apps on Android is not always easy – with cybercriminals finding new tricks every month to fool phone and tablet users into downloading malware.

Even if you use “safe” stores such as Google Play or Amazon’s app store, it’s still possible to be ripped off – or worse. Even if an app looks like one you know, and has five-star ratings, it could be dangerous. Android malware is on the rise around the world this year – in just one “purge” of its Play Store, Google removed 60,000 “bad” apps. ESET Security Evangelist Stephen Cobb analyses some of the risks in a detailed blog post here.

Below are some of the warning signs you should look out for before downloading a new app.

Beware if an app you’re waiting on arrives early

Cybercriminals read the news – and target fake versions of apps around the release dates of real, eagerly anticipated apps. For instance, scammers released a version of BBM – BlackBerry’s instant messenger software – on a rumored release date for the software on Android this year. BlackBerry had previously said that the rumor was wrong – but that didn’t save 100,000 users from downloading the app, which delivered unwanted adverts to users, and didn’t work at all.

Beware “free” versions of famous apps

The predictive typing app Swiftkey records your keystrokes to “learn” your writing style – so it was only natural that cybercriminals would pirate it, and add a keylogger, which uses the function to steal your private data instead. “Free” versions of the app appeared quickly on pirate sites – infecting users foolish enough to download. Sites offering “free” APKs of famous, top-selling apps can offer the same app, but modified to add other functions including adware and keyloggers. Swiftkey’s own report highlights how easy it is to be fooled.

Too good to be true? It probably is
Android users have clamored for a version of the hit PC game FTL – so when one popped up on Google Play, people downloaded. The app even had a high star rating – but only because it forced users to give a high rating before downloading. It was swiftly removed, but not before hundreds of users have been fooled. FTL’s developers had previously said there would be no Android version. If something pops up that seems to be a dream come true, read the reviews, and search outside of the store you’re buying for – otherwise you could be in for a nightmare.

Think like you’re shopping on eBay

Not everything on Google’s Play Store can be trusted –  apps aren’t approved before appearing on the store. This means that some “scammy” or Trojanised apps DO appear on Play. The key is to think like you’re shopping on an unregulated marketplace like eBay. Are there good ratings for this app? Do the developers have any other apps? What does their website look like? What do the reviews say? Apps without any star ratings are usually bad news.

Don’t be fooled by “bargain” sites

There are thousands of sites offering “free” Android apps – many of them disguised as “review” sites, where the review is in fact copied and pasted from Google Play’s description, and the site’s aim is to lure you into downloading a “free” version of the app. Any site offering free APKs of popular Android titles should be regarded with extreme suspicion. If you stick to sites such as Google Play, Amazon’s App Store and GetJar, you will be much safer – although “bad” apps can still sneak into those.

Good apps can “turn bad”

Be wary of in-app purchases – some apps use these to direct users to unsafe sites. A recent Android app (since removed) offered users a selection of fonts, all of which were available as in-app purchases  – but although the download links said they were downloads from Google Play, they pointed instead to a remote site, and downloaded spyware onto the machine. Be absolutely certain where you are buying from.

Read through every app’s permissions

The “App permissions” screen which pops up when installing a new app is important – don’t skip past it. Spammy or scammy apps will request access to large amounts of information – all your text messages, or all network communications. If an app is requesting a huge amount of information, and it’s just a screensaver, alarm clock or photo editor, don’t install.

Don’t assume a five-star rating means it’s OK

It’s worth taking the time to read a couple of reviews – some spammy apps “force” users to give a five-star rating before downloading, so that they’ll appear highly rated. If you read the reviews channel, though, you’ll see it’s full of users furious at being conned.

Google’s “Verify Apps” can help

Verify apps was introduced in Android 4.2 – and it’s a useful last line of defense against scammy apps or Trojans. It can be enabled under Settings, Security – and offers a warning if an app may harm your device. It’s also worth noting that while allowing your device to install apps from unknown sources can be useful – for instance, if your workplace “pushes” out a work app – it’s safer to keep this option off until you need it.

Sign up to receive an email update whenever a new article is published in our Ukraine Crisis – Digital Security Resource Center