Beware! That App You’re Downloading Might Not Be Real

Some apps aren’t what they seem

  • Cybercriminals are duplicating real smartphone applications and inserting malware. 
  • Android users are most at risk from fake apps. 
  • The best way to avoid fake apps is by only downloading applications from approved app stores.
Malware Detected Warning Screen with abstract binary code 3d digital concept

Olemedia / Getty Images

The next app you download might look legitimate but actually contain harmful code that could steal your personal information. 

A new report finds that cybercriminals are duplicating real smartphone applications and inserting malware. Cybersecurity firm Pradeo found that hackers are using fake apps outside the official Google Play Store from over 700 external websites with third-party app stores. It's part of a growing industry of real apps that contain malicious code. 

"Popular apps with millions of downloads—such as Angry Birds, for example—are prime targets for cybercriminals," Ray Kelly, a fellow at the cybersecurity firm NTT Application Security told Lifewire in an email interview. "These apps are a direct copy or similar style as the original game to entice users to download it and are typically found in unofficial app stores and are sideloaded without any protections, leaving an unsuspecting user vulnerable."

Think Before You Download

The Pradeo report warns that Android users are most at risk from fake apps. There are more unregulated app stores for Android phones because the design of Google's Operating system means that it's easier to download apps from outside of Google's Play Store. 

The researchers said they had identified many copies of official applications, including Spotify, ExpressVPN, Avira Antivirus, and The Guardian. The app makers claim the software is free of charge, but in fact, they infect mobile devices with malware, spyware, and adware.

"Code vulnerabilities and a lack of good security practices make it easy for hackers to copy and inject code into mobile applications."

In one example, the researcher reported finding hundreds of modified versions of the original Netflix application online. More than simply impersonating the company's name and logo, the interface of the fake Netflix apps looks nearly the same as older versions of the original. The counterfeit apps had all been injected with malware, spyware, or adware. 

"Code vulnerabilities and a lack of good security practices make it easy for hackers to copy and inject code into mobile applications," the report's authors wrote. "By impersonating well-known applications, counterfeit apps trick users into stealing their personal information and committing various frauds."

Users that try to dodge system requirements are often the ones who end up with a fake app. Android users might find that their phone is either too old or unsupported by the Google Play Store, so they go to one of the third-party sites to download the application they are looking for. 

"While individuals think they are getting a legitimate copy of an app, in certain instances, these clones are not vetted by any security organization and are, in fact, used to steal login and banking credentials by criminals," T. Frank Downs, the senior director of proactive services at cybersecurity company BlueVoyant told Lifewire in an email interview. "As a result, everyday users can think they are using a banking app, or a purchasing app, but in fact are handing over key information to these cybercriminals."

One way fake apps propagate is through scammers taking out ads on social media sites, posing as legitimate businesses, Downs said. However, when users click the ad, they are directed to a fake site to download an APK file. Sometimes, attackers will even reach out through messaging apps, like WhatsApp, and help victims install the malicious code. 

Cropped image of computer hacker with smart phone and a computer.

Vasily Pindyurin / Getty Images

Staying Safe

The best way to avoid fake apps is by only downloading applications from approved app stores, such as the Google Play Store and the Apple App Store. You should never download applications provided by people or organizations you don't know, Downs said. 

However, sometimes malicious applications can bypass the official app stores' security checks, Michael Covington, the vice president of portfolio strategy at the cybersecurity firm Jamf noted in an email interview. 

"Users should always look closely at applications listed on the official app stores for critical clues," Covington said. "Does the app icon look right? It should match official company branding. Does the developer information look right?"

Take some time to look at the app's official company website, Covington said. Be wary if the user reviews look fake or are they negative. You should read through the most recent reviews, along with those that are negative, to familiarize yourself with what others have said. 

"Don't rely on the most popular reviews displayed as that can be tampered with," Covington added. "These are all good signs the app is not the real one."

Was this page helpful?