How to spot a fake Android app?

  • CERT Admin
  • Tue May 28 2019
  • Cyber Guardian Blog



Just because an app is in the Google Play Store doesn’t mean that it is a legitimate app. Google is constantly removing fraudulent apps from the Android marketplace, such as fake antivirus, browsers, and games. 

Besides Google Play and other app markets, there are many other ways that fake apps can get onto your Android device. Scammers will try any means necessary to trick you into installing one. Criminals send emails and SMS messages that appear to come from your bank, credit card company or other well-known brands to trick people into downloading applications that compromise their data. Sometimes fake apps pose as security updates, and clicking the links in such messages can likewise lead to your information being stolen. 


If you're an Android user and you receive an unexpected SMS, a strange alert or notification, or unusual requests from what may seem to be your bank or other familiar brand, beware: criminals may be trying to rip you off. 

Although fake apps that look legitimate can sneak into the official app stores, there are typical warning signs to watch out for before you download and install. 

Check for typos - Before you tap "get" or "install" on an app, double-check the title and developer name for typos, however small. Remember that the developers of the fake WhatsApp app tweaked their developer ID ever so slightly so that it resembled the real developer's name. 

Check for bad grammar - Another blatant red flag is bad grammar. Why? A good number of these fake apps appear to come from non-English speaking Asian or Russian developers. Broken English in the app's description is a typical indicator that it's fake. 

Check the numbers - Always check the download stats. If an app of a popular service like Facebook or WhatsApp has an unusually low download figure, then it's most likely a fake app. 

Check reviews - User reviews can help too, to some extent. Although fake reviews (both positive and negative) can skew an app's rating, user comments can still provide vital information about it. 

Superfluous permissions - Before you install an app, ANY app, please check all the permissions it's asking for first. Fake apps will bombard you with a long list of permission requests so they can trick you into granting them more than what's required. For example, if a simple camera app or a GIF creator starts asking for administrator permissions, delete it immediately! 

Verify apps with Google Play Protect - Google Play Protect is a security program that was rolled out to Android devices last year. It scans and verifies every app available in the Google Play Store, then keeps scanning installed apps for changes in behaviour and warns you about any security dangers they might pose. 
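The "typos", "numbers" and "permissions" checks above can be applied mechanically to the metadata of a store listing. The script below is an added example written for this post, not code from Sri Lanka CERT or from Google Play; the allow-list of official developer names, the install-count threshold and the three sample listings are constructed for illustration, while the permission strings are real Android permission names. It treats a developer name as a look-alike when it matches an official name only after Unicode normalisation (invisible or compatibility characters stripped) or is within two edits of it, so it catches the kind of near-identical developer ID described for the fake WhatsApp app. Grammar and review quality are left to the human reader.

```python
# Added example, not from the original post: heuristic checks for a Play Store
# listing that mirror the "typos", "numbers" and "permissions" checks above.
# The developer allow-list, install threshold and sample listings are constructed.
import re
import unicodedata

# Constructed allow-list of official developer names for popular services.
KNOWN_DEVELOPERS = {"WhatsApp Inc.", "Facebook", "Google LLC"}

# Real Android permission names that a simple utility app has no reason to request.
HIGH_RISK_PERMISSIONS = {
    "android.permission.BIND_DEVICE_ADMIN",           # device administrator
    "android.permission.BIND_ACCESSIBILITY_SERVICE",  # can read and act on any screen
    "android.permission.READ_SMS",                    # one-time passcodes sent by SMS
    "android.permission.RECEIVE_SMS",
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; small values mean a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _normalise(name: str) -> str:
    """Fold compatibility characters, drop all Unicode whitespace, lower-case."""
    return "".join(unicodedata.normalize("NFKC", name).split()).lower()


def lookalike_developer(name, known=KNOWN_DEVELOPERS):
    """Return the official name that `name` imitates, or None.

    An exact match is trusted. A name that only matches after normalisation
    (for example an extra invisible space) or is within two edits is flagged.
    """
    if name in known:
        return None
    norm = _normalise(name)
    for official in known:
        if levenshtein(norm, _normalise(official)) <= 2:
            return official
    return None


def audit_listing(listing, known=KNOWN_DEVELOPERS, min_installs=1_000_000):
    """Return a list of human-readable warnings for one listing dict."""
    findings = []
    title, developer = listing["title"], listing["developer"]

    # Legitimate apps do not put "Update" in their name.
    if re.search(r"\bupdate\b", title, re.I):
        findings.append("title contains 'Update'")

    imitated = lookalike_developer(developer, known)
    if imitated:
        findings.append(f"developer name resembles '{imitated}' but is not identical")

    # A title that names a popular service should come with a matching install count.
    brand = next((k for k in known if k.split()[0].lower() in title.lower()), None)
    if brand and listing["installs"] < min_installs:
        findings.append(f"claims to be '{brand}' but reports only {listing['installs']} installs")

    risky = HIGH_RISK_PERMISSIONS & set(listing.get("permissions", []))
    if risky:
        findings.append("high-risk permissions: " + ", ".join(sorted(risky)))
    return findings


# Constructed sample listings: one genuine, one impersonation, one over-privileged utility.
SAMPLE_LISTINGS = [
    {"title": "WhatsApp Messenger", "developer": "WhatsApp Inc.", "installs": 1_000_000_000,
     "permissions": ["android.permission.CAMERA", "android.permission.RECORD_AUDIO"]},
    {"title": "Update WhatsApp Messenger", "developer": "WhatsApp Inc.\u00a0", "installs": 50_000,
     "permissions": ["android.permission.INTERNET", "android.permission.BIND_DEVICE_ADMIN"]},
    {"title": "Simple GIF Maker", "developer": "Tiny Tools Studio", "installs": 5_000,
     "permissions": ["android.permission.CAMERA", "android.permission.BIND_DEVICE_ADMIN"]},
]

if __name__ == "__main__":
    for item in SAMPLE_LISTINGS:
        print(item["title"], "->", audit_listing(item) or ["no warnings"])
```

Run as a script it prints no warnings for the genuine listing, four for the impersonation (the "Update" title, the near-identical developer name, the low install count for a WhatsApp-branded app, and the device-administrator permission) and one for the GIF maker that asks to be a device administrator.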


Check the App Name and Developer 

Take a close look at the app name and the developer. In the case of the fake WhatsApp, the developer name was visually identical, but the name of the app should’ve raised a red flag—I can’t think of a single time a legitimate app added the word “Update” to its name.  

Even better, Google Play Protect will not only safeguard you from malicious Google Play apps but it will also monitor and scan apps downloaded from third-party sources. 


What to Do if You Spot a Fake App? 

If you happen to spot a fake app, there are things you should do (aside from, you know, not installing it). The first is to report it—let Google know it’s a fake! To do this, scroll to the bottom of the page (regardless of whether you’re on the web or mobile) and click or tap on “Flag as Inappropriate.” 

On the web, this will take you to a Google Play help page—which is actually sort of annoying—where you’ll need to also click on the “report inappropriate developer reply form” link, and fill it out accordingly. 

Fortunately, it’s a lot easier on mobile. After you click on Flag as Inappropriate, choose the reason why you’re reporting the app—for fakes, use the “Copycat or Impersonation” option. 

Tap submit, and it’ll get shipped off to Google, which will (hopefully) review it. 

Now that you’ve done your part, share this info! Post it on Twitter, Reddit, Facebook, or wherever else you frequent. The absolute best thing you can do is raise awareness, because then more people will report the app for fraudulent activity. 


What can you do to protect yourself? 

Unsolicited texts, emails, or sudden notifications that appear to be from a bank, retailer, or other known institution may not always be what they seem. Use caution with any link delivered to you and always read the message first. Instead of using the link supplied in the message, go directly to the website in question and log into your account the way you would normally. If the message seems particularly worrisome, call the company directly to verify the information before acting online. 


Always remember to think before you click. Even when you feel pressured to install an app with a single tap, it is better to take the time to remind yourself of the signs that an app may be fake. 

An easy protection step everybody should take is to open your Android settings and make sure that installing apps from unknown (untrusted) third-party sources is not allowed. 

Norton Mobile Security App Advisor for the Google Play Store, which is included in Norton Mobile Security, provides comprehensive, proactive protection from the threats on today’s mobile Internet landscape. App Advisor allows users to examine the behaviours of an app before actually downloading it to the device. It scans apps in the Google Play Store looking for features that can invade privacy, display annoying or intrusive behaviours such as pop-up ads, excessive battery usage, or unnecessary data usage. It will also detect if an app contains malware or is malicious in nature. 



Dhanushka Atimorathanna 

Dhanushka is an undergraduate at the Sri Lanka Institute of Information Technology, following a Bachelor of Information Technology specialising in Cyber Security. She is currently working as an Intern - Information Security Engineer at Sri Lanka CERT|CC. 

Last updated: Tue May 28 2019