Yes, some Android apps can be malicious — Apple, Microsoft, and the media seem happy to remind us about this. Take a few basic precautions and you can avoid these potentially dangerous apps.
Google doesn’t manually approve apps like Apple does, but they do scan apps in the Google Play Store for malware. Permissions, reviews, and other reputation information can also tell us a lot.
It’s Not In the Play Store
Android allows you to install apps from outside the Google Play Store thanks to sideloading. This extra freedom allows for more choice — like the ability to install apps from the Amazon App Store, if you prefer — but it also opens up extra risks. Just like on Windows, Mac OS X, or Linux, you can get software from anywhere on the web and install it. And, also like on desktop operating systems, people can write malicious apps and distribute them via the web.
As we mentioned in our overview of whether Android antivirus apps are worth using, most malicious Android apps come from outside the Google Play Store. If you download a pirated app from a shady website, you shouldn’t be surprised if it brings malware onto your system.
Google doesn’t have a human review each application before it appears on the Play Store, but it does run automated scans to catch apps that behave maliciously. If an app you installed from the Play Store is later found to be malicious, Google can remotely remove it from your device. Attackers distribute dangerous apps outside the store precisely so they can get around this protection.
Android does now offer to scan apps for malware when you install them from outside the Play Store, but — like any antivirus solution — this isn’t perfect. If an app isn’t available on the Play Store, that’s a warning sign and you shouldn’t install the app unless you have good reason to do so. If you do install an app from outside the Play Store, be sure to allow your device to scan it for malware when you’re prompted. Leave the Verify apps setting enabled to have Android perform regular scans for malicious apps. If Android warns you about an app, uninstall it.
Its Permissions Don’t Make Sense
Some apps request too many permissions. For example, if a simple flashlight application requires permission to read your address book, access your location, and connect to the Internet, this is awfully suspicious. The app could upload the contents of your address book along with your location to an advertising network’s servers. If an app requests the ability to send SMS messages and it shouldn’t need this permission, the app may try to send SMS messages to premium-rate numbers and run up charges on your cell phone bill.
Permissions are a serious problem in the Android ecosystem: apps often request too many, and there’s no easy way to deny individual permissions without rooting your device, as there is on Apple’s iOS. It’s common to come across apps that ask for more permissions than they need, and often that’s because the app really is sending your phone number, address book, and location to an advertising network’s servers so it can track you and serve you ads.
Be sure to keep an eye on permissions when installing apps. If an app you don’t trust much requires too many permissions, that’s a red flag that the app will potentially abuse those permissions. Apps can request access to additional permissions when they update, but you’ll have to agree to the update manually.
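The permission check described above can be done mechanically on the APK itself rather than by eyeballing the install screen. The following is an added example (not code from the original article): it assumes you have the app’s decoded AndroidManifest.xml (for example, after running apktool on the APK, which turns the binary manifest back into plain XML), compares the declared permissions against what the app’s stated purpose should need, and flags the combination the article warns about: sensitive data access plus network access. The sample manifest and the per-app-type expectation lists are constructed for illustration.

```python
"""Audit the permissions an Android app declares against its stated purpose.

Added example, not part of the original article. Input is a decoded
AndroidManifest.xml (e.g. from apktool). The SAMPLE_MANIFEST below is
constructed for illustration: a "flashlight" app asking for far more than a
flashlight needs.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest for a hypothetical flashlight app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.FLASHLIGHT"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <application android:label="Super Bright Flashlight"/>
</manifest>
"""

# Permissions each kind of app plausibly needs. These sets are illustrative
# assumptions for the example, not an authoritative reference.
EXPECTED = {
    "flashlight": {"android.permission.CAMERA", "android.permission.FLASHLIGHT"},
    "messaging": {"android.permission.INTERNET", "android.permission.READ_CONTACTS",
                  "android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
                  "android.permission.READ_SMS"},
}

# Permissions worth explaining when they show up unexpectedly.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "read your address book",
    "android.permission.ACCESS_FINE_LOCATION": "track your precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "track your approximate location",
    "android.permission.SEND_SMS": "send SMS, e.g. to premium-rate numbers",
    "android.permission.READ_SMS": "read your text messages",
    "android.permission.GET_ACCOUNTS": "enumerate accounts on the device",
    "android.permission.RECORD_AUDIO": "record with the microphone",
    "android.permission.INTERNET": "send data off the device",
}

NETWORK = "android.permission.INTERNET"


def declared_permissions(manifest_xml):
    """Return the set of permission names a decoded manifest requests."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def audit(manifest_xml, app_type):
    """Return (unexpected, findings) for a manifest and an app type.

    unexpected: sorted list of declared permissions not in EXPECTED[app_type].
    findings: one explanation per unexpected sensitive permission, plus a note
    when sensitive access and network access appear together, since that is
    the pattern behind uploading contacts/location to an ad network.
    """
    declared = declared_permissions(manifest_xml)
    unexpected = sorted(declared - EXPECTED[app_type])
    findings = [f"{p}: lets the app {SENSITIVE[p]}" for p in unexpected if p in SENSITIVE]
    sensitive_data = sorted(p for p in unexpected if p in SENSITIVE and p != NETWORK)
    if sensitive_data and NETWORK in declared:
        findings.append("Network access plus " + ", ".join(sensitive_data)
                        + ": the app could upload that data to a remote server")
    return unexpected, findings


if __name__ == "__main__":
    unexpected, findings = audit(SAMPLE_MANIFEST, "flashlight")
    print("Unexpected permissions:", unexpected)
    for finding in findings:
        print(" -", finding)
```

Run it against the decoded manifest of an app you are unsure about and pick the app type that matches what the app claims to do; anything in the unexpected list is a question the developer should be able to answer, and the network-plus-data finding is the one that most often means tracking rather than a sloppy developer.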
Installs, Reviews, and Reputation
As with desktop applications, it’s important to evaluate whether an app is trustworthy before you give it access to your system. On Android, this means looking at how many times an app has been installed and reading its reviews. If an app has been installed by just 50 people and has negative reviews, it probably isn’t worth your time and may well be malicious.
On the other hand, if an app has four-to-five-star reviews and has been installed by more than a million people, that app is much more likely to be trustworthy. Of course, this isn’t always true — some bad apps manage to trick a large number of people into installing them and reviewing them well.
The reputation of the developer also matters. An app made by Google is probably safer than an app made by some person you’ve never heard of. An app created by an organization you’re familiar with — your bank, for example — is probably more trustworthy than an organization you’ve never heard of.
The permissions system also comes into play here. Let’s say you want to install a little app and that app requests no permissions at all. There is far less it could abuse even if it wanted to, since it can’t read your contacts, your location, or your messages, and can’t send anything over the network. On the other hand, if that tiny app required permissions to access your contacts, accounts, location, SMS messages, and other sensitive data, you should view it with much more suspicion.
As with any software, there’s no foolproof way to know whether an app is malicious. Stick with apps from Google Play, if possible. Pay attention to permissions, the number of times an app has been installed, the reviews, and the general reputation of the developer.