When I review apps, I'll oftentimes end up downloading at least one or two "bad" apps that either lied about their functionality or were riddled with ads. These apps, while not as harmful as malware, can still be a major headache. This got me thinking about the other bad apps on the Play Store and how to avoid them.
It is no secret the Google Play Store has a malware problem. However, what's talked about even less is the number of apps designed to either bombard you with ads or capture your data using batch permissions and various other methods. These apps are far more prevalent and are not always removed from the Play Store.
Below, I've listed six habits you can implement to avoid these bad Android apps. With each group, we'll look at a certain type of app and tell you what preventative measures you can take to avoid them. This list can't cover all the bad apps on the Play Store individually, so you'll still need to be cautious, but we've also included recommendations at the end to further improve your ability to navigate the murky Play Store waters.
The Play Store has been synonymous with malware such as worms, ransomware, and adware since its inception. Over the years, Google has implemented new steps to combat this problem, the biggest being Play Protect. The new program acts as an antivirus scanner that analyzes all apps on the Play Store before they're installed on your device. As a result, Google was able to take down 700,000 bad apps in 2017, a 70% increase from the previous year.
The problem is Play Protect's antivirus scanner is pretty mediocre. AV-Test, an independent IT security institute, has been testing the malware detection rate of antivirus scanners found on the Play Store, including Play Protect. As recently as July 2018, Play Protect has been near the bottom of the list, with detection rates well below the industry average.
But malware isn't the only threat. For example, Redditor Busymom0 made a detailed post about their discovery of an "Adult Hook Up" app which had over 70,000 downloads in one month and made $200,000 in revenue. This was without stealing data or corrupting any devices, so it would have gotten past even the best antivirus scanners. Instead, it made false promises and was able to sucker many users into paying $19.99 for one week of access to the service. And this was an app on the iOS App Store, which has a much more thorough vetting process than the Play Store.
This is just one example of a type of app that can slip through the cracks. Others include copies of popular apps and those that abuse permission requests or display excessive ads even when you're not actively using them. Whether they deliver on what they promise is irrelevant, because as long as you download the app, they have a chance of getting you to tap on an ad, make a purchase, or inadvertently hand over data that can be sold to marketers. Either way, they make a buck.
As the saying goes, "if it seems too good to be true, it probably is." The first habit you should implement is to avoid apps that are promising way too much.
For example, there are several apps on the Play Store that claim to let users update their operating system to Android Pie, including one which has over ten thousand downloads. I couldn't believe more than ten thousand users thought this was possible when the method to update your phone is pretty straightforward and well-discussed online.
You may have come across other apps that fall into this "too good to be true" category. It's particularly common with apps that relate to games. Some will claim to give you free in-game currency like Fortnite's Vbucks, and others will offer cheats and hacks to get you ahead in a game. Then there are outright fake games — before Fortnite came out on Android, there were dozens of half-hearted "Battle Royale" clones trying to make a quick buck.
Another common category here is medical apps. Those claiming to diagnose diseases, test your vitals (with the exception of heart rate apps), or even treat illnesses are typically apps you should shy away from.
Some shady developers will even put their app on sale to lure new users with a "deal." The fact is, if an app is truly groundbreaking, the tech blogosphere will talk about it. We will talk about it. Reddit will talk about it. Your friends will talk about it. Rarely will you randomly find a true diamond in the rough on your own.
Back in the early days of Android, the apps I hated the most were the ones that requested permission to access sensors they didn't need. Many would even go so far as to batch-request permission to access all of your phone's sensors. This isn't as common as it used to be, but the technique is still in practice.
Thanks to the data collected by these sensors, our phones know quite a bit about our day-to-day lives. As I highlighted in a previous article, hackers can spy on you if they have access to seemingly innocuous sensors like your gyroscope or your ambient light sensor — even without tapping your camera or microphone. The most common method of achieving this is with an app that batch-requests permissions, some of which can be found on the Play Store.
Google tried to correct this issue by implementing granular app permissions in Android 6.0 Marshmallow, which forced apps to request permissions individually as they were needed. If you've ever seen a popup saying "XYZ App Would Like to Access Your Location — Allow or Deny," that's the new system.
However, the app must target at least Marshmallow to use this new permission model. If it doesn't, it can use the old method of requesting all permissions at the time of installation (when you see that "XYZ App needs access to" popup above). Unlike the granular model, this old style is all or nothing — in other words, if you don't want to give the app permission to access every sensor it requests, you simply can't install it.
But if a developer still wanted to abuse permission access, all they had to do was set their app to target a pre-Marshmallow version of Android like Lollipop or KitKat. Thankfully, this started getting a lot harder on November 1, 2018.
After November, Google required that all new uploads to the Play Store must target Android Oreo, which means they'll have to use the new granular app permissions model, preventing them from accessing unnecessary data. However, this only applies to new apps and updates to existing apps, so you'll still have to be somewhat vigilant.
As for a habit to protect yourself, scroll down and tap "Read More" on an app's Play Store page, then scroll to the bottom of the next page and you'll see when the app was last updated. If you see a date on or after November 1, 2018, you are protected from batch permissions.
If an app you're about to install hasn't been updated since November 1, 2018, you should manually check the permissions it requests. On the app's Play Store page, scroll to the bottom and select "Permission details." A popup will appear letting you know of all the permissions requested by the app and how exactly it plans on using them. As you can see in the example below, there is no reason a flashlight app needs access to your phone number to make calls, so this is a great reason not to download it.
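The same check can be scripted against an APK you already have on disk. The following is an added example, not part of the original article: it parses text in the format printed by `aapt dump badging` (Android SDK build tools) and flags an app that targets a pre-Marshmallow API level while requesting sensitive permissions. The sample text, the package name, and the function name `review_badging` are constructed for illustration, and the permission list is only a subset of Android's "dangerous" permissions.

```python
import re

# Android 6.0 Marshmallow is API level 23. Apps targeting a lower level
# receive every requested permission at install time (all or nothing).
MARSHMALLOW_API = 23

# Illustrative subset of Android's "dangerous" permissions.
DANGEROUS = {
    "android.permission.CALL_PHONE",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALENDAR",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_SMS",
}

TARGET_RE = re.compile(r"^targetSdkVersion:'(\d+)'", re.M)
MIN_RE = re.compile(r"^sdkVersion:'(\d+)'", re.M)
# Accepts both "uses-permission: name='X'" and the older "uses-permission:'X'".
PERM_RE = re.compile(r"^uses-permission:\s*(?:name=)?'([^']+)'", re.M)

# Constructed sample of badging output for a hypothetical flashlight app.
SAMPLE_BADGING = """\
package: name='com.example.flashlight' versionCode='7' versionName='1.6'
sdkVersion:'16'
targetSdkVersion:'22'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.FLASHLIGHT'
uses-permission: name='android.permission.CALL_PHONE'
uses-permission: name='android.permission.READ_CONTACTS'
application-label:'Flashlight'
"""

def review_badging(text):
    """Summarise the permission model and sensitive permissions of one APK."""
    target, minimum = TARGET_RE.search(text), MIN_RE.search(text)
    # A missing targetSdkVersion falls back to minSdkVersion (default 1).
    level = int((target or minimum).group(1)) if (target or minimum) else 1
    dangerous = sorted(set(PERM_RE.findall(text)) & DANGEROUS)
    legacy = level < MARSHMALLOW_API
    return {
        "target_sdk": level,
        "install_time_grant": legacy,   # old all-or-nothing model
        "dangerous": dangerous,
        "flag": legacy and bool(dangerous),
    }

if __name__ == "__main__":
    print(review_badging(SAMPLE_BADGING))
```

For a real file, feed the function the text produced by `aapt dump badging app.apk` instead of the constructed sample.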
Even after installing an app, you can check its permissions in your phone's settings to see which are enabled by default. If any look fishy, disable them. If the app stops working after you revoke access to a certain permission, you can always re-enable the permission in the same settings menu, but you may want to look for an alternative app instead. For example, if a camera app won't run if it can't access your calendar, you might want to find a different camera app. Check out the link below on how to accomplish this.
One of the better ways to detect bad apps is an obvious method often overlooked: checking out the user reviews. Like with most user review systems online, Android's isn't perfect. However, with the abundance of reviews, it is a great place for users to vent their frustrations, deterring potential users from suffering the same fate.
When you are interested in an app, check out its score. If it has less than four stars and you had any lingering questions about its legitimacy, just avoid the app. But your due diligence doesn't stop there. Take the time to check out some of the more helpful reviewers. If you see alarming complaints on the first couple of pages, that's your sign to stop. One bad review among a sea of great ones should be ignored, but multiple with the same complaints should send you on your way.
But also be wary of apps with perfect 5.0 ratings. In the Reddit post by Busymom0, the scammy iOS app had 67,882 five-star ratings. This is a glaring sign something is wrong — no legit app will have such a high grade. With users giving apps poor ratings because they don't like a color choice, having that many individuals give an app a perfect score is almost certainly the work of fake or paid reviews.
Another thing you should look for here is the number of downloads. This number will be posted in two places: At the top of the page below the "Install" button, and at the bottom after first selecting "Read More." The latter will also reveal the date it was released, helping you paint a better picture. For example, a legit app released last month could have one thousand downloads, but an app released a year ago should have more. And if the download number is low but the score is high, you should continue your research.
If you're still on the fence about an app, scroll to the bottom of its Play Store page and see if the developer has created other apps. If they have, there will typically be a section labeled by the developer's name, listing all the apps they've created. Check out each one and see the ratings and downloads. If their other apps have a similarly low score and rating, you should probably avoid using any of their apps.
Another great thing about the user review section is how it can help you avoid apps with hard-to-detect problems, such as ones that overwhelm you with ads. While most malware is difficult to identify for the average user, adware isn't. We've all seen it: An app that was flooded with so many ads that its basic functionality is hindered.
A quick way to tell if an app contains any ads is to select "Read More" on its Play Store page and scroll to the bottom. If it contains any ads, the label "Contains Ads" will be listed right below the recommended age range for the app.
Of course, just because an app contains ads doesn't mean it's a bad app. Many legitimate developers can only offer free versions of their apps by making them ad-supported. The real trouble here is the type of app that gets overly spammy with ads, and those are a bit harder to detect before installing.
The user review section is your primary (and in some ways only) method to avoid installing these apps. However, if you happen to fall victim to this kind of app, uninstall it immediately. While it isn't as harmful to you as malware, it does encourage this behavior of poor app design by rewarding the developers each time you are redirected to an ad's page due to an unintended touch.
Another good research tip is to read who developed the app. There are a number of apps on the Play Store that try to trick you into believing they're a different, more famous app. They will copy the icons, even describe the app in a similar manner to the real version of the app. However, because they can't replicate the name, you can usually figure out which one is real by reading the name of the developers.
For an example, try searching the Play Store for the SHAREit app. As you can see in the screenshot below, only the first result is the real deal. The second appears to be the SHAREit app at first glance, but the name of the developer isn't the same as the company who created the app (which you can usually find with a quick Google search of the app's name). This was how I was able to avoid downloading the wrong app.
Under "Read More," at the bottom of an app's Play Store page is a list of information regarding the developer. Google requires the developer to provide their email address and physical address. Try running a Google search on the physical address and on the email address. Send the developer an email to see if the email address is valid. If either address is suspicious, there is a good chance the developer is trying to trick you.
While it would be impossible for us to find every app you should avoid, there are some known offenders that you should be aware of while browsing the Play Store.
- UC Browser: Vulnerable to a number of security risks, including viruses and adware. Has had multiple data leaks and privacy breaches that still haven't been fixed.
- ES File Explorer: Riddled with ads and has been caught phoning home to China.
- Dolphin Browser: Records your video watch history even when using incognito mode.
- Update to Android P 9.0 (Unreleased): Outright bogus — you can't perform system updates using an app.
Besides these specific apps, there are several general categories of apps you should avoid.
- Task killers, performance boosters, RAM cleaners, and battery savers: Proven ineffective time and time again, and the permissions they require are ripe for data mining.
- Apps made by Cheetah Mobile: This is a developer known for making useless apps that replicate the look of other legit apps. A petition was made on Change.org urging Google to ban them from the Play Store.
- Keyboards from non-reputable developers: Keyboard apps, by design, can log everything you type. A malicious developer could easily create a keyboard app to log your typing history and learn your secrets (including your passwords).
- Free VPNs: Falls in the "too good to be true" category. VPNs capture all data transmissions from your device, so they have the potential to be data-mining goldmines. Only use reputable services, which almost always charge you a subscription fee (there are a few legit free ones, but do your research first). Also, thanks to Redditor daredevil117, we learned of several free VPNs from The VPN Company which use the same UI and are highly sketchy. Avoid them, please.
- Free music & movies: Not only is piracy illegal, but piracy apps are often filled with malware that steals your data.
- Cryptomining: These apps are already sketchy, but now that Google has banned them from the Play Store, any app that offers a service involving the practice should be avoided.
Also, check out the BadApps subreddit. Redditors inform the public about bad apps they've found on the Play Store that are low-quality or spam. If you see an app you are not sure about, search for it on the subreddit. If it's there, don't install it.
Implementing the habits we covered above will go a long way towards keeping you safe on the Google Play Store. However, we have some general recommendations to assist you further, so I wanted to include them here.
Despite an ongoing debate in the Android community about their necessity, antivirus scanners can definitely help protect you against bad apps, specifically those with malware. Play Protect is well below the industry standard detection rate and gives users a false sense of security, so check out our list below for the best antivirus apps available.
Finally, no matter how cautious you are, you can still fall victim to a bad app. Hopefully, it is spam and not malware, but sometimes, apps are both. If you happen to install some malware, there are ways to get rid of the app, especially if the developer created protection to protect the app from being uninstalled. Check out our video for how you can accomplish this or read the link below for a more in-depth tutorial.
Now that you know what type of apps to look out for, you should avoid most malicious apps on the Play Store. Unfortunately, malicious developers are continually finding new ways to trick unsuspecting users, so you'll always have to remain vigilant.
This article was produced during Gadget Hacks' special coverage on smartphone privacy and security. Check out the whole Privacy and Security series.