Cybercriminals design fake apps to look like legitimate apps on the surface. Their goal? Tricking you into pressing “download” so they can flood your device with malware and malicious code, steal your information, or commandeer your device and accounts.
Hackers exploit the widespread appeal of real apps to generate traffic for their fake apps. Take the example of scammers creating fake ChatGPT apps [*]. They advertise what is ostensibly free and unlimited access to the premium app, but then give you information-stealing malware.
If you're worried about malicious apps, you should know how to handle them. Find out how to spot the fakes, what kind of damage they can do, and what you should do if you accidentally download one.
Malicious and fraudulent apps can be difficult to distinguish from real apps, but there are some red flags that can tip you off. You can spot fake apps by looking out for the following warning signs:
An app's size can tell you a lot about its inner workings. If it’s too small, it may be incomplete or missing core functionality.
If it’s too large, an app could be hiding a malicious payload. For reference, the most popular apps for Android devices have an average size of about 60 MB [*], while the top iOS apps average 174 MB [*].
In early 2023, hackers padded the file sizes of fake Android apps with extra zeros to elude antivirus software; large files take more time and resources to scan [*].
Fake apps with compressed files can evade detection as well, since antivirus software can't always unzip them [*].
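A defender can check a package for this kind of padding before it reaches a scanner. The sketch below is an added example, not code from the article or from any antivirus vendor. It assumes the padding sits inside the APK (a ZIP archive) as a large, zero-filled entry. The function names, thresholds, and the sample archive are constructed for illustration.

```python
import io
import zipfile

CHUNK = 1 << 16  # read entries in 64 KiB pieces so large files never sit in memory

def zero_fraction(zf, info):
    """Stream one archive entry and return the share of its bytes that are 0x00."""
    zeros = total = 0
    with zf.open(info) as fh:
        while chunk := fh.read(CHUNK):
            zeros += chunk.count(0)
            total += len(chunk)
    return zeros / total if total else 0.0

def find_padding(apk_bytes, min_size=1 << 20, min_zero=0.95):
    """List entries that are large and almost entirely zero bytes.

    min_size and min_zero are illustrative thresholds, not vendor values.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.file_size < min_size:
                continue  # small entries cannot inflate the package much
            frac = zero_fraction(zf, info)
            if frac >= min_zero:
                findings.append({"name": info.filename, "size": info.file_size,
                                 "compressed": info.compress_size, "zero_fraction": frac})
    return findings

def build_sample(pad_mb=4):
    """Constructed APK-like ZIP: two ordinary entries plus optional zero padding."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", bytes(range(256)) * 800)        # ~200 KiB, mixed bytes
        zf.writestr("resources.arsc", bytes(range(1, 256)) * 6000)  # ~1.5 MB, no zeros
        if pad_mb:
            zf.writestr("assets/data.bin", b"\0" * (pad_mb << 20))  # the padding
    return buf.getvalue()

if __name__ == "__main__":
    for hit in find_padding(build_sample()):
        print(f"{hit['name']}: {hit['size']} bytes, stored as {hit['compressed']}, "
              f"{hit['zero_fraction']:.0%} zeros")
```

A padded entry also compresses to a tiny fraction of its declared size, so a large gap between `size` and `compressed` is a second signal worth logging alongside the zero count.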
Scammers capitalize on an app's popularity in different ways, such as copying the app name or developer name or by plagiarizing the app's content.
Cybercriminals want you to download the counterfeit app or think that their copycat app offers the same experience as the real app.
About 35 million people downloaded fake versions of the popular game Minecraft this year [*]. As a result, Google shut down 38 malicious apps that were running adware in the background.
Many fake apps use familiar branding and app icons to con unsuspecting users. In one scam, "Hey WhatsApp" promised new features for WhatsApp users, but it stole their sensitive account information instead [*].
Sometimes, you can identify the frauds by their lackluster branding quality. A fake Midjourney app, for example, used the real app's logo. The typos and grammar mistakes in the description, however, gave it away [*].
Before you download apps, make sure you know what you're getting and from whom you're getting it. Take a close look at the screenshots, release dates, and contact information.
Double-check that there's an adequate app description and official website or even a social media account connected to it.
Without these, the app likely offers zero support or refunds, such as the paid but non-functional “PrintScreen - Fast Screen Grabber” app [*].
Apps with low ratings or a minimal number of downloads should raise red flags. This is especially true if you’re trying to find the real app amongst similarly-named imposters. In most cases, the app with the higher rating and download number is the real one.
Instead of accepting low ratings or even positive reviews at face value, read what users are saying. Reviewers might even save you from fraud or hidden ads [*].
Fake reviews skew app ratings, and their positive feedback can mislead people into downloading these apps [*]. As you investigate apps, look for user complaints or security incident reports.
While app stores work to remove fake and fraudulent apps, the system isn't perfect. Sophos reported earlier this year about how scammers circumvent Apple's App Store review process [*].
They submit an app with standard, benign web content for approval. After the app is approved and published, scammers update the server that is hosting the app to include fraudulent interfaces.
Official app stores like the Google Play Store, Apple App Store, and Amazon App Store have strict developer criteria and guidelines that make these marketplaces relatively safe and trustworthy.
These stores require apps to include comprehensive terms of service, clear contact information, and troubleshooting FAQs before hitting the marketplace.
Apple has rigid control over its products [*] — blocking iPhones from third-party app stores and sideloading [*].
Google fortified its app review process as well [*] — even adding security review badges for app developers [*]. Despite Apple and Google's tight security, third-party app stores remain gateways for malicious apps.
If you see an app with few updates over the years, you would be wise to avoid it. Outdated apps pose security risks because they may be unsupported, malicious, or easy to exploit.
As a result, Google and Apple remove or hide apps that go without updates for up to three years [*]. Apps with frequent but seemingly needless updates may also point to a scammer trying to give the illusion of active support.
While the amount and type of personal information required by an app varies, be careful about any information you share.
Cybercriminals use fake apps as a front to steal contact and credit card information. Some also ask for data that no app should need — a clear sign of a scam.
For example, Apple removed a fake crypto app called “Trezor Wallet Suite” after it requested user seed phrases — the keys for accessing and recovering crypto wallets [*].
Fake apps can dupe you into paying for subscriptions that you don’t need, or sign you up without consent.
For example, fake authenticator apps ask you to pay up to $40 per month for a service that real apps give away for free [*].
Meanwhile, a premium services subscription scam hit more than 100 million app users, secretly subscribing them to services through Direct Carrier Billing (DCB) [*].
Many apps require permissions to function on your device, but not all permissions make sense — and some could put you and your device at risk.
Look at the app privacy label to learn what data the app collects and how it's used. Apps may collect anything from contact and financial information to location and usage data [*].
Granting permissions to fake apps can lead to theft and surveillance. Sometimes, even legitimate apps can have dubious track records with data collection.
In fact, one study found that nearly 80% of the top Android apps had discrepancies between their data collection policies and practices [*].
To expand their customer base, many legitimate premium apps offer free versions with ads — but apps with overly frequent ads might hint at a scam. Ad-heavy apps could infect your device with adware or tether you to phishing websites.
In 2023, Google Play removed a fake USA JOBS app that misled users into thinking that it was connected to the official USAJOBS.gov website. Instead, the app touted fake job listings and bombarded users with ads at every step [*].
Fraudulent apps often lure users by making promises that scammers have no intention of fulfilling. They might offer a well-known service for a discounted rate or guarantee new and improved functionality. Only after you download the app do you realize that you've been tricked.
Many of the fake ChatGPT apps mentioned earlier lure victims in by offering the premium service for free. If an app's offer seems too good to be true, it probably is.
Fake apps can do considerable damage to your computers and mobile devices. They can infect your device with malware, adware, and spam bots.
Or they can help fraudsters gain remote access to your device and track your every move. Here are just some of the dangers that malicious apps present:
Backdoor access
Fake apps use a variety of tactics, including malicious code and misleading permissions, to gain unauthorized access to your device's system and resources.
Once they infiltrate, these apps can execute harmful operations, steal from you, and make unauthorized changes. In 2023, Google removed the “iRecorder - Screen Recorder” app for exploiting backdoors that allowed it to take pictures and record audio on user devices [*].
Billing fraud
Malicious app developers can trick your device into signing up for unauthorized subscriptions and charges — a scheme called billing, subscription, or toll fraud.
Apps with malware committing toll fraud can also automatically disable your Wi-Fi connection or furtively connect you to a mobile network [*].
Commercial spyware
Many fake apps come embedded with spyware or fraudulent privacy practices. Apple rejected about 400,000 app submissions last year because of such privacy violations [*].
Once installed, these apps can steal your personal data and send it to a third party without your knowledge.
A Signal app imposter — “Signal Plus Messenger” — did this in 2023 and spied on user communications from the real Signal app [*].
Denial of Service (DoS) or Distributed Denial of Service (DDoS)
Hackers can use apps to involve users in malicious acts, such as the “Updates for Android” app that added users to a DDoS botnet [*].
In this case, the malicious app loaded a JavaScript command that forced infected devices to connect to a target website every second, with the intent to flood the site with traffic and shut down its servers.
Hostile downloaders
Cybercriminals may inject apps with malware capable of downloading malicious apps and code. These hostile downloaders work in stealth and without authorization — stealing your data, memory, resources, and money.
In 2022, analysts found dozens of apps infected with malware that covertly downloaded other malware and unwanted software onto user devices [*].
Phishing
By posing as legitimate apps with legitimate-looking login screens, fake apps steal information from trusting users.
Google Play purged at least six apps impersonating authentic antivirus apps last year [*]. When users input their login and banking information on these credential-stealing apps, their information funnels into a rogue server.
Privilege escalation
Some malicious apps take advantage of permissions and privileges to carry out destructive operations.
For example, a fraudulent productivity app called “Todo: Day Manager” requested administrator permissions [*]. As an administrator, the app blocked users from revoking the permissions and took charge of their data.
Ransomware
Hackers use fake apps to deliver ransomware — malware that compromises data and requests money or information in exchange for its safe return.
CloudSEK researchers found numerous apps embedded with ransomware that scrambled victim files with Advanced Encryption Standard (AES) encryption and deleted them from the local storage [*]. Only victims who paid a ransom could receive the decryption key.
Rooting
Rooting or jailbreaking is the process of bypassing device restrictions and security controls to enable custom installations and settings.
Nearly 20 apps on the Google Play and Samsung Galaxy Stores were found to have rooting malware in 2021 [*]. When installed, these apps manipulated device permissions and installed a Settings Storage app that bungled system settings and resources.
Trojan apps
Like so many fake apps, trojan apps appear legitimate but come with hidden dangers. Once installed, these apps release malware, exploit users, and spy on them.
Cybersecurity analysts have been tracking a major banking trojan called Xenomorph hiding in various banking and cryptocurrency apps [*]. Xenomorph has evolved over time, but it's capable of stealing banking and crypto wallet credentials and funds by using an automated transfer system (ATS).
If you think you've downloaded a fake app, you should act immediately. Protect yourself and your device by following the steps below.
The longer a malicious app stays on your device, the greater the damage it can do.
While most app permissions get deleted alongside the app, you should still check for lingering access.
Restarting your device clears any processes or apps still running and reboots your device's system and memory.
Even after you delete an app, only antivirus software will tell you what's left behind. For example, Aura's antivirus software — which runs on Macs, Android, and Windows devices — regularly scans, quarantines, and removes all infected files.
The official app stores have reporting systems that flag fake apps for investigation. By reporting an app, you can prevent these scams from hurting you and others in the future.
Official app stores have robust review and security processes that make it difficult for malicious apps to slip through the cracks.
In 2022 alone, Apple blocked over 1.5 million potentially fraudulent app submissions and over $2 billion in potentially fraudulent transactions [*]. Google added Google Play Protect, which allows you to scan for harmful apps on your device [*].
But neither system is infallible. You still need to perform your own checks and due diligence to avoid fake apps:
Editorial note: Our articles provide educational information for you to increase awareness about digital safety. Aura’s services may not provide the exact features we write about, nor may cover or protect against every type of crime, fraud, or threat discussed in our articles. Please review our Terms during enrollment or setup for more information. Remember that no one can prevent all identity theft or cybercrime.