Until App Store Security Improves, the Burden Is on You

Just because an application comes from an “official” store, that doesn’t mean it’s safe. The Google Play Store has been in the news so many times now that its security policies have been called into question on multiple occasions.

The most recent scare from the Play Store is a whole series of apps that are actually quite popular, and indeed even functional. They’re disguised as useful tools such as currency calculators and device cleaners, and are further obfuscated by the fact that they actually work as advertised. They even have rather high review ratings. Lurking behind these applications, however, is a very nasty banking trojan known as Anubis.

The long and short of it is, it checks for well-known banking apps on your Android phone or tablet, and then records your screen when you enter your login information. It then locks you out of your device and makes it completely unusable. At that point, breaking into your checking and savings account from just about anywhere is a very simple matter.

This is only the latest example of severe malware that’s been allowed to propagate on an official application store. So, if you can’t trust the stores and your device is pretty much useless without apps, how in the world do you discover and download apps safely? Here is some advice.

 

Avoid Installing Apps from Unknown Sources

We just stated that apps from the app store can be just as dangerous as those downloaded from the wild. That being said, some security is better than none. While the above-mentioned malware wasn’t detectable by Google, Google’s “Play Protect” runs automatically whenever you download something from their Play Store. Again, this feature isn’t a catch-all, and some of the most news-worthy incidents have come from apps downloaded directly from the store. But it’s still better than nothing, and it’s not nearly as bad as downloading outside of the store. As a result, this is still safety precaution number one.

To check the status of Play Protect on your device, open the Play Store and tap “Menu,” then “Play Protect.” Then check the section that says “Recently scanned apps” and switch on the “Improve harmful app detection” option to send unknown apps to Google for further review.

 

Read the App’s Summary and Description

How “professional” does the app’s description on the store page look? Does it describe in detail all the major features and how they work, or does it simply make a list of claims? Does it include a feedback link? (It should.) Are there a lot of grammar and spelling errors?

These things may seem trivial, but they’re signs to watch for. Notice the screenshot previews, too. Are they actually useful pictures, or are they generic? Are they stolen from a legitimate listing somewhere and kept vague?

 

Read the App’s Reviews

Again, this would not have helped with the above-mentioned news story. As a general rule, always, ALWAYS read through the reviews before downloading an application. Public opinion can usually give you a good sense of whether an app is safe to use or not. While this wasn’t the case for the Anubis trojan, it’s still a very good practice to follow to help weed out some of the more common bad actors. To get a more accurate read for yourself, change the review filter from “most helpful first” to “newest first.”

Don’t blindly trust the reviews, however. The review system is far from perfect, and many developers actually buy “fake” reviews. Signs to look for are whether or not some of the reviews actually contain legitimate problems, such as a partially broken feature. A less-than-perfect rating here and there, rather than a generic five-star score over and over again with vague or little to no input, is likely more credible. An honest developer is more likely to respond to reviews, too.

 

Compare the App’s Release Date to the Number of Downloads

If the app is practically brand new and is from a tiny developer, it should not have 50,000,000+ downloads. This could very well be an indication of fake downloads.

 

Read the App’s Permissions

Should a calculator need access to your contact list? Should a flashlight be allowed to store data on your SD card? The answers of course are a resounding “no.” If the application requires access for things that have very little to do with the actual alleged function of the app, that should immediately be a red flag and prompt you to reconsider trusting it.
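For readers who are comfortable with a command line, the same check can be scripted. The following is an added example, not part of the original article: it parses the text that `aapt dump permissions` prints for an APK and lists the sensitive permissions that the app's stated purpose does not explain. The sample dumps, the package names, and the baseline of which permissions each kind of app needs are assumptions constructed for illustration.

```python
import re

# Real Android permission names; which ones count as "sensitive" here is an
# assumption made for this example, not an official list.
SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.SYSTEM_ALERT_WINDOW",
}

# Hypothetical baseline: sensitive permissions each kind of app plausibly needs.
EXPECTED = {
    "calculator": set(),
    "flashlight": {"android.permission.CAMERA"},
}

# Accepts both "uses-permission: name='X'" and the older "uses-permission: X".
LINE = re.compile(r"^uses-permission:\s*(?:name=')?([\w.]+)'?")

def declared_permissions(dump):
    """Parse `aapt dump permissions`-style text into a set of permission names."""
    found = set()
    for line in dump.splitlines():
        match = LINE.match(line.strip())
        if match:
            found.add(match.group(1))
    return found

def unexpected_permissions(dump, kind):
    """Sensitive permissions the app declares that its stated function does not explain."""
    allowed = EXPECTED.get(kind, set())  # unknown kinds get no allowance
    return sorted((declared_permissions(dump) & SENSITIVE) - allowed)

# Constructed sample input (not taken from any real app).
CALCULATOR_DUMP = """package: com.example.calc
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.SYSTEM_ALERT_WINDOW'
"""
FLASHLIGHT_DUMP = """package: com.example.torch
uses-permission: name='android.permission.CAMERA'
uses-permission: android.permission.WRITE_EXTERNAL_STORAGE
"""

if __name__ == "__main__":
    for kind, dump in (("calculator", CALCULATOR_DUMP), ("flashlight", FLASHLIGHT_DUMP)):
        print(kind, "->", unexpected_permissions(dump, kind))
```

An empty list only means nothing on this short list stood out; it is not a verdict that the app is safe.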

It’s unfortunate, but it’s a veritable “Wild West” out there right now. Until better protections are put into place, it’s largely up to the user to be as cautious and informed as possible. It’s a tremendous burden to expect of the average person. V2 Systems can at least shoulder some of that burden.

 

Since 1995, Manassas Park, VA-based V2 Systems has employed local systems administrators, network engineers, security consultants, help desk technicians and partnering companies to meet a wide range of clients’ IT needs, from research, to implementation, to maintenance. Concentrate on your VISION…We’ll handle the TECHNOLOGY!