With all the apps in the world popping up here, begging for your attention there, and promising you the world everywhere, it’s sometimes tough to know what’s real, what’s fake, and what’s downright dangerous. In some cases, particularly creative and aggressive hackers spoof big-time publishers in their quest to gain and exploit your information.
Bear in mind, however, that getting copies and updates directly from the Google Play Store is the best way to combat phony apps. All it takes is a little diligence on the part of users to check an app’s history and where it comes from. Remember, although malicious apps sometimes do show up in the Play Store listings (mostly Chinese apps have turned out to be dangerous), they’re not part of major apps like Facebook and Twitter; they’re separate malicious apps. If you make sure to update all of your major apps directly from the Play Store, it’s very unlikely that you will accidentally download a malicious one.
In some cases, apps might seem to be phishing when they’re really not. For example, if you downloaded a nifty keyboard app, it might ask you to allow it to recognize everything you type. No, it’s not a keylogger installed by some teenager in a foreign internet cafe looking to empty your bank account. It’s just the keyboard app asking to know what you type so that it can function as a keyboard.
The biggest players will often require many app permissions. A free app might be spying on you, most probably for better ad targeting and other marketing purposes; whether to live with that is your decision. For example, the Facebook app for Android requests the following permissions:
- read your text messages (SMS or MMS)
- download files without notification
- read/write your contacts
- add or modify calendar events and send email to guests without the owner’s knowledge
- read calendar events plus confidential information
These permission requests would be more than suspicious coming from a lesser-known app, while you can be sure that Facebook will not read your SMS looking for the CVC code of your Visa card. But they surely use your data to map your social network and for laser-targeted ads.
How Can You Tell When a Question is Legit and When It’s Not?
Android apps all operate in what are known as “process sandboxes.” Nothing is shared between apps unless the user has given permission either directly or indirectly. There usually has to be a reason why an app needs to share data with another app. In the keyboard app example, you have to share what you actually type because the app is supposed to be a keyboard. That’s a great example of the litmus test: “Is this app safe?” To apply the test, simply ask yourself the following question: “Is the permission this app is seeking germane to the function of the app, or is it extraneous?” Another example would be a photo sharing app that asks permission to access all your stored photos.
There are a few things to look out for as real signs something’s fishy. Here’s a list of permissions that should make you wary:
- Show alerts at system level
- Modify global settings
- Download files without notification
For the full list of the dangerous app permissions, check out Table 1 on the official site of Android developers: https://developer.android.com/guide/topics/security/permissions.html
Keep in mind, too, that malicious apps sometimes ask permissions for things that safe apps also do. For example, let’s say you download an app that will allow you to share a photo with everyone in your contacts list at the same time. A legitimate Android app will always ask you for permission to do that before doing it. A malicious app won’t ask for permission if it can already use your data.
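The litmus test from this section, applied programmatically, as an added example that is not part of the original article: the script reads an app's manifest (the XML you get from, for example, `apkanalyzer manifest print app.apk`), compares the requested permissions with what an app of that kind plausibly needs, and flags the ones the article says should make you wary. The manifest below is constructed for the example, and the "expected for this kind of app" sets are the author's own assumptions, not an official Android list.

```python
"""Flag permission requests that look extraneous for an app's stated purpose."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that should make a user wary (the article's list plus the
# Facebook examples above). The permission names are real Android ones.
WARY = {
    "android.permission.SYSTEM_ALERT_WINDOW": "show alerts at system level",
    "android.permission.WRITE_SETTINGS": "modify global settings",
    "android.permission.DOWNLOAD_WITHOUT_NOTIFICATION": "download files without notification",
    "android.permission.READ_SMS": "read your text messages",
    "android.permission.READ_CONTACTS": "read your contacts",
    "android.permission.WRITE_CALENDAR": "add or modify calendar events",
}

# Assumed "germane to function" sets: what each kind of app plausibly needs.
# A keyboard gets keystrokes through the input-method framework, so it needs
# none of the wary permissions; a photo-sharing app needs your photos and,
# to share with contacts, your contact list; a flashlight needs the camera LED.
EXPECTED = {
    "keyboard": set(),
    "photo_sharing": {"android.permission.READ_EXTERNAL_STORAGE",
                      "android.permission.READ_CONTACTS"},
    "flashlight": {"android.permission.CAMERA"},
}

# Constructed sample manifest: a "flashlight" that also wants SMS and overlays.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
</manifest>"""


def audit(manifest_xml: str, app_kind: str) -> dict:
    """Return the requested permissions and the wary ones not justified by app_kind."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    extraneous = sorted(p for p in requested - EXPECTED[app_kind] if p in WARY)
    # Normal-level permissions such as INTERNET are not in WARY, so they are not flagged.
    return {"requested": sorted(requested), "extraneous": extraneous,
            "reasons": [WARY[p] for p in extraneous]}


if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST, "flashlight")
    for perm, why in zip(report["extraneous"], report["reasons"]):
        print(f"WARY: {perm} ({why}) is not needed by a flashlight app")
```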
The Bottom Line
To stay safe, keep away from sites you don’t know that peddle apps that seem too good to be true. Also, avoid sites that provide cheap apps that mimic other apps you might otherwise have to pay for. Remember, the Play Store is on your side when it comes to phishing and malware. Even if you think they’re just protecting their profits instead of really caring about you, the fact that they try to keep malware away from you is a good enough reason to have faith in them.