Tested News

How To Spot Scams and Malware Apps on Android

Some apps are already doing some shady things. Learn how to protect yourself.

Android offers developers a lot of freedom in using a phone's hardware in their apps. While this leads to some really amazing functionality, it can also be a security concern. Google has chosen to run a more open marketplace for apps, and does not hold apps back for review before they are published. There is no gatekeeper for the Android Market. All a developer needs to do is pay the $25 developer fee and upload their app to the Android Market. Naturally, this has invited some riffraff to join the party. By looking at an app with a skeptical eye, and checking the permissions, you can avoid apps that are shady, or just plain scams.
 
 

The Market page tells you much

Your first line of defense is to just use common sense. If you're not familiar with an app, give everything a once-over before you install. Here we'll use a real-life example: an app that's managed to hit 10,000 downloads in just one week. The app in question, Android Gaming Network (AGN), is at least shady, but maybe an outright scam, and you can tell something is fishy just by looking at it.

Job one is to check the comments on an app to look for suspicious behavior. The wisdom of crowds is of real use in this instance. AGN, for instance, has over 200 Market reviews, most of them positive. If you look closer, you can tell something is wrong. Many of the reviews were clearly written by the same person. They have the same grammar and say mostly the same things. This is a big red flag for any app. In fact, in this app's comments, there are some real people offering words of warning. This free app charges you $10 a month if you're not careful.  

The market has the option to pull up the other apps submitted by a particular developer. Make sure to look at these apps if you're feeling uneasy. It could be that they develop a well known app, and that can certainly put your mind at ease. It could also be that they develop several other questionable-looking apps. This is information you should have when evaluating an app. 

The Android Market offers a link to the website registered by the developer. If you're feeling wary after looking at the Market comments and other apps, this is the next place to check out. You can tell a lot about a developer from their site. If it looks like a storefront genuinely meant to promote mobile applications, that's a good thing. A completely unrelated site is not as good. The developer of AGN has a site listed, but when you go there, it's just a blank page with the URL. This isn't what you want to see.

A developer of reliable apps will want to put their best foot forward. Having a Twitter account is a good way to stay in touch with users. The developer's website should be able to direct you to their Twitter account. Not having a Twitter account is not necessarily a sign of trouble, but if you cannot find a real website or a Twitter account, that is a concern. A developer with no real presence online is suspicious.

Check the app permissions

A Twitter client just needs a few permissions

This is perhaps the most important thing to do when you're unsure about an app. Android makes developers register system permissions for their apps to interact with the phone. By going down the list, you can tell what an app is going to do. Depending on the type of app, some permissions may stick out like a sore thumb. First, you have to know which permissions to look out for. 

Right under the heading Services that cost you money, you may see the "send SMS" or "send MMS" permission. Most apps don't need the ability to send SMS messages. If you're looking at a game, news, or entertainment app of some sort, it more than likely shouldn't need these permissions. Sending SMS messages to premium rate numbers is a way to charge users surreptitiously, and we think that is how the developer of AGN is doing it. Bottom line, if an app is unexpectedly asking for SMS permissions, be skeptical. 

Next up, look for the Storage header. The subcategory to be aware of here is "modify/delete SD card contents". This permission gives apps full read/write access to your SD card. This includes access to your pictures, music, and videos. If you look around in your app permissions, you'll likely notice that many apps actually request this. They often need SD access to store cache, or some sort of downloadable data within the app. Even though it is common, if an app seems shady and wants SD access, you might want to think twice.

Another permission to watch out for is "read phone state and identity", which you will find under Phone calls. In this context, state means whether or not the phone is placing a call. There are perfectly reasonable circumstances in which an app might want to know if you are on a call or not, but this permission also gives access to the unique identifiers of your phone. This includes the IMEI, IMSI, and Google identifier numbers of your handset. This could allow an unscrupulous individual to clone your phone.

The "full internet access" permission under Network communication is probably the most important permission an app can request. As the name implies, an app with this permission can load any URL and send data at will. The problem is that almost all apps request it. Games that send high score data, for instance, need this permission. Any app that pulls in online content would use it as well. Still, use your best judgment and decide if an app should have this privilege on your phone. There might be times when you just don't want to risk it because you already feel uneasy about an app.

An automation app like Tasker needs more permissions

Lastly, check for the Your location section, and see if the app asks for either fine (GPS), or coarse (network-based) locations. Many apps ask for coarse location access, and this is maybe a little off-putting, but not the end of the world. Coarse cell network locations are usually off by a few blocks. Some developers use this to know what general vicinity their users are in. Still, if you value your privacy, you don't need to install these apps if you can't think of a valid reason for it to track you. 

The fine GPS location, on the other hand, is more concerning. This permission allows an app to use the GPS chip to know exactly where you are. Unless you're looking at an app that does some sort of location-aware searching, or location sharing, this is a red flag. There are very few instances when an app needs to know exactly where you are.
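
The permission walk-through above can be run as a check over an app's manifest once it has been decoded to text XML. This is an added example, not code from the original article: the manifest permission names are the Android identifiers behind the Market labels, while the per-category expectations, the "high"/"common" grouping, and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"
P = "android.permission."

# Manifest permission -> (Market label used in the article, concern, level).
# The "high"/"common" split is this example's reading of the article's tone.
WATCHLIST = {
    P + "SEND_SMS": ("send SMS", "can text premium-rate numbers", "high"),
    P + "ACCESS_FINE_LOCATION": ("fine (GPS) location", "knows exactly where you are", "high"),
    P + "READ_PHONE_STATE": ("read phone state and identity", "exposes IMEI and IMSI", "common"),
    P + "WRITE_EXTERNAL_STORAGE": ("modify/delete SD card contents", "read/write access to SD card files", "common"),
    P + "INTERNET": ("full internet access", "can load any URL and send data", "common"),
    P + "ACCESS_COARSE_LOCATION": ("coarse (network-based) location", "knows your general vicinity", "common"),
}

# Assumption: watched permissions that are unsurprising for each app category.
EXPECTED = {
    "game": {P + "INTERNET", P + "WRITE_EXTERNAL_STORAGE"},
    "messaging": {P + "SEND_SMS", P + "INTERNET", P + "READ_PHONE_STATE"},
    "navigation": {P + "INTERNET", P + "ACCESS_FINE_LOCATION", P + "ACCESS_COARSE_LOCATION"},
}

def requested_permissions(manifest_xml):
    """Return the permission names declared in a text (decoded) manifest."""
    root = ET.fromstring(manifest_xml.strip())
    names = (el.get(ANDROID_NAME) for el in root.iter("uses-permission"))
    return {name for name in names if name}

def review(manifest_xml, category):
    """List watched permissions the category does not explain, high level first."""
    expected = EXPECTED.get(category, set())  # unknown category: nothing is expected
    findings = []
    for perm in requested_permissions(manifest_xml):
        if perm in WATCHLIST and perm not in expected:
            label, concern, level = WATCHLIST[perm]
            findings.append({"permission": perm, "label": label, "concern": concern, "level": level})
    findings.sort(key=lambda f: (f["level"] != "high", f["permission"]))
    return findings

# Constructed sample: a hypothetical free game, not a real app's manifest.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>
"""

if __name__ == "__main__":
    for f in review(SAMPLE_MANIFEST, "game"):
        print(f"[{f['level']}] {f['label']}: {f['concern']}")
```

Reviewed as a game, the sample is flagged for SMS, fine location and phone identity, while internet access is treated as expected; the same manifest reviewed as a messaging app is flagged only for fine location.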

The vast majority of apps in the Android Market are on the up and up. We're not implying that you need to scrutinize all of them this thoroughly. However, if you're not familiar with an app, and something looks suspicious, don't be afraid to investigate before you install it. By looking into AGN a bit, we found that the Market comments claimed premium SMS charges, that the developer website was blank, and that the app was asking for strange permissions. It also looks like this developer did much the same thing last week under a different name. Those apps have been removed.

Keeping an eye on the permissions of apps you have installed can also be of use, as it will help you better understand what the permissions are used for. To view an app's security information, go to its Market page, and hit menu > security. Currently installed apps also list their permissions in the Manage Applications Settings area. Follow these simple best practices, and you should be able to avoid scams and malware on Android with no problem.

Bowlby on Sept. 2, 2010 at 6:16 a.m.
Great article. :)
TheAdmin on Sept. 2, 2010 at 6:19 a.m.
This is why I don't want an Android phone.
ALavaPenguin on Sept. 2, 2010 at 7:20 a.m.
Hmm this just made me very uninterested in an android phone and made me appreciate the screening apple does on apps.  If only they would get rid of those stupid apps that "increase your 3g power" and stuff
lane moderator on Sept. 2, 2010 at 7:35 a.m.
tl;dr - rub two brain cells together for a second before installing anything, same as every other computing platform.
 
E: Not to dismiss this article, but it's stuff like this that gives Android a bad name. It'd be just as easy to install something nasty on an iPhone, as recent news has proved. At least Android lists the system resources the app wants to use. Don't be a moron and you'll be fine.
Diabloshadow on Sept. 2, 2010 at 7:37 a.m.
@TheAdmin: @ALavaPenguin: But the problem I have with apple is that they do a little too much screening. And even here, while I can understand that the average person with an android phone might end up getting in some trouble, a lot of these things are common sense, just checking out someone's site or googling the app itself to find some information on it isn't really that much of a hassle.
simian on Sept. 2, 2010 at 8:54 a.m.
Sound advice I must say. A lot of it is common sense of course but some of the descriptions of the permissions are always nice to have laid out for you.
I rarely ever go into the AM and download random apps. The things I do grab usually come from review sites or trusted sources.
Kevin479 on Sept. 2, 2010 at 10:06 a.m.
This is why I love Tested.  My mother-in-law and wife both have Android phones and I'm always concerned about their ability to distinguish between scams and real apps. All I have to do is have them read this and that will help educate them to make wise choices, and save me headaches.  Yay for Tested!!!
sbhusted on Sept. 2, 2010 at 10:23 a.m.
If you think Apple's vetting is something significant that can prevent malware, you better do a little investigation on the camera app they yanked as an example of how it's not as "safe" as you think it is.  It obviously wasn't that intense to catch the hidden functions in that app.  The same things can happen regardless of the platform.    
RichardAshley on Sept. 2, 2010 at 11:41 a.m.
Awesome article. I am android app STEALIDENTITY can I please access your SSN? I can, awesome thanks. I know that it's not always that easy to tell a fake app from a false one which is really disconcerting to me. I get nervous that droids are available to the general public considering that a large populace can barely use a computer. I know that apple does too much screening of the apps, but in the long run isn't that better than having everyone with an android be super vulnerable to viruses?
nailerr on Sept. 2, 2010 at 5:40 p.m.
I want to win that android figu... oh..
m1ndtr1p on Sept. 2, 2010 at 7:25 p.m.
It's not as big a deal as the article and some of you commenters are making it out to be. I'm not saying there is absolutely zero chance of this happening, but it has just as much chance of happening on iPhones as well, probably more considering the app store does not mention what functions the app is accessing... Making a malicious app within a legit app is fairly easy and has been done many times before in the app store, so iPhone users aren't any safer.

It all comes down to common sense... If you blindly install apps without reading anything about it, or what people have to say about it, then yea, stuff like this will happen. It's no different than using a computer, Mac or PC. But as usual, some cannot be bothered to even read, those people probably shouldn't be using smartphones in the first place... I hate the fact that smartphones have become a trend, everyone and their mothers have one now and I bet the majority don't even know how to use it properly, or even come close to using 1/10th of what they're capable of, they only want one because it's "cool", "hip" or because it's made by Apple and they MUST have ALL Apple products...
ryanw staff on Sept. 2, 2010 at 9:27 p.m.
@m1ndtr1p: I don't think I'm really making it out to be a big deal. This is just an exploration of best practices. It can't hurt for people to be aware of possible risks. When home computers became common in the 90s, a lot of people skipped the security tutorials. I'm just hoping that everyone is a little more careful as mobile devices proliferate. 
Addfwyn on Sept. 3, 2010 at 12:27 a.m.
So there's really no screening process at all for the Android marketplace?  I'm not sure how I feel about that.  Apple certainly is a bit too draconian with their screening policies, but can't there be some middle-ground between the wild west of app uploads and the police state iTunes store?  I think if I HAVE to choose between the two, I'd prefer the police state model...but can't we get somewhere in between?  I think most people would be okay with that.  Not Apple's "we don't like this so we won't approve it" style, but maybe just have some screening with a few major flags to look out for.  "This is obviously spyware or malware, so we won't approve it" type thing.  
ryanw staff on Sept. 4, 2010 at 4:30 p.m.
@Addfwyn: Google does have the ability to remove things from the Market, but there is no pre-approval process. If something is really malicious, they can even remotely remove it from phones.
Visti on Sept. 5, 2010 at 4:19 a.m.
@TheAdmin said:
" This is why I don't want an Android phone. "  
 
Is it also why you don't want a computer?
Majkiboy on Sept. 5, 2010 at 6:32 p.m.
oh noes, i don't want a computer because i can get scammed!