How To Spot Scams and Malware Apps on Android

By Ryan Whitwam

Some apps are already doing some shady things. Learn how to protect yourself.

Android offers developers a lot of freedom in using a phone's hardware in their apps. While this leads to some really amazing functionality, it can also be a security concern. Google has chosen to run a more open marketplace for apps, and does not hold apps back for review before they are published. There is no gatekeeper for the Android Market. All a developer needs to do is pay the $25 developer fee and upload their app to the Android Market. Naturally, this has invited some riffraff to join the party. By looking at an app with a skeptical eye, and checking the permissions, you can avoid apps that are shady, or just plain scams.


The Market page tells you much

Your first line of defense is to just use common sense. If you're not familiar with an app, give everything a once-over before you install. Here we'll use a real-life example: an app that's managed to hit 10,000 downloads in just one week. The app in question, Android Gaming Network (AGN), is at least shady, but maybe an outright scam, and you can tell something is fishy just by looking at it.

The Market has the option to pull up the other apps submitted by a particular developer. Make sure to look at these apps if you're feeling uneasy. It could be that they develop a well-known app, and that can certainly put your mind at ease. It could also be that they develop several other questionable-looking apps. This is information you should have when evaluating an app.

The Android Market offers a link to the website registered by the developer. If you're feeling wary after looking at the Market comments and other apps, this is the next place to check out. You can tell a lot about a developer from their site. If it looks like a storefront genuinely meant to promote mobile applications, that's a good thing. A completely unrelated site is not as good. The developer of AGN has a site listed, but when you go there, it's just a blank page with the URL. This isn't what you want to see.

A developer of reliable apps will want to put their best foot forward. Having a Twitter account is a good way to stay in touch with users. The developer's website should be able to direct you to their Twitter account. Not having a Twitter account is not necessarily a sign of trouble, but if you cannot find a real website or a Twitter account, that is a concern. A developer with no real presence online is suspicious.

Check the app permissions

 A Twitter client just needs a few permissions

Right under the heading Services that cost you money, you may see the "send SMS" or "send MMS" permission. Most apps don't need the ability to send SMS messages. If you're looking at a game, news, or entertainment app of some sort, it more than likely shouldn't need these permissions. Sending SMS messages to premium rate numbers is a way to charge users surreptitiously, and we think that is how the developer of AGN is doing it. Bottom line, if an app is unexpectedly asking for SMS permissions, be skeptical. 

Next up, look for the Storage header. The subcategory to be aware of here is "modify/delete SD card contents". This permission gives apps full read/write access to your SD card. This includes access to your pictures, music, and videos. If you look around in your app permissions, you'll likely notice that many apps actually request this. They often need SD access to store cache, or some sort of downloadable data within the app. Even though it is common, if an app seems shady and wants SD access, you might want to think twice.

Another permission to watch out for is "read phone state and identity", which you will find under Phone calls. In this context, state means whether or not the phone is placing a call. There are perfectly reasonable circumstances in which an app might want to know if you are on a call or not, but this permission also gives access to the unique identifiers of your phone. This includes the IMEI, IMSI, and Google identifier numbers of your handset. This could allow an unscrupulous individual to clone your phone.

The "full internet access" permission under Network communication is probably the most important permission an app can request. As the name implies, an app with this permission can load any URL and send data at will. The problem is that almost all apps request it. Games that send high score data, for instance, need this permission. Any app that pulls in online content would use it as well. Still, use your best judgment and decide if an app should have this privilege on your phone. There might be times you just don't want to risk it if you already feel uneasy about an app.

 An automation app like Tasker needs more permissions

The fine GPS location, on the other hand, is more concerning. This permission allows an app to use the GPS chip to know exactly where you are. Unless you're looking at an app that does some sort of location-aware searching, or location sharing, this is a red flag. There are very few instances when an app needs to know exactly where you are.
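The permission checks above can also be applied mechanically to an app's manifest. The following is an added example, not part of the original article: it assumes an AndroidManifest.xml already decoded to text (the copy inside an APK is binary XML), and the app-category sets in `RULES` are assumptions chosen to mirror the article's advice.

```python
import xml.etree.ElementTree as ET

ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"

# Permission -> (Market label used in the article, app categories where the
# request is expected). The category sets are assumptions for this example;
# None marks permissions the article says many or most apps request.
RULES = {
    "android.permission.SEND_SMS": ("send SMS", {"messaging"}),
    "android.permission.ACCESS_FINE_LOCATION":
        ("fine (GPS) location", {"navigation", "location-sharing"}),
    "android.permission.READ_PHONE_STATE":
        ("read phone state and identity", {"telephony", "messaging"}),
    "android.permission.WRITE_EXTERNAL_STORAGE":
        ("modify/delete SD card contents", None),
    "android.permission.INTERNET": ("full internet access", None),
}

def requested_permissions(manifest_xml):
    """Return the permission names declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NAME) for el in root.iter("uses-permission")
            if el.get(ANDROID_NAME)]

def triage(manifest_xml, category):
    """Map each known permission label to 'red flag', 'review' or 'common'."""
    perms = requested_permissions(manifest_xml)
    findings = {}
    for p in perms:
        if p in RULES and RULES[p][1] is not None and category not in RULES[p][1]:
            findings[RULES[p][0]] = "red flag"  # unexpected for this kind of app
    suspicious = bool(findings)
    for p in perms:
        if p in RULES and RULES[p][1] is None:
            # Common permissions only matter once the app already looks shady.
            findings[RULES[p][0]] = "review" if suspicious else "common"
    return findings

# Constructed sample: a game requesting permissions the article warns about.
SAMPLE_GAME = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""

if __name__ == "__main__":
    for label, verdict in triage(SAMPLE_GAME, "game").items():
        print(f"{verdict:8} {label}")
```

A "red flag" here is a prompt to look at the Market comments and the developer's other apps, not a verdict on its own.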

The vast majority of apps in the Android Market are on the up and up. We're not implying that you need to scrutinize all of them this thoroughly. However, if you're not familiar with an app, and something looks suspicious, don't be afraid to investigate before you install it. By looking into AGN a bit, we found the Market comments claiming premium SMS charges, that the developer website was blank, and that it was asking for strange permissions. It also looks like this developer did much the same thing last week under a different name. Those apps have been removed.

Keeping an eye on the permissions of apps you have installed can also be of use, as it will help you better understand what the permissions are used for. To view an app's security information, go to its Market page, and hit menu > security. Currently installed apps also list their permissions in the Manage Applications Settings area. Follow these simple best practices, and you should be able to avoid scams and malware on Android with no problem.