
How To Spot Fake Apps: App Size, Permissions, Source

Most fake apps advertise free and unlimited access, ostensibly, to the premium app — but then give you information-stealing malware.




      How Do Fake Apps Work?

      Cybercriminals design fake apps to look like legitimate apps on the surface. Their goal? Tricking you into pressing “download” so they can flood your device with malware and malicious code, steal your information, or commandeer your device and accounts.

      Hackers exploit the widespread appeal of real apps to generate traffic for their fake apps. Take the example of scammers creating fake ChatGPT apps [*]. They advertise free and unlimited access, ostensibly, to the premium app — but then give you information-stealing malware. 

      If you're worried about malicious apps, you should know how to handle them. Find out how to spot the fakes, what kind of damage they can do, and what you should do if you accidentally download one.


      Spotting a Fake App: 13 Signs

      Malicious and fraudulent apps can be difficult to distinguish from real apps, but there are some red flags that can tip you off. You can spot fake apps by looking out for the following warning signs:

      1. Unusually small or large app size

      An app's size can tell you a lot about its inner workings. If it’s too small, it may be incomplete or missing core functionality. 

      If it’s too large, an app could be hiding a malicious payload. For reference, the most popular apps for Android devices have an average size of about 60 MB [*], while the top iOS apps average 174 MB [*]. 

      In early 2023, hackers padded the file sizes of fake Android apps with extra zeros to elude antivirus software; large files take more time and resources to scan [*]. 

      Fake apps with compressed files can evade detection as well, since antivirus software can't always unzip them [*].
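The size, zero-padding, and compressed-file signals above can be checked mechanically. The script below is an added example written for this article, not code from Aura or the original page: it treats an APK as the zip archive it is, measures the share of null bytes, the compression ratio of each entry, and the total size against the 60 MB average quoted above. The thresholds and the sample packages it builds in memory are assumptions for illustration.

```python
"""Size and padding checks for an Android package (an APK is a zip archive).

Added example, not code from the article or from Aura. Thresholds are
assumptions chosen for illustration; the 60 MB figure is the Play Store
average the article quotes. Sample packages are built in memory so the
script runs offline.
"""
import io
import random
import zipfile

AVERAGE_ANDROID_APP_MB = 60            # figure quoted in the article
SIZE_RATIO_THRESHOLD = 4.0             # assumed: flag packages > 4x the average
SUSPICIOUS_COMPRESSION_RATIO = 0.01    # assumed: compressed/original below 1%
NULL_BYTE_SHARE_THRESHOLD = 0.5        # assumed: more than half the bytes are 0x00


def null_byte_share(data: bytes) -> float:
    """Fraction of the raw file that is 0x00; zero padding drives this up."""
    return data.count(0) / len(data) if data else 0.0


def suspicious_entries(data: bytes) -> list:
    """List zip entries that look padded (implausibly good compression) or
    that a scanner cannot open at all (encrypted entries)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:               # bit 0: entry is encrypted
                findings.append((info.filename, "encrypted", None))
            elif info.file_size:
                ratio = info.compress_size / info.file_size
                if ratio < SUSPICIOUS_COMPRESSION_RATIO:
                    findings.append((info.filename, "padded", round(ratio, 4)))
    return findings


def assess_apk(data: bytes) -> dict:
    """Combine the three signals into one report."""
    size_mb = len(data) / (1024 * 1024)
    nulls = null_byte_share(data)
    entries = suspicious_entries(data)
    oversized = size_mb > AVERAGE_ANDROID_APP_MB * SIZE_RATIO_THRESHOLD
    mostly_nulls = nulls > NULL_BYTE_SHARE_THRESHOLD
    return {
        "size_mb": round(size_mb, 2),
        "oversized": oversized,
        "null_share": round(nulls, 3),
        "mostly_nulls": mostly_nulls,
        "entries": entries,
        "suspicious": oversized or mostly_nulls or bool(entries),
    }


def build_sample_apk(pad_bytes: int = 0, stored: bool = False) -> bytes:
    """Construct a tiny archive with an APK-like layout. `pad_bytes` of zeros
    are added either uncompressed (stored=True, inflating the file) or
    deflated (shrinking to almost nothing inside the archive)."""
    rng = random.Random(1)                        # deterministic stand-in for code bytes
    fake_dex = bytes(rng.getrandbits(8) for _ in range(4096))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='com.example.sample'/>")
        zf.writestr("classes.dex", fake_dex)
        if pad_bytes:
            kind = zipfile.ZIP_STORED if stored else zipfile.ZIP_DEFLATED
            zf.writestr("assets/padding.bin", b"\x00" * pad_bytes, compress_type=kind)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [("clean", build_sample_apk()),
                        ("stored zero padding", build_sample_apk(1 << 20, stored=True)),
                        ("deflated zero padding", build_sample_apk(1 << 20))]:
        print(label, assess_apk(blob))
```

Stored (uncompressed) zero padding inflates the file and pushes the null-byte share toward 1, which is the "large file" trick; deflated padding keeps the archive small but leaves an entry whose compression ratio is far below anything real code or assets achieve. A real triage would combine these with the store-listing checks rather than rely on any one threshold.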

      2. Dubious or copycat app title and developer

      Scammers capitalize on an app's popularity in different ways, such as copying the app name or developer name or by plagiarizing the app's content.

      Cybercriminals want you to download the counterfeit app or think that their copycat app offers the same experience as the real app.

      About 35 million people downloaded fake versions of the popular game Minecraft this year [*]. As a result, Google shut down 38 malicious apps that were running adware in the background.


      3. Low-quality branding and icons

      Many fake apps use familiar branding and app icons to con unsuspecting users. In one scam, "Hey WhatsApp" promised new features for WhatsApp users, but it stole their sensitive account information instead [*].

      Sometimes, you can identify the frauds by their lackluster branding quality. A fake Midjourney app, for example, used the real app's logo. The typos and grammar mistakes in the description, however, gave it away [*].

      4. Lack of information

      Before you download apps, make sure you know what you're getting and from whom you're getting it. Take a close look at the screenshots, release dates, and contact information.

      Double-check that there's an adequate app description and official website or even a social media account connected to it. 

      Without these, the app likely offers zero support or refunds, such as the paid but non-functional “PrintScreen - Fast Screen Grabber” app [*].

      5. Poor download count, user ratings, and reviews

      Apps with low ratings or a minimal number of downloads should raise red flags. This is especially true if you’re trying to find the real app amongst similarly named imposters. In most cases, the app with the higher rating and download number is the real one. 

      Instead of accepting low ratings or even positive reviews at face value, read what users are saying. Reviewers might even save you from fraud or hidden ads [*].

      6. Complaints on web search results

      Fake reviews skew app ratings, and their positive feedback can mislead people into downloading these apps [*]. As you investigate apps, look for user complaints or security incident reports. 

      While app stores work to remove fake and fraudulent apps, the system isn't perfect. Sophos reported earlier this year about how scammers circumvent Apple's App Store review process [*]. 

      They submit an app with standard, benign web content for approval. After the app is approved and published, scammers update the server that is hosting the app to include fraudulent interfaces.

      7. Unofficial download source

      Official app stores like the Google Play Store, Apple App Store, and Amazon App Store have strict developer criteria and guidelines that make these marketplaces relatively safe and trustworthy.

      These stores require apps to include comprehensive terms of service, clear contact information, and troubleshooting FAQs before hitting the marketplace.

      Apple has rigid control over its products [*] — blocking iPhones from third-party app stores and sideloading [*]. 

      Google fortified its app review process as well [*] — even adding security review badges for app developers [*]. Despite Apple and Google's tight security, third-party app stores remain gateways for malicious apps.

      8. Too many app updates or none at all

      If you see an app with few updates over the years, you would be wise to avoid it. Outdated apps pose security risks because they may be unsupported, malicious, or easy to exploit.

      As a result, Google and Apple remove or hide apps that go without updates for up to three years [*]. Apps with frequent but seemingly needless updates may also point to a scammer trying to give the illusion of active support.

      9. Unnecessary requests for personal information

      While the amount and type of personal information required by an app varies, be careful about any information you share.

      Cybercriminals use fake apps as a front to steal contact and credit card information. Some also ask for data that no app should need — a clear sign of a scam.

      For example, Apple removed a fake crypto app called “Trezor Wallet Suite” after it requested user seed phrases — the keys for accessing and recovering crypto wallets [*].

      10. Forced subscriptions

      Fake apps can dupe you into paying for subscriptions that you don’t need, or sign you up without consent.

      For example, fake authenticator apps ask you to pay up to $40 per month for a service that real apps give away for free [*]. 

      Meanwhile, a premium services subscription scam hit more than 100 million app users, secretly subscribing them to services through Direct Carrier Billing (DCB) [*].

      11. Needless app permissions

      Many apps require permissions to function on your device, but not all permissions make sense — and some could put you and your device at risk.

      Look at the app privacy label to learn what data the app collects and how it's used. Apps may collect anything from contact and financial information to location and usage data [*]. 

      Granting permissions to fake apps can lead to theft and surveillance. Sometimes, even legitimate apps can have dubious track records with data collection.

      In fact, one study found that nearly 80% of the top Android apps had discrepancies between their data collection policies and practices [*]. 
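One way to apply the "needless permissions" test before installing, as an added example rather than code from the article or from Aura: parse the app's AndroidManifest.xml, compare the sensitive permissions it declares with what its stated purpose can justify, and also check whether it asks to become a device administrator (the request described under "Privilege escalation" later in this article). The two manifests and the purpose-to-permissions table are constructed assumptions, not store policy.

```python
"""Audit the permissions an Android app declares against its stated purpose.

Added example, not code from the article or from Aura. The two manifests
are constructed; the table of what each kind of app plausibly needs is an
assumption for illustration, not a Google Play policy.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Runtime permissions that expose personal data or sensors.
SENSITIVE = {
    "android.permission.READ_CONTACTS", "android.permission.READ_SMS",
    "android.permission.SEND_SMS", "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CALL_LOG", "android.permission.READ_PHONE_STATE",
}
# A <receiver> guarded by this permission is how an app asks to become a
# device administrator, the request the article describes for "Todo: Day Manager".
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"

# Assumed expectation table: sensitive permissions each kind of app can justify.
EXPECTED_BY_PURPOSE = {
    "flashlight": {"android.permission.CAMERA"},      # older torch APIs go via the camera
    "messaging": {"android.permission.READ_CONTACTS", "android.permission.CAMERA",
                  "android.permission.RECORD_AUDIO"},
    "screen_recorder": {"android.permission.RECORD_AUDIO"},
}


def declared_permissions(manifest_xml: str) -> set:
    """Names from every <uses-permission android:name=...> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}


def requests_device_admin(manifest_xml: str) -> bool:
    """True if any <receiver> is protected by BIND_DEVICE_ADMIN."""
    root = ET.fromstring(manifest_xml)
    return any(el.get(f"{{{ANDROID_NS}}}permission") == DEVICE_ADMIN
               for el in root.iter("receiver"))


def audit(manifest_xml: str, purpose: str) -> dict:
    """Flag sensitive permissions the stated purpose does not explain."""
    declared = declared_permissions(manifest_xml)
    needless = sorted((declared & SENSITIVE) - EXPECTED_BY_PURPOSE[purpose])
    admin = requests_device_admin(manifest_xml)
    return {
        "declared": sorted(declared),
        "needless_sensitive": needless,
        "wants_device_admin": admin,
        "risk": "high" if needless or admin else "low",
    }


# Constructed manifests. The first asks for far more than a flashlight needs.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

CLEAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application/>
</manifest>"""


if __name__ == "__main__":
    print(audit(SUSPECT_MANIFEST, "flashlight"))
    print(audit(CLEAN_MANIFEST, "flashlight"))
```

The same comparison is what the store's privacy label lets you do by eye: list what the app wants, then ask which of those requests the app's advertised function actually explains.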

      12. Excessive in-app ads

      To expand their customer base, many legitimate premium apps offer free versions with ads — but apps with overly frequent ads might hint at a scam. Ad-heavy apps could infect your device with adware or tether you to phishing websites.

      In 2023, Google Play removed a fake USA JOBS app that misled users into thinking that it was connected to the official USAJOBS.gov website. Instead, the app touted fake job listings and bombarded users with ads at every step [*].

      13. Unrealistic promises

      Fraudulent apps often lure users by making promises that scammers have no intention of fulfilling. They might offer a well-known service for a discounted rate or guarantee new and improved functionality. Only after you download the app do you realize that you've been tricked. 

      Many of the fake ChatGPT apps mentioned earlier lure victims in by offering the premium service for free. If an app's offer seems too good to be true, it probably is.


      Why Are Such Apps So Dangerous?

      Fake apps can do considerable damage to your computers and mobile devices. They can infect your device with malware, adware, and spam bots. 

      Or they can help fraudsters gain remote access to your device and track your every move. Here are just some of the dangers that malicious apps present:

      Backdoor access

      Fake apps use a variety of tactics to gain unauthorized access to your device's system and resources, including malicious code and misleading permissions.

      Once they infiltrate, these apps can execute harmful operations, steal from you, and make unauthorized changes. In 2023, Google removed the “iRecorder - Screen Recorder” app for exploiting backdoors that allowed it to take pictures and record audio on user devices [*].

      Billing fraud

      Malicious app developers can trick your device into signing up for unauthorized subscriptions and charges — a scheme called billing, subscription, or toll fraud.

      Apps with malware committing toll fraud can also automatically disable your Wi-Fi connection or furtively connect you to a mobile network [*].

      Commercial spyware

      Many fake apps come embedded with spyware or fraudulent privacy practices. Apple rejected about 400,000 app submissions last year because of such privacy violations [*].

      Once installed, these apps can steal your personal data and send it to a third party without your knowledge.

      A Signal app imposter — “Signal Plus Messenger” — did this in 2023 and spied on user communications from the real Signal app [*].

      Denial of Service (DoS) or Distributed Denial of Service (DDoS)

      Hackers can use apps to involve users in malicious acts, such as the “Updates for Android” app that added users to a DDoS botnet [*]. 

      In this case, the malicious app loaded a JavaScript command that forced infected devices to connect to a target website every second, with the intent to flood the site with traffic and shut down its servers.
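From the targeted website's side, a once-per-second flood from many infected devices shows up in the access log as clients hitting the same path at a fixed cadence. The detector below is an added example, not code from the article or from Aura; the log lines are constructed in the common "combined" web server format, the client addresses are documentation ranges, and the thresholds are assumptions.

```python
"""Spot clients requesting one URL at a fixed cadence, the traffic pattern an
app-driven DDoS botnet produces.

Added example, not code from the article or from Aura. SAMPLE_LOG is
constructed; MIN_REQUESTS and MAX_JITTER_S are assumed thresholds.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Apache/nginx "combined" format: ip ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

MIN_REQUESTS = 5     # assumed: fewer repeats than this is not a burst
MAX_JITTER_S = 0.5   # assumed: gap standard deviation that still looks scripted


def parse_line(line: str):
    """Return (ip, path, timestamp) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], m["path"], ts


def find_beacons(lines, min_requests=MIN_REQUESTS, max_jitter=MAX_JITTER_S) -> dict:
    """Group requests by (client, path); flag clients whose inter-request gaps
    are nearly constant, which a person clicking around never produces."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, path, ts = parsed
            hits[(ip, path)].append(ts)
    flagged = {}
    for (ip, path), times in hits.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter:
            flagged[ip] = {"path": path, "requests": len(times),
                           "period_s": round(sum(gaps) / len(gaps), 2)}
    return flagged


UA_BOT = '"-" "Mozilla/5.0 (Linux; Android 10)"'
UA_USER = '"-" "Mozilla/5.0"'
SAMPLE_LOG = [
    # one infected device fetching the front page every second
    *[f'203.0.113.7 - - [10/Oct/2023:13:55:{s} +0000] "GET / HTTP/1.1" 200 512 {UA_BOT}'
      for s in range(36, 42)],
    # ordinary visitors: few requests, irregular spacing
    f'198.51.100.20 - - [10/Oct/2023:13:55:30 +0000] "GET / HTTP/1.1" 200 512 {UA_USER}',
    f'198.51.100.20 - - [10/Oct/2023:13:55:44 +0000] "GET /about HTTP/1.1" 200 2048 {UA_USER}',
    f'192.0.2.5 - - [10/Oct/2023:13:55:31 +0000] "GET / HTTP/1.1" 200 512 {UA_USER}',
    f'192.0.2.5 - - [10/Oct/2023:13:55:33 +0000] "GET / HTTP/1.1" 200 512 {UA_USER}',
    f'192.0.2.5 - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 512 {UA_USER}',
    f'192.0.2.5 - - [10/Oct/2023:13:55:41 +0000] "GET / HTTP/1.1" 200 512 {UA_USER}',
    f'192.0.2.5 - - [10/Oct/2023:13:56:11 +0000] "GET / HTTP/1.1" 200 512 {UA_USER}',
    "malformed line that the parser skips",
]


if __name__ == "__main__":
    for ip, info in find_beacons(SAMPLE_LOG).items():
        print(f"{ip}: {info['requests']} requests to {info['path']} every {info['period_s']}s")
```

Standard access logs record whole seconds, so sub-second jitter is invisible and the gap test alone would also flag a well-behaved monitoring probe; in practice this signal is combined with a per-window request count and the number of distinct clients showing the same cadence, which is what distinguishes a botnet from one health checker.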

      Hostile downloaders

      Cybercriminals may inject apps with malware capable of downloading malicious apps and code. These hostile downloaders work in stealth and without authorization — stealing your data, memory, resources, and money.

      In 2022, analysts found dozens of apps infected with malware that covertly downloaded other malware and unwanted software onto user devices [*].

      Phishing

      By posing as legitimate apps with legitimate-looking login screens, fake apps steal information from trusting users. 

      Google Play purged at least six apps impersonating authentic antivirus apps last year [*]. When users input their login and banking information on these credential-stealing apps, their information funnels into a rogue server.

      Privilege escalation

      Some malicious apps take advantage of permissions and privileges to carry out destructive operations.

      For example, a fraudulent productivity app called “Todo: Day Manager” requested administrator permissions [*]. As an administrator, the app blocked users from revoking the permissions and took charge of their data.

      Ransomware

      Hackers use fake apps to deliver ransomware — malware that compromises data and requests money or information in exchange for its safe return.

      CloudSEK researchers found numerous apps embedded with ransomware that scrambled victim files with Advanced Encryption Standard (AES) encryption and deleted them from the local storage [*]. Only victims who paid a ransom could receive the decryption key.

      Rooting

      Rooting or jailbreaking is the process of bypassing device restrictions and security controls to enable custom installations and settings. 

      Nearly 20 apps on Google Play and the Samsung Galaxy Store were found to have rooting malware in 2021 [*]. When installed, these apps manipulated device permissions and installed a Settings Storage app that bungled system settings and resources.

      Trojan apps

      Like so many fake apps, trojan apps appear legitimate but come with hidden dangers. Once installed, these apps release malware, exploit the device, and spy on users.

      Cybersecurity analysts have been tracking a major banking trojan called Xenomorph hiding in various banking and cryptocurrency apps [*]. Xenomorph has evolved over time, but it's capable of stealing banking and crypto wallet credentials and funds by using an automated transfer system (ATS).

      What To Do If You Come Across Fake Apps

      If you think you've downloaded a fake app, you should act immediately. Protect yourself and your device by following the steps below.

      Delete the app

      The longer a malicious app stays on your device, the greater the damage it can do.

      • Deleting iOS apps: From the home screen, touch and hold the app you want to delete. Tap Remove App and then Delete App. From your App Library, touch and hold the app, then tap Delete App and then Delete. 
      • Deleting Android apps: In the Google Play Store App, click on your Profile icon and then select Manage apps & devices. From there, click on Manage and then choose the fake app. Click on Uninstall.


      Check your permissions

      While most app permissions get deleted alongside the app, you should still check for lingering access.

      • Checking permissions on iOS: In your device Settings, click on Privacy & Security. Here, you'll find all the access categories and the apps that have permissions, which you can revoke.
      • Checking permissions on Android: In your device Settings, click on Security and privacy. Then click on Privacy and Permission Manager to see your access categories and to revoke app permissions. 

      Restart your device

      Restarting your device clears any processes or apps still running and reboots your device's system and memory.

      • Restarting your iPhone: Press and hold the side button and one of the volume buttons at the same time. Drag the Power-off slider to restart the device. 
      • Restarting your Android phone: Depending on your Android device, you can restart by holding down the power button by itself or with one of the volume buttons. Then tap Restart.

      Run an antivirus scan

      Even after you delete an app, only antivirus software will tell you what's left behind. For example, Aura's antivirus software — which runs on Macs, Android, and Windows devices — regularly scans, quarantines, and removes all infected files.

      • How to run Aura's antivirus scan. Open the Aura desktop or mobile app and ensure that the Auto-scan toggle is turned on. You can also click on the hamburger icon and select Antivirus. Here, you can click on Scan Now and review your Scan History. 

      Report the fake app

      The official app stores have reporting systems that flag fake apps for investigation. By reporting an app, you can prevent these scams from hurting you and others in the future.

      • Reporting a fake iOS app: From the Apple App Store, select the fake app and click on Report a Problem. You can then click on Report a scam or fraud from the drop-down menu. 
      • Reporting a fake Android app: From the Google Play Store, select the fake app and click on the three dots in the top right corner. Choose Flag as inappropriate and follow the steps.


      Avoiding Fake Apps Altogether

      Official app stores have robust review and security processes that make it difficult for malicious apps to slip through the cracks. 

      In 2022 alone, Apple blocked over 1.5 million potentially fraudulent app submissions and over $2 billion in potentially fraudulent transactions [*]. Google added Google Play Protect, which allows you to scan for harmful apps on your device [*]. 

      But neither system is infallible. You still need to perform your own checks and due diligence to avoid fake apps:

      • Investigate every app, including its privacy and data collection policies.
      • Regularly update your devices and apps to include the latest software. 
      • Set up two-factor authentication (2FA) on all accounts.
      • Do not interact with suspicious pop-ups. 
      • Use a virtual private network (VPN) to hide your IP address and transferred data.
      • Ignore unprompted links in text messages and emails.
      • Stay informed about the latest scams and fake apps.
      • Remove strange and unfamiliar apps.
      • Run regular antivirus scans.
      • Review apps from time to time to spot unauthorized changes. 