Beginner Summary
Malicious apps look legitimate and often appear in official app stores. They steal passwords, banking credentials, personal photos, and location data, often while appearing to work normally. Here's how they get through and how to spot them before they reach your phone.
Table of Contents
- The scale of the problem
- How fake apps get into official stores
- What malicious apps do to your data
- Case study: FluBot and FakeBank
- Red flags before you install
- What if you already installed one?
- FAQ
The Scale of the Problem
Google removes millions of malicious apps from the Play Store every year. Apple removes hundreds of thousands from the App Store. Yet new ones keep appearing.
The reason: the economics favor the attackers. Creating a convincing fake app takes hours. If it reaches even a thousand downloads before removal, that's a thousand potential victims. Many malicious apps survive for weeks or months before detection.
Common categories for malicious apps:
- Flashlight apps (that request contacts, SMS, and location)
- QR code scanners (a perennial favorite for malware)
- VPN apps (free VPNs that sell your traffic)
- Photo editors and "beauty filters"
- Keyboard apps (that can log everything you type)
- Banking app clones
- Fake antivirus apps (that actually install malware)
- Cryptocurrency wallet apps (that steal your coins)
How Fake Apps Get Into Official Stores
Method 1: Appearing Legitimate at Submission
Attackers submit an app that does exactly what it promises: a functional QR scanner, a real flashlight, a working calculator. The app is reviewed by the platform and passes. Then the attacker pushes an update that adds malicious functionality.
Updates receive less scrutiny than initial submissions, giving attackers a window to slip in malicious code after approval.
Method 2: Typosquatting
Creating apps with names nearly identical to popular apps. "WhatsApp Messenger Plus," "Instagram Pro," "Adobe Reader Free," "McAfee Security Scan." Users searching for the real app find the fake instead.
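The store-search typosquatting described above can be screened for mechanically before an install is approved. The Python below is an added example written for this article, not code from the original post or from any app store vendor; the reference list of genuine names and the confusable-character table are constructed and deliberately short. It canonicalises a listing name (folds look-alike Cyrillic and Greek letters to Latin, drops punctuation and corporate suffixes) and then reports whether the result equals, nearly equals, or merely starts with a known name.

```python
"""Look-alike name check for app store listings (added example; not the article's code)."""
import re
import unicodedata

# Constructed reference list: the names this checker treats as the genuine ones.
# A real deployment would load vetted app/developer names from the store itself.
KNOWN_NAMES = [
    "WhatsApp Messenger",
    "Instagram",
    "Adobe Acrobat Reader",
    "McAfee Security",
    "Meta Platforms, Inc.",
]

# Non-Latin letters that render almost identically to Latin ones (constructed subset).
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u03bf": "o",
})
CORPORATE_SUFFIXES = {"inc", "llc", "ltd", "co", "corp", "gmbh"}


def normalize(name):
    """Return (canonical form, True if any look-alike characters were folded away)."""
    folded = unicodedata.normalize("NFKC", name)      # e.g. fullwidth letters -> ASCII
    swapped = folded.translate(CONFUSABLES)           # Cyrillic 'а' -> Latin 'a', etc.
    had_confusables = swapped != name
    tokens = re.findall(r"[a-z]+", swapped.lower())   # drop punctuation and spacing
    tokens = [t for t in tokens if t not in CORPORATE_SUFFIXES]
    return "".join(tokens), had_confusables


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def classify(candidate, known_names=KNOWN_NAMES):
    """Classify a listing name against the reference list.

    Returns (verdict, matched_reference_or_None). Verdicts, in priority order:
      exact          canonical form equals a reference name (developer still needs checking)
      homoglyph      equals a reference name only after folding look-alike characters
      lookalike      within two edits of a reference name ("Meta Platform" vs "Meta Platforms")
      brand-prefixed a reference name with extra words appended ("... Pro", "... Plus")
      unknown        nothing on the reference list resembles it
    """
    cand, had_confusables = normalize(candidate)
    lookalike = None
    prefixed = None
    for ref in known_names:
        r, _ = normalize(ref)
        if cand == r:
            return ("homoglyph" if had_confusables else "exact", ref)
        d = levenshtein(cand, r)
        if 0 < d <= 2 and (lookalike is None or d < lookalike[0]):
            lookalike = (d, ref)
        if cand.startswith(r) and prefixed is None:
            prefixed = ref
    if lookalike:
        return ("lookalike", lookalike[1])
    if prefixed:
        return ("brand-prefixed", prefixed)
    return ("unknown", None)


if __name__ == "__main__":
    for listing in ["WhatsApp Messenger Plus", "Instagram Pro", "Meta Platform Inc",
                    "Wh\u0430tsApp Messenger", "Calculator"]:
        print(f"{listing!r:30} -> {classify(listing)}")
```

A verdict of `exact` only says the name is right; the developer account, download count and permission list still have to be checked, because a copycat can reuse a genuine name verbatim under a different publisher.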
Method 3: Buying Legitimate Apps
An attacker purchases a legitimate app with an existing user base of hundreds of thousands. They then push an update containing malware to all existing users, who receive it automatically because they trusted the app before.
Method 4: Third-Party Stores and Sideloading
On Android, users can install apps outside the Play Store ("sideloading"). Third-party app stores and APK download sites are filled with malicious versions of popular apps, especially pirated versions of paid games.
What Malicious Apps Do to Your Data
Credential Harvesting
Overlay attacks: the malicious app detects when you open a banking app and immediately overlays a fake login screen on top of it. You think you're logging into your bank; you're actually giving your credentials to an attacker.
SMS Interception
Apps with SMS permission can read your incoming text messages, including 2FA codes. This allows attackers to bypass two-factor authentication on your bank or email.
Keylogging
Keyboard apps, accessibility tools, and some other app categories can record everything you type. Every password. Every message. Every search.
Continuous Location Tracking
Location data is valuable, both commercially and to stalkers. Apps with continuous location access can build a detailed picture of everywhere you go.
Photo and Contact Theft
Some malicious apps upload your entire photo library and contact list to attacker-controlled servers. This data is used for blackmail, fraud, and building social engineering profiles.
Case Study: FluBot Banking Trojan
FluBot was one of the most widespread Android banking trojans of 2021-2022, spreading across Europe and Australia.
The attack chain worked like this:
- Victims received a text message claiming their package couldn't be delivered, with a link to "track it"
- The link led to a page mimicking FedEx or DHL, prompting the user to install an "app" to track the parcel
- The app was actually FluBot, and it requested Accessibility permissions
- With Accessibility access, it could read any app's screen, overlay fake login screens, read SMS messages, and intercept 2FA codes
- FluBot also read the victim's contact list and sent the same smishing SMS to every contact, self-propagating like a worm
- Banking credentials were stolen and accounts drained
FluBot infected millions of devices before law enforcement took down its infrastructure in 2022.
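The first link in the chain above is the lure SMS, and that is where a defender can intervene cheapest. The Python below is an added example for this article, not code from the original post or from Europol's material. It scores text messages on the signals the FluBot lure exhibits: parcel/delivery wording, a link, a courier named in the text but a link to some other host, a shortened link that hides its destination, or a link straight to an APK file. The courier domains in the table are the couriers' real domains; every other host is an RFC 2606 `.example` placeholder and all four messages are constructed.

```python
"""Heuristic smishing-lure scoring (added example; messages are constructed)."""
import re
from urllib.parse import urlsplit

LURE_WORDS = ("package", "parcel", "delivery", "delivered", "shipment",
              "track", "customs fee", "redelivery")
# Real courier domains: a message naming a courier but linking elsewhere is a strong signal.
COURIER_DOMAINS = {"dhl": "dhl.com", "fedex": "fedex.com", "ups": "ups.com", "usps": "usps.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}       # common real shortener hosts
URL_RE = re.compile(r"https?://[^\s<>\"']+")
SUSPICIOUS_AT = 5                                    # threshold chosen for this example


def score_sms(text):
    """Return the score, a verdict and the reasons behind it for one SMS body."""
    t = text.lower()
    score, reasons = 0, []
    if any(w in t for w in LURE_WORDS):
        score += 2; reasons.append("parcel/delivery lure wording")
    urls = URL_RE.findall(text)
    if urls:
        score += 1; reasons.append("contains a link")
    couriers_named = [c for c in COURIER_DOMAINS if re.search(rf"\b{c}\b", t)]
    for url in urls:
        parts = urlsplit(url.rstrip(".,;:)"))        # strip trailing punctuation
        host = (parts.hostname or "").lower()
        if parts.path.lower().endswith(".apk"):
            score += 3; reasons.append("link goes straight to an APK (sideload)")
        if host in SHORTENERS:
            score += 2; reasons.append("shortened link hides the destination")
        for c in couriers_named:
            official = COURIER_DOMAINS[c]
            if host != official and not host.endswith("." + official):
                score += 3; reasons.append(f"names {c.upper()} but links to {host}")
    return {"score": score, "suspicious": score >= SUSPICIOUS_AT, "reasons": reasons}


# Constructed sample messages; hosts under .example are placeholders, not real sites.
SAMPLES = [
    "DHL: your package could not be delivered. Track it here: http://dhl-parcel-track.example/app.apk",
    "FedEx: shipment 771200 is out for delivery. https://www.fedex.com/",
    "Reminder: dentist appointment tomorrow at 10:00.",
    "Your parcel is waiting. Confirm the address: https://bit.ly/xxxxxx",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        r = score_sms(msg)
        print(f"[{'SUSPICIOUS' if r['suspicious'] else 'ok':10} {r['score']}] {msg}")
        for why in r["reasons"]:
            print("    -", why)
```

The weights are deliberately skewed so that delivery wording plus a link on its own (the second sample, which links to the courier's real domain) stays below the threshold, while any one of the strong signals (wrong host for the named courier, direct APK, shortener) tips a lure over it.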
Red Flags Before You Install
Check These Before Installing Any App
- Developer name: Is it the real company? "Meta Platforms, Inc." vs "Meta Platform Inc": a one-letter difference can mean fraud
- Download count: A brand-new app with 5,000 downloads that claims to be WhatsApp is suspicious. Real WhatsApp has billions.
- Review quality: Watch for reviews that are all 5-stars, posted on the same day, with generic text ("Great app! Works perfectly!")
- Permissions requested: A flashlight app asking for your contacts, location, and SMS is a massive red flag. Read permissions before installing.
- App size: A QR scanner that's 200MB is suspicious; legitimate utilities are usually small
- Last update date: Legitimate apps are regularly updated. An app not updated in years may be abandoned, or may be actively malicious
- Website: Does the developer have a legitimate, professional website?
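The "permissions requested" item in the checklist above can be checked against the app's manifest rather than against the store's summary. The Python below is an added example for this article, not code from the original post; the per-category baseline and both manifests are constructed. On a real APK the manifest is stored as binary XML, so you would first decode it (apktool, or `aapt dump permissions app.apk` for the permission list alone) and pass the text to this function. It flags high-risk permissions that the app's stated category does not explain and, separately, whether the app declares an Accessibility service, the capability FluBot relied on.

```python
"""Manifest permission audit (added example; manifests and baseline are constructed)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"   # the real Android XML namespace
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Real Android permissions whose presence in a simple utility needs a very good reason.
HIGH_RISK = {
    "android.permission.READ_SMS": "read your texts, including 2FA codes",
    "android.permission.RECEIVE_SMS": "see texts as they arrive (2FA interception)",
    "android.permission.SEND_SMS": "send texts from your number",
    "android.permission.READ_CONTACTS": "upload your contact list",
    "android.permission.ACCESS_FINE_LOCATION": "track your precise location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "track you while the app is closed",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps (overlay attacks)",
    "android.permission.RECORD_AUDIO": "use the microphone",
    "android.permission.READ_MEDIA_IMAGES": "read your photo library",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install further APKs",
}

# Constructed baseline: what an app of each category plausibly needs.
EXPECTED = {
    "flashlight": {"android.permission.CAMERA", "android.permission.FLASHLIGHT"},
    "qr_scanner": {"android.permission.CAMERA"},
    "calculator": set(),
}


def audit_manifest(manifest_xml, category):
    """Compare a decoded AndroidManifest.xml against the baseline for `category`."""
    root = ET.fromstring(manifest_xml)
    requested = [el.get(NAME) for el in root.iter("uses-permission")]
    expected = EXPECTED.get(category, set())
    unexpected = [(p, HIGH_RISK[p]) for p in requested
                  if p in HIGH_RISK and p not in expected]
    # An Accessibility service is declared as a <service> bound with this permission.
    accessibility = any(
        svc.get(PERMISSION) == "android.permission.BIND_ACCESSIBILITY_SERVICE"
        for svc in root.iter("service"))
    verdict = "suspicious" if unexpected or accessibility else "plausible"
    return {"package": root.get("package"), "requested": requested,
            "unexpected_high_risk": unexpected,
            "accessibility_service": accessibility, "verdict": verdict}


# Constructed manifest for a "flashlight" that wants far more than a torch.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.brightflashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application android:label="Bright Flashlight">
        <service android:name=".HelperService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>"""

# Constructed manifest for a flashlight that asks only for what a torch needs.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plaintorch">
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="Plain Torch"/>
</manifest>"""

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = audit_manifest(manifest, "flashlight")
        print(result["package"], "->", result["verdict"])
        for perm, why in result["unexpected_high_risk"]:
            print("   ", perm, ":", why)
        if result["accessibility_service"]:
            print("    declares an Accessibility service")
```

An Accessibility service on its own is not proof of malice (screen readers and some automation tools legitimately need one), which is why it is reported separately from the permission mismatches; a flashlight, though, has no reason to declare one.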
What if You Already Installed a Suspicious App?
- Uninstall it immediately
- Check what permissions it had: if it had SMS access, your 2FA codes may be compromised
- Change passwords for any accounts you accessed while it was installed, from a clean device
- Check your bank statements for unauthorized transactions
- Check your Google/Apple account for new devices; the app may have added a device to your account
- Run a security scan with a reputable tool
- For severe infections on Android, a factory reset may be the safest option
For broader phone security: How to Protect Your Phone from Hackers
FAQ
Is the App Store (iOS) safer than Google Play?
Historically yes: Apple's stricter review process and the inability to sideload apps (in most regions) reduce malicious app exposure significantly. However, malicious apps do appear in the App Store too, particularly scammy apps that use dark patterns to charge subscription fees.
How can I tell if an app is logging my keystrokes?
Without specialized analysis tools, it's very hard to detect keylogging. Prevention is the best approach: don't install third-party keyboard apps from unknown developers, and regularly audit accessibility permissions.
Are QR code scanners safe to use?
Many are. But QR code scanner apps have historically been vectors for malware. Modern iPhones and newer Android phones can scan QR codes natively through the camera app; use that instead of installing a third-party scanner.
References
- Europol FluBot press release (2022)
- Google Android Security Year in Review Reports
- ESET Mobile Threat Reports
- Kaspersky Mobile Malware Reports