The cybersecurity risks surrounding the official Android app store, Google Play, have come into sharp focus over the last few months, as the scale of malware-laden apps available for download has been revealed. These counterfeit or ‘fake’ apps are being increasingly used by hackers to compromise devices with malware or steal user data.

As these risks emerge, it’s vital for users to be aware of the dangers and know how to protect themselves. To help you stay on your guard and keep your personal data safe from cyber-criminals, the team at ESET has provided a guide to the latest Google Play and Android app incidents, and tips on how to spot a fake.

The emerging risks of Google Play & app downloads

In August, ESET researchers discovered spyware built on the AhMyth open-source malware that had evaded Google Play’s app-vetting process. The malicious app, called Radio Balouch aka RB Music, is a radio streaming app for Balouchi music that  collects the personal data of its users without their knowledge or consent. The app was successfully uploaded to Google Play twice, and was quickly removed by Google both times, but only after ESET raised the alarm.

This wasn’t the first such incident, and it won’t be the last. ESET’s Lukas Stefanko, supported by various other researchers, found 172 harmful apps available for download in September. These apps had been downloaded almost 336 million times.

In June, University of Sydney researchers analysed over one million Google Play apps and found over 2,000 counterfeits, including impersonations of the highly popular games Temple Run, Free Flow, and Hill Climb Racing.

Google has managed these threats by removing malicious apps and introducing additional security control checks in its attempt to reduce further bypasses of its app-vetting process. But even as Google reacts and adapts, one key concern remains: Cybercriminals will also continue to react and adapt, evolving their malware in order to continue sneaking past the platform’s safeguards.

So what does this mean for users?

Staying secure when downloading apps & games

To keep private data protected from evolving malware threats, users need to exercise extreme caution and maintain strong cybersecurity habits when downloading games and apps onto their digital devices.

  1. Do your research

If you want to download a new app, do some homework on it first. Check its source and on which platforms and in which countries it has been officially released. Threat actors often target countries or platforms where popular apps haven’t yet been released, making it easier to impersonate a trusted brand.

Doing such research does not mean searching Google Play for your best guess at the app name, but rather using some other search engine (or, perhaps better, multiple other search engines). Find the official homepage of the developer of the app and then locate the official Google Play link for the app. If the search suggests there is no official version for Android, or in your language, or for your country or region, then do not take a chance on the apparent hits on third-party app sites – remember, if something seems too good to be true, it probably is!

  1. Keep your operating systems and apps updated

Outdated software can provide an array of vulnerabilities for cybercriminals to attack. To avoid a breach, it’s vital to ensure all your devices’ operating systems, security software and apps are properly installed and kept fully up-to-date. That way, even if you accidentally install a malicious app, your smartphone’s security system or Google Play Protect will remove it in an update. Check that automatic updates are enabled for all your Android devices and security settings are optimally set.

  1. Watch out for cross-market fakes

Some apps are only officially released in one app market – for example, only for Android phones in Google Play, or only for iPhones in the Apple Store, or only for devices within a specific country or region. Cross-market fake apps take advantage of the fact that many users won’t realise that the app they’re looking for hasn’t been released for both OSes or in their regional market. Cybercriminals will create fake apps, masquerading as the real thing, to appear available in the market or region that was left out.

Don’t accidentally download an app from Google Play that has only been released on the Apple Store, or that is not officially available in your region – always check to see which market and regions an app has been officially released to before downloading.

  1. Carefully read the app description & metadata

You can often find red-flags by reading an app’s description and available metadata, such as the developer information, number of downloads, release date, and user reviews.

For example, an Instagram app with only 50,000 downloads would be huge warning, as the authentic Instagram app would of course have billions of downloads.

  1. Check the permissions

Another way to stay secure is by understanding the permissions requested by your apps. Check whether the permission requests seem reasonable and legitimate. What access does this app want you to approve? Does it make sense? For example, why would a crossword game app require access to your camera or photos? If something doesn’t seem right, then think twice.

  1. Be wary of installing apps from outside official channels

On Android, the officially supported way to install apps is from the Google Play Store, from Amazon’s AppStore (for Amazon devices), from Samsung’s Galaxy Apps or Huawei’s App Gallery (on their respective devices).

Generally speaking, you should not be loading apps from anywhere else. While there are some apps which may require users to load them from other channels – such as Epic Games’ Fortnight – 99% do not, and any app which purports to require users to download an app and install it from a website or otherwise should be considered a significant risk. It is recommended to proceed down such a path with great caution.

Play smart, stay secure

As we become increasingly dependent on smartphone technology, apps and games, it’s important that users stay on their guard and maintain strong cybersecurity best practices. Sticking with official app sources, checking every app carefully, and using a reputable mobile security solution will help to combat the ever evolving threat of malware.

There are many kinds of mobile device security solutions, such as antivirus, anti-phishing and proactive anti-theft protection, that can add another layer of security, including options combining several of these protective technologies in one package. A comprehensive, multi-device security solution such as ESET Smart Security is a great way to stay protected against malicious activity, ensure the games you download are safe, and unmask potentially unwanted applications.