An expert in Android security is warning users that some developers of crappy Android apps have come up with a new trick for fooling users into installing their apps.
The trick relies on app devs registering Google Play Store developer accounts whose names mimic install counts instead of their real name, such as “1 million installs,” “Installs 1,000,000,” “100,000,000 Downloads,” “5,000,000+,” “1,000,000,000” and other similar formats.
The trick works because the official Google Play Store lists each app by displaying its icon, name, developer name, and star rating.
Sneaky devs creating a fake sense of safety
By replacing the developer name with a faux install count, some developers are trying to fool users into thinking the app is extremely popular, and hence, somewhat safe to use.
But in reality, they are not. According to ESET malware researcher Lukas Stefanko, most of the apps using this trick that he analyzed were adware. The majority were just empty shells, with little to no functionality except for showing ads on top of other apps or the user’s screen.
Crooks are faking app icons too
Stefanko also noticed a second, similar trick employed by some malicious app developers.
Rather than registering developer accounts with misleading names containing install counts, some app devs put the fake install counts directly in the app’s icon, which shows up in Play Store search results.
This misleading image is intended to work the same way as the fake install count inserted in the developer account name: to give users a false sense of confidence in apps that are clearly ill-intended.
“The tricks are simple, yet potentially effective, ways to mislead users, particularly those who choose apps based on popularity,” Stefanko explains. “While none of these apps were outright malicious, these techniques could easily be misused by malware authors in the future. Fortunately, the tricks are also simple to spot, if you know what to focus on.”
Things to keep in mind when installing an app:
⇶ Google embeds official information in special fields on the app’s Play Store page. It does not use images to do so.
⇶ Google’s real install count numbers are visible in the “Additional Information” section at the bottom of each app’s Play Store page.
⇶ If the install count Google shows is small, yet the developer claims otherwise, the app is clearly malicious.
⇶ Google Play does not have a “Verified” badge, so don’t believe what app developers may claim in their app icon. Furthermore, don’t believe anything app devs put in their icons.
⇶ Always read user reviews before downloading an app.
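As an added illustration of the checks above (not code from the article or from ESET), here is a small Python screening script that flags developer names mimicking the install-count formats quoted earlier and compares the claimed figure with the install count the store itself reports; the listings are constructed sample data, and `store_installs` is assumed to hold the figure from the “Additional Information” section.

```python
import re

# Constructed sample listings (not real Play Store data). "store_installs" stands
# for the install figure Google shows under "Additional Information".
SAMPLE_LISTINGS = [
    {"app": "Flashlight Pro", "developer": "1 million installs", "store_installs": 500},
    {"app": "Weather Now", "developer": "Installs 1,000,000", "store_installs": 1200},
    {"app": "Cool Wallpapers", "developer": "100,000,000 Downloads", "store_installs": 50},
    {"app": "Game Booster", "developer": "5,000,000+", "store_installs": 10},
    {"app": "Notes", "developer": "Acme Software Ltd.", "store_installs": 100000},
    {"app": "Counter", "developer": "1,000,000,000", "store_installs": 1000000000},
]

_MULTIPLIERS = {"thousand": 1_000, "k": 1_000, "million": 1_000_000, "m": 1_000_000,
                "billion": 1_000_000_000, "b": 1_000_000_000}

# A whole developer name that is nothing but a count, optionally with a unit word,
# a trailing "+", and "installs"/"downloads" before or after it.
_COUNT_RE = re.compile(
    r"(?i)(?:installs?|downloads?)?\s*(\d[\d,]*(?:\.\d+)?)\s*"
    r"(thousand|million|billion|k|m|b)?\+?\s*(?:installs?|downloads?)?"
)

def claimed_install_count(developer_name):
    """Return the install count a developer name mimics, or None for a normal name."""
    m = _COUNT_RE.fullmatch(developer_name.strip())
    if not m:
        return None
    number = float(m.group(1).replace(",", ""))
    return int(number * _MULTIPLIERS.get((m.group(2) or "").lower(), 1))

def assess_listing(listing, min_claim=1_000):
    """Classify one listing using the article's checks: a developer name that mimics
    an install count is suspect, and one exceeding the store's own figure more so."""
    claimed = claimed_install_count(listing["developer"])
    if claimed is None or claimed < min_claim:
        return "clean"
    if listing["store_installs"] < claimed:
        return "inflated-claim"
    return "count-as-name"

def scan(listings):
    """Map each app name to its verdict."""
    return {item["app"]: assess_listing(item) for item in listings}

if __name__ == "__main__":
    for app, verdict in scan(SAMPLE_LISTINGS).items():
        print(f"{app:16} {verdict}")
```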