Fake Android apps in the Play Store are a problem. People create listings designed to look exactly like popular apps, often using the same icon and name, to trick you into downloading them—then bombarding you with ads (or worse, malware).
This issue has been especially prominent lately. A fake version of WhatsApp was downloaded by more than one million people last year, and just this week Reddit’s /r/android community found a fake version of the popular SwiftKey keyboard and an ad-riddled version of VLC on the Play Store. The first two were removed after making headlines, and while Google was initially reluctant to remove the faux-VLC app, it was finally taken down last night after being at the top of the Android subreddit all day. Good work, you guys!
These types of apps are not something to take lightly. Behind the scenes, they’re often doing some very gnarly stuff—like stealing all of your personal info, tracking every move you make, or even worse. ABC News actually did a good analysis of what fake apps are capable of—it’s worth a watch.
So how do these fake apps trick so many people, and what can you do about it?
That fake version of WhatsApp—arguably one of the most successful fake apps yet—was nearly indistinguishable from the real thing. Even the developer name was visually identical. The fraudulent company placed a special hidden character at the end of the developer name, which made it look like “WhatsApp Inc.”, but it was technically different thanks to the hidden whitespace at the end of the name. Very clever.
Left: The legitimate WhatsApp Inc. listing; Right: The fake listing.
And again, that app was downloaded over a million times before Google removed it from the Play Store. It was so successful because it was so similar to the real WhatsApp listing—the icon, verbiage, and developer name were all similar enough that many users didn’t even raise an eyebrow.
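The trailing-whitespace trick works because the Play Store compares developer names as raw strings while your eye compares what is drawn on screen. The following script is an added example (not code from the article or from Google) showing how a reviewer or a store-side check could surface that gap: it lists every character in a name that renders as nothing, compares names after reducing them to what a reader perceives, and flags non-ASCII letters that normalisation would never fold. The article does not name the hidden character, so the sample names below use a trailing non-breaking space (U+00A0) and a zero-width space (U+200B) as constructed stand-ins.

```python
import unicodedata

# Unicode general categories whose members draw nothing visible:
# Cf = format characters (zero-width space, bidi marks, ...),
# Zs/Zl/Zp = space and line/paragraph separators (U+00A0 no-break space is Zs),
# Cc = control characters.
INVISIBLE_CATEGORIES = {"Cf", "Zs", "Zl", "Zp", "Cc"}


def find_hidden_chars(name):
    """List (index, code point, Unicode name) for every character in `name`
    that renders as nothing or as blank space, except the ordinary ASCII
    space between words."""
    hits = []
    for i, ch in enumerate(name):
        if ch != " " and unicodedata.category(ch) in INVISIBLE_CATEGORIES:
            hits.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>")))
    return hits


def non_ascii_letters(name):
    """Letters outside ASCII in a name you expect to be plain ASCII, e.g. a
    Cyrillic 'а' standing in for Latin 'a'. NFKC does not fold these, so they
    need their own check."""
    return [(i, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>"))
            for i, ch in enumerate(name) if ch.isalpha() and ord(ch) > 127]


def canonical(name):
    """Reduce a display name to what a reader actually perceives:
    compatibility-normalise, drop invisible characters, squeeze runs of
    whitespace (this also removes a trailing blank), ignore case."""
    text = unicodedata.normalize("NFKC", name)
    visible = "".join(ch for ch in text
                      if ch == " " or unicodedata.category(ch) not in INVISIBLE_CATEGORIES)
    return " ".join(visible.split()).casefold()


def looks_identical(shown, expected):
    """True when two developer names are different strings but would look the
    same on screen, which is exactly the WhatsApp Inc. trick. An exact match
    returns False because there is nothing to flag."""
    return shown != expected and canonical(shown) == canonical(expected)


if __name__ == "__main__":
    # Constructed samples: the real name and two look-alikes.
    real = "WhatsApp Inc."
    for shown in ("WhatsApp Inc.\u00a0", "WhatsApp\u200b Inc.", "Whats\u0430pp Inc."):
        print(repr(shown))
        print("  hidden chars:     ", find_hidden_chars(shown))
        print("  non-ASCII letters:", non_ascii_letters(shown))
        print("  looks identical:  ", looks_identical(shown, real))
```

Running it prints the offending code point and its Unicode name for each sample, which is the detail a human reviewer needs: a name that "looks identical" but carries a U+00A0 or U+200B is a near-certain impersonation, while a Cyrillic letter in an otherwise ASCII name is caught by the separate letter check rather than by normalisation.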
The aforementioned VLC ripoff is a bit different. It’s using VLC’s open-source code and Media Player Classic’s icon, and has over five million downloads. The “developer” here did little more than take a popular (open source) player, load it with ads, then use another player’s icon.
While it didn’t appear to be stealing data or harboring other malicious code, it’s still a fake app being used to make money. They’re taking legitimate developers’ work, filling it with ads, and capitalizing off of it. It’s disgusting. I’m glad Google did the right thing by pulling it.
This isn’t a new problem. In fact, it’s been happening for years—and I honestly can’t tell if it’s getting worse, if it’s getting more attention in the media, or if the cases that are being spotted are just bigger.
But it really doesn’t matter, because even if the number of offending apps is getting smaller, the fakes are getting better—and getting more downloads. That’s the biggest issue here.
Fortunately, Google is starting to address the issue with Google Play Protect—a security system to verify apps in the Play Store. It scans apps upon entry into Google Play, which I’m sure weeds out a lot of the fakes and other malicious apps. Google also says it removed over 700,000 malicious apps last year. But, as we’ve already noted, there are still some big ones getting through.
Play Protect was announced less than a year ago, so it’s still a relatively new system. As with most new systems, there will be bumps along the way—we’re just hoping Google uses this system to figure out a better way to control malicious content in its official app store.
So here’s the big thing: making sure your device and your data are safe is, well, kind of on you. Google can only do so much, and regardless of how good Play Protect actually gets, there’s always going to be a certain percentage of malicious apps that find their way into the Store.
That’s why it’s important to pay attention. The absolute best thing you can do to make sure you’re not installing a bunch of crap is to take a couple of minutes to look over the app listing before you install it. A little due diligence goes a long way.
If you search the Play Store for the app you want to install, take a few seconds to glance at all the entries—especially if you see the same icon more than once.
Fake apps will almost always use the icon from the app they’re trying to mimic, so it should immediately cause suspicion if you see the same icon more than once (assuming the second one isn’t a pro version of the app, of course). This is the first way fake apps trick people into installing them.
If the icons are the same, turn to the names.
Take a close look at the app name and the developer. In the case of the fake WhatsApp, the developer name was visually identical, but the name of the app should’ve raised a red flag—I can’t think of a single time a legitimate app added the word “Update” to its name.
The fake SwiftKey app that recently landed was called “Swift Keyboard”—something that users unfamiliar with SwiftKey could easily mistake for the real application. But the developer name was “Designer Superman”—a clear indicator that something isn’t right since SwiftKey is developed by a company of the same name (and owned by Microsoft).
The fake SwiftKey listing.
If the developer name isn’t an immediate indicator, you should also check their other apps. You can do this on the web by clicking on the developer name on the Play Store listing; on your phone, just scroll down close to the bottom of the app listing to see more apps from that developer.
If something doesn’t look right here, it probably isn’t.
If you’re downloading a popular app, always take a quick look at the download number. Let’s say you’re installing the Facebook app—one of the most downloaded apps in Google Play with over a billion installs at the time of writing.
But what if the listing you’re looking at only has, say, 5,000? Guess what? It’s probably the wrong listing. There’s not much of a chance a fake app will last in the Store long enough to get that many downloads, so it’s an easy way to spot a fraud, assuming you’re looking at a popular app.
If it’s not so popular, however, this won’t help as much. Of course, a fake app should always have fewer downloads than the app it’s imitating—again, just pay attention to the numbers.
This is an important step. If everything else looks close enough, the description can often be the thing that gives it away. If the wording seems off (think bot-like) or is written in broken English, that should raise the red flag.
Most legitimate developers do a good job of providing clear communication as to what their apps do. Most use good, clean formatting in the listing. Again, if something feels weird here, it probably is.
The same applies to the images. Now, there’s a chance these could be stolen from the legitimate Play Store listing (just like the icon), but you should take a closer look anyway. For example, look at the fake SwiftKey we’ve talked about several times already:
The images look pretty good, but “Typing like flying Swift”? What the hell does that even mean? To me, it means “yeah, I’m not installing this.”
After you’ve looked at all the details, spend some time reading a few of the reviews. Fake apps will often have fake reviews, but there are also likely to be some legitimate reviews from users who realized the app was bogus after installing it. A quick skim will generally be all it takes—look for the negative reviews and see what the issues are. If it’s fake, hopefully someone has called it out in the reviews.
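The checks above (duplicate icon, near-miss name, wrong developer, implausibly low install count) can be written down as rules. What follows is an added example, not code from the article or from Google, that runs those rules against a candidate listing using a listing you already trust as the reference. The `Listing` type, the `icon_hash` field standing in for the icon image, the 1% install-count threshold, the 0.7 name-similarity threshold, and the sample install counts are all assumptions; the only suspicious name word the article itself cites is “Update”, the others in the list are added. Per the article's caveat about pro versions, icon and name resemblance are only flagged when the developer differs.

```python
import difflib
from dataclasses import dataclass


@dataclass(frozen=True)
class Listing:
    """The parts of a Play Store listing the checklist compares. `icon_hash`
    stands in for the icon image: equal hashes mean the same icon."""
    app_name: str
    developer: str
    icon_hash: str
    installs: int


# Words a legitimate app practically never adds to its own name.
# "update" is the one the article cites; the others are assumed additions.
SUSPECT_NAME_WORDS = ("update", "install", "latest")


def name_similarity(a, b):
    """Similarity of two app names in 0.0..1.0, case-insensitive."""
    return difflib.SequenceMatcher(None, a.casefold(), b.casefold()).ratio()


def triage(candidate, reference, min_install_ratio=0.01, resemble_threshold=0.7):
    """Apply the checklist to `candidate`, using `reference` as the listing you
    already trust (for example one reached through the vendor's own
    'Get it on Google Play' button). Returns the red flags raised."""
    flags = []
    same_developer = candidate.developer == reference.developer

    # Icon: the real app's icon under a different developer account.
    if not same_developer and candidate.icon_hash == reference.icon_hash:
        flags.append("reuses the reference app's icon under a different developer")

    # Name: suspicious added words, or a near miss of the real name.
    words = candidate.app_name.casefold().split()
    for w in SUSPECT_NAME_WORDS:
        if w in words:
            flags.append(f'app name contains "{w}"')
    if not same_developer:
        sim = name_similarity(candidate.app_name, reference.app_name)
        if candidate.app_name != reference.app_name and sim >= resemble_threshold:
            flags.append(f'name "{candidate.app_name}" resembles '
                         f'"{reference.app_name}" (similarity {sim:.2f})')
        flags.append(f'developer "{candidate.developer}" is not "{reference.developer}"')

    # Download count: far below what the real app has.
    if candidate.installs < reference.installs * min_install_ratio:
        flags.append(f"{candidate.installs:,} installs vs "
                     f"{reference.installs:,} for the reference")
    return flags


def verdict(flags):
    """Turn the flag list into the decision the article recommends."""
    if not flags:
        return "no red flags"
    if len(flags) == 1:
        return "look closer before installing"
    return "do not install; report as Copycat or Impersonation"


if __name__ == "__main__":
    # Constructed sample listings; install counts and icon hashes are made up.
    real = Listing("SwiftKey Keyboard", "SwiftKey", "icon-7f3a", 250_000_000)
    fake = Listing("Swift Keyboard", "Designer Superman", "icon-7f3a", 50_000)
    flags = triage(fake, real)
    for f in flags:
        print(" -", f)
    print(verdict(flags))
```

Because developer names are compared as exact strings, a name padded with a hidden trailing character counts as a different developer and the icon and name rules fire for it too; a pro version published under the same developer account raises none of them, which matches the exception the article makes for pro versions.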
If you happen to spot a fake app, there are things you should do (aside from, you know, not installing it). The first is to report it—let Google know it’s a fake!
To do this, scroll to the bottom of the page (regardless of whether you’re on the web or mobile) and click or tap on “Flag as Inappropriate.”
On the web, this will take you to a Google Play help page—which is actually sort of annoying—where you’ll need to also click on the “report inappropriate developer reply form” link, and fill it out accordingly.
Fortunately, it’s a lot easier on mobile. After you click on Flag as Inappropriate, choose the reason why you’re reporting the app—for fakes, use the “Copycat or Impersonation” option.
Tap submit, and it’ll get shipped off to Google, which will (hopefully) review it.
Now that you’ve done your part, share this info! Post it on Twitter, Reddit, Facebook, or wherever else you frequent. The absolute best thing you can do is raise awareness, because then more people will report the app for fraudulent activity. In turn, Google should react more quickly. The developers of the legitimate apps often lend their opinions and support in such cases, too.
Again, any of these things can be faked if the malicious developer is working hard enough. That fake WhatsApp app had an identical developer name, and had enough downloads that it looked like the real thing. But if you look at all of these things put together, you’ll generally be able to spot something that doesn’t look right. You just need to pay attention to the details.
And ultimately, if you’re still not sure—just don’t install the app. You want to be confident that what you’re installing is the right thing, so if you’re questioning that, a bit more research is going to be necessary before you tap that green button. You can always go to the app’s home page (like SwiftKey.com) and click their button to “Get It on Google Play”, which will ensure you go to the real thing.