How to Tell If an App Is Safe Before You Install It
Malicious apps cost people money, compromise their privacy, and sometimes hand complete device access to strangers. The good news is that checking whether an app is trustworthy takes about five minutes and requires no technical background. Here's the practical checklist.
Quick Answer
Before installing any app, verify it comes from an official store (Google Play or Apple App Store), check that the developer name matches the company you expect, read recent reviews for red flags, review the permissions it requests, and check whether the privacy label matches what the app actually does. For apps outside official stores (APKs or sideloaded files), the risk is substantially higher and requires additional scrutiny.
Key Takeaways
- Always download apps from official stores first. The risk from sideloaded APKs or third-party download sites is substantially higher, even for apps that look legitimate.
- Check the developer name directly — fake apps routinely impersonate real brands with near-identical names and icons.
- Permissions are the clearest signal: a flashlight app requesting contact access, or a calculator requesting microphone access, is not normal.
- If you suspect an app was malicious after installing it, uninstall it, change passwords for accounts accessed while it was installed, and check for any secondary apps it may have added.
- Privacy labels and data safety disclosures are self-reported but still useful — a mismatch between what an app claims to collect and what it actually does is worth investigating.
Why App Safety Checks Matter More Now
In 2023, the US Federal Trade Commission reported that consumers lost more than $10 billion to fraud, with a growing share involving fraudulent or malicious apps. Fake banking apps, cloned utility tools, and ad-fraud software regularly appear in search results and on download sites. Even legitimate-looking apps can request far more data access than their function justifies.
This guide is for anyone who installs apps on a phone or computer — no technical background required. The checks take a few minutes per app and can prevent significant harm. For context on broader app security trends, see our software and apps coverage.
Step 1: Use Official App Stores When Possible
The Google Play Store and Apple App Store both screen apps before publishing them, though imperfectly. Apps in these stores have agreed to developer policies, gone through automated and sometimes manual review, and can be removed and refunded if found to be malicious.
This does not mean every app in official stores is safe — malicious apps do get through, and scam apps sometimes pass initial review before being reported. But the baseline risk in an official store is substantially lower than installing software from a random website, a file-sharing link, or a third-party APK store.
The rule: if the app is available in an official store, download it from there. If someone is directing you to download an APK file, a direct download link, or a third-party store instead, treat that as a red flag and understand why before proceeding.
Step 2: Verify the Developer Name and Publisher
Fake apps impersonate well-known brands. A search for “WhatsApp” or “PayPal” might surface copycat apps with nearly identical icons and slightly different developer names. Before downloading, check that the developer listed in the store matches the company you expect.
The real PayPal app is published by “PayPal, Inc.” A fake will often be published by an individual developer account or a name that’s close but not exact — “PayPal Mobile Inc.” or a random string. For major apps, the developer’s website should be listed in the store page. Navigate to that URL independently (don’t click the link in the store; type it yourself) and confirm the app is officially distributed there.
Quick check: Search the developer name plus the word “scam” or “fake” before downloading. If others have flagged the developer, results will surface quickly.
Step 3: Read Recent Reviews — Not the Star Rating
Fake reviews inflate star ratings on app store pages. The star average is nearly useless as a safety signal. What matters is the content of recent reviews, sorted by “most recent” rather than “most relevant.”
Red flags in reviews include: sudden drops in rating after an app update, reports of unexpected charges, complaints about the app requesting permissions unrelated to its function, mentions of the app behaving differently after installation than advertised, and a large number of one-sentence five-star reviews posted within a short window (a pattern consistent with purchased reviews).
A legitimate app with 50,000 installs and mixed but substantive reviews is generally less concerning than an app with 500 identical five-star reviews posted in the last week.
Step 4: Review the Permissions Carefully
Permissions are the clearest signal of what an app intends to do on your device. When an app requests access, it’s asking for specific capabilities: read your contacts, access your camera, track your location, read your SMS messages, or access files on your device.
The question to ask is: does this permission make sense given what the app does?
- A flashlight app requesting access to your contacts: red flag.
- A navigation app requesting location access: expected.
- A calculator app requesting microphone access: red flag.
- A video call app requesting camera and microphone: expected.
On Android, you can review and revoke permissions after installation in Settings > Apps > [App Name] > Permissions. On iOS, Settings > Privacy & Security lists which apps have requested each type of access. Audit these periodically — permissions granted at install can persist long after you stop actively using an app.
CISA’s guidance on mobile device security recommends reviewing app permissions regularly as a baseline practice.
Step 5: Check the Privacy Label or Privacy Policy
Apple requires apps to display a “privacy nutrition label” on their App Store page, listing what data the app collects and whether it’s linked to your identity. Google Play has a similar Data Safety section. These are self-reported by developers and not always fully accurate, but blatant mismatches — a simple game claiming to collect financial data, for example — are worth investigating.
For desktop software, look for a privacy policy link on the developer’s website. If a free app has no privacy policy and is not open-source, you should assume your data may be monetized. The FTC offers consumer guidance on evaluating privacy claims that is worth reviewing.
Step 6: Be Skeptical of Apps From Outside Official Stores
Sideloading means installing an app from outside an official store — downloading an APK file on Android, for example, or installing unsigned software on a computer. There are legitimate reasons to sideload: some apps are only available regionally, open-source projects distribute installers directly, and some users prefer to avoid store policies.
But sideloading removes most of the protections official stores provide. A sideloaded APK has not been screened by Google. It could contain any code. The risks include:
- Spyware that monitors keystrokes or messages
- Banking trojans that overlay fake login screens on top of real apps
- Ad fraud software that drains your battery and mobile data while running in the background
- Ransomware, particularly on Android devices
If you are going to sideload an app, at minimum: verify the source is the official project website (not a mirror or file-sharing site), check the file hash against the one published by the developer, and scan the file with a reputable antivirus tool before running it. If any of those steps aren’t possible, don’t install it.
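The hash check in the step above (and repeated in the FAQ below) is the one part of the sideloading checklist that can be scripted. This is an added example, not from the original article: a small POSIX shell routine that compares a downloaded file’s SHA-256 with the digest a developer publishes; the file name and the “tampered mirror” copy are constructed for the demo.

```shell
#!/bin/sh
# Added example: verify a downloaded file (e.g. an APK) against the SHA-256
# digest the developer publishes. Not part of the original article; the
# file names and the tampered copy below are constructed for the demo.

# Print the SHA-256 of a file, using whichever tool the system provides.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_download FILE EXPECTED_HEX -> 0 if the digest matches, else 1.
# The comparison is case-insensitive (published hashes vary in case) and
# length-checked, so a truncated or padded "hash" can never pass.
verify_download() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d '[:space:]')
    if [ "${#expected}" -ne 64 ]; then
        echo "REJECT: published digest is not a 64-hex-char SHA-256" >&2
        return 1
    fi
    actual=$(file_sha256 "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published digest"
        return 0
    fi
    echo "REJECT: $file digest $actual != expected $expected" >&2
    return 1
}

# Constructed demo: a pretend download, the digest its developer would
# publish, and a copy from a "mirror" that appended bytes. Returns 0 only
# if the genuine file passes and the altered copy is rejected.
demo() {
    dir=$(mktemp -d)
    printf 'pretend this is app-release.apk\n' > "$dir/app-release.apk"
    published=$(file_sha256 "$dir/app-release.apk")   # from the project page
    cp "$dir/app-release.apk" "$dir/mirror.apk"
    printf 'extra bytes\n' >> "$dir/mirror.apk"          # mirror altered it
    if verify_download "$dir/app-release.apk" "$published"; then ok=1; else ok=0; fi
    if verify_download "$dir/mirror.apk" "$published"; then bad=0; else bad=1; fi
    rm -rf "$dir"
    [ "$ok" -eq 1 ] && [ "$bad" -eq 1 ]
}
```

The published digest has to come from the developer’s own site, fetched separately from the download; a mirror that alters the file can just as easily publish a digest that matches its altered copy.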
For more about evaluating software safely, the HogaToga how-to section has additional guides on security settings and safe software habits.
Step 7: Watch for These Specific Red Flags
Across all of the above steps, these are the specific signals most consistently associated with unsafe apps:
- The app was found via an ad in a search engine or social media, not through a direct store search.
- The store listing was recently created and the developer has no other published apps.
- The app promises capabilities that seem too good to be true: unlimited free premium features, free in-app currency for paid games, unlocked paid software for free.
- The install page asks you to disable security settings on your device.
- The app description contains spelling errors, poor grammar, or vague descriptions of what the app actually does.
- The app requests accessibility permissions but is not an accessibility tool (these permissions give broad control over the device).
What to Do If You Already Installed Something Suspicious
If you’ve installed an app and are now concerned about it, act quickly:
- Uninstall the app immediately.
- Revoke any permissions it was granted (some spyware installs secondary components — check if any new apps appeared around the same time).
- Change passwords for any accounts you logged into while the app was installed, starting with email and banking.
- Enable two-factor authentication on critical accounts if you haven’t already.
- Run a scan with a reputable security tool (Malwarebytes, for example, has a free tier for mobile).
- Review your bank and credit card statements for unexpected charges.
- Report the app to the relevant store — this helps protect others.
If you believe your financial accounts were compromised, contact your bank directly. For broader identity theft guidance, the FTC’s IdentityTheft.gov is the recommended starting point in the US. You can also find safe app recommendations in our software and apps section.
Frequently Asked Questions
Is the Apple App Store safe?
Safer than most alternatives, but not guaranteed. Apple reviews apps before publishing and can remove malicious ones, but scam apps and apps with aggressive data collection do pass review. The App Store reduces risk significantly; it doesn't eliminate it. You still need to check permissions, developer identity, and reviews.
Is it safe to install APK files?
It carries real risk. APK files installed outside the Play Store have not been screened by Google. They could contain any code, including malware. If you have a legitimate reason to sideload, verify the source is the official project website, check the file hash, and scan with antivirus software before running the file. As a default rule, avoid APKs from unknown sources.
Which permissions should I almost never grant?
Accessibility services permissions (unless the app is explicitly an accessibility tool), device administrator access (unless it's an MDM for work), and SMS read permissions (unless it's your default messaging app) should almost never be granted to ordinary apps. These permissions give unusually broad device control and are commonly abused by malware.
How do I check which apps already have which permissions?
On Android, go to Settings > Privacy > Permission Manager to see which apps have access to each sensor and data type. On iOS, go to Settings > Privacy & Security and work through each category. Look for apps you don't actively use that still have location, microphone, or contact permissions enabled — revoke anything that doesn't have a clear justification.
Do mobile antivirus apps actually work?
Yes, though their effectiveness varies. Reputable options include Malwarebytes (free tier available), Bitdefender Mobile Security, and the built-in Google Play Protect on Android. They're most useful for scanning sideloaded files before installation. For apps installed from official stores, the primary screening value is permission audits and behavior monitoring rather than signature-based scanning.
What should I do if I installed a fake banking app?
Treat it as a confirmed breach. Immediately call your bank using the number on the back of your card (not a number from the app), report suspected unauthorized access, and ask about freezing or monitoring the account. Change your banking password and PIN from a secure device. Enable two-factor authentication if available. File a report with the FTC at ReportFraud.ftc.gov.