AppVetter
HomeGuides › How to Tell if an Android App Is Safe Before You Install It

How to Tell if an Android App Is Safe Before You Install It

Most malware on Android does not arrive through sophisticated exploits. It arrives because someone searched for a popular app, tapped the first convincing result, and installed a lookalike. The good news is that five minutes of checking before you tap Install filters out almost all of it, and none of the checks require technical knowledge.

This is the checklist we run before reviewing any app on this site. It works for the Play Store, and most of it transfers to any other source you might install from.

Start with the developer, not the app

App names and icons are trivial to imitate; developer accounts are harder. On any Play Store listing, the developer name sits directly under the app title. Tap it and look at what else the account publishes. The real WhatsApp comes from "WhatsApp LLC", and that account publishes exactly the apps you would expect. A "WhatsApp" from an account with three wallpaper apps and a flashlight is not WhatsApp, whatever the icon says.

Cross-check against the developer's own website. Legitimate companies link to their store listings from their official sites, which is the one chain of trust that fakes cannot forge. This is also our standard advice for messaging and finance apps, where the cost of installing an imitation is highest — see the download sections of our WhatsApp review and our PayPal review.

Read the data safety section like a label

Every Play Store listing carries a data safety section where developers declare what they collect and whether they share it. It is self-reported, so treat it as a claim rather than an audit, but the claims are still informative. A QR-code scanner that declares it collects precise location and financial information is telling you something important about its business model.

Two lines deserve particular attention: whether data is shared with third parties, and whether you can request deletion. Reputable apps increasingly answer both clearly, because regulation in the EU and several US states requires it.

Interpret ratings correctly

The star number matters less than the shape of recent reviews. Sort by newest and scan a screen or two. Real problems show up as clusters: the same complaint about a subscription trap, the same crash after an update, the same suspicious permission request. A 4.6 average with recent reviews describing charges the user never authorised is a worse signal than a 3.9 average with grumbling about ads.

Be sceptical of review counts that outrun install counts, and of walls of five-star reviews in broken English posted on the same day. Both patterns are cheap to buy and common in scam listings.

Check what the app asks for against what it does

Permissions are the clearest mismatch detector available. Since Android 6, apps must request sensitive permissions at runtime, so you can install first and judge each request as it appears. The question is always proportionality: a navigation app needs your location; a photo editor does not. A keyboard asking for contacts, or a game asking for accessibility access, is a request to decline — and in the accessibility case, a reason to uninstall.

Know what Google Play Protect does and does not cover

Google Play Protect scans apps from the Play Store and, on most devices, sideloaded APKs as well. It removes known malware families and warns about apps that abuse permissions. It is genuinely useful and you should leave it on. It is also not a guarantee: newly uploaded scam apps routinely survive for days or weeks before takedown, which is why the developer and review checks above still matter.

If you must sideload, control the source

There are legitimate reasons to install an APK directly: an app not distributed in your country, or a developer that publishes its own builds. In those cases, download only from the developer's own domain, never from a search result that ranks for "app name APK". Prefer the developer's own domain or a long-established distribution network over whatever search result happens to rank for "app name APK" — unknown aggregators repackage apps with modified code often enough that they should be a last resort. On our own app pages we always present the official Google Play link alongside any APK option. Remember that sideloaded apps do not auto-update, so you carry the responsibility of staying current.

The two-minute version

  • Tap the developer name; check their other apps and their official website.
  • Read the data safety section; note sharing and deletion policies.
  • Sort reviews by newest; look for clustered complaints.
  • Judge each permission request against the app's actual job.
  • Leave Play Protect on; treat it as a safety net, not a shield.
  • Sideload only from the developer's own site, and keep those apps updated yourself.

None of this is exotic. It is the same habit as reading an ingredient list: thirty seconds of attention at the moment of choice, in exchange for not having to clean up afterwards.