Fake Apps Are Everywhere: How Malicious Apps Sneak Into the App Store and Google Play
You trust the App Store and Google Play to keep you safe. But hundreds of malicious apps bypass their review processes every year — stealing passwords, draining bank accounts, and spying on users. Some have millions of downloads. Here's how to spot them before you install one.

Here's a fact that should make you uncomfortable: malicious apps routinely pass the review processes of both the Apple App Store and Google Play Store, sometimes accumulating millions of downloads before being discovered and removed.
In September 2025, researchers found 224 malicious apps on Google Play running a coordinated ad fraud campaign. A month earlier, another 77 were identified. In early 2025, Bitdefender documented hundreds of malicious apps that had bypassed security restrictions introduced in Android 13. In January 2025, Kaspersky discovered SparkCat spyware in apps on both the App Store and Google Play: apps designed to scan your photo gallery for cryptocurrency wallet seed phrases using OCR. By mid-2025, a new variant called SparkKitty appeared, doing the same thing through trojanized TikTok mods.
And those are just the ones that got caught.
The app stores are not the impenetrable security fortresses that most users believe them to be. They're better than the open internet, absolutely. But their review processes have blind spots that attackers systematically exploit.
If you install apps based on app store listings, download counts, and star ratings alone, you're playing a game where the odds are increasingly not in your favor.
How Malicious Apps Get Past App Store Review
Understanding the techniques attackers use helps you understand why the review process fails — and what to look for yourself.
The Time Bomb Approach
The most common technique: the app is submitted to the store as a completely legitimate, functional application. It does what it says — it's a calculator, a flashlight, a QR scanner, a weather app, a photo editor. It passes all automated security scans and manual reviews because, at the time of review, it genuinely is clean.
After approval, sometimes weeks or months later, the developer pushes an update that introduces malicious functionality. The malicious code might not even be included in the update itself. Instead, the update changes the app to download and execute code from a remote server, so the malicious payload is never part of the package the store reviews. On Android this usually means loading a downloaded DEX or JAR file through a class loader; on iOS, where apps can't load native code at run time, the real behavior typically hides behind a web view or a server-side switch that the attacker flips after review.
This is the same "sleeper agent" model we documented in browser extensions, and it's equally effective in mobile apps.
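The Android side of this technique leaves marks you can look for statically. The Python script below is an added example, not code from this article or from any vendor cited in it: it treats an APK as the ZIP archive it is, searches each classes*.dex string table for class-loader descriptors, and measures the entropy of bundled assets, because an encrypted second stage waiting to be unpacked looks like random noise. The APK it scans is a constructed stub built inline, and the indicator list and the 7.5 bits/byte threshold are my assumptions. A hit is a reason to look closer, not a conviction: plugin frameworks and some ad SDKs also load code at run time.

```python
import io
import random
import zipfile
from collections import Counter
from math import log2

# Class descriptors exactly as they sit in a DEX string table. Each is a lead for
# analysis, not proof of malice (indicator list is an assumption, not a vendor list).
INDICATORS = {
    b"Ldalvik/system/DexClassLoader;": ("loader", "loads a DEX/JAR from a file path at run time"),
    b"Ldalvik/system/InMemoryDexClassLoader;": ("loader", "loads a DEX straight from a memory buffer"),
    b"Ljava/lang/Runtime;": ("exec", "can spawn native processes via Runtime.exec"),
    b"Ljavax/crypto/Cipher;": ("crypto", "decrypts something; next to a loader, usually a packed payload"),
}
PAYLOAD_SUFFIXES = (".dex", ".jar", ".zip", ".so", ".bin", ".dat")
HIGH_ENTROPY = 7.5  # bits per byte; compressed or encrypted data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * log2(c / n) for c in Counter(data).values())


def scan_apk(apk_bytes: bytes) -> dict:
    """Indicators per classes*.dex plus bundled assets that look like payloads."""
    report = {"dex": {}, "assets": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            data = z.read(name)
            if name.startswith("classes") and name.endswith(".dex"):
                hits = [tag_desc for needle, tag_desc in INDICATORS.items() if needle in data]
                if hits:
                    report["dex"][name] = hits
            elif name.startswith(("assets/", "res/raw/")):
                ent = shannon_entropy(data)
                if name.lower().endswith(PAYLOAD_SUFFIXES) or ent >= HIGH_ENTROPY:
                    report["assets"].append((name, round(ent, 2)))
    return report


def verdict(report: dict) -> str:
    """One-line triage conclusion from the scan report."""
    tags = {tag for hits in report["dex"].values() for tag, _ in hits}
    staged = bool(report["assets"]) or "crypto" in tags
    if "loader" in tags and staged:
        return "likely packed or staged payload: the code that was reviewed is not the code that runs"
    if "loader" in tags:
        return "dynamic code loading present: find out where the loaded code comes from"
    return "no dynamic-loading indicators in the DEX files"


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK; a real one carries compiled DEX, not this stub."""
    rng = random.Random(7)
    encrypted_blob = bytes(rng.getrandbits(8) for _ in range(4096))  # stands in for an encrypted stage 2
    fake_dex = (
        b"dex\n035\x00" + b"\x00" * 32
        + b"Lcom/example/flashlight/MainActivity;\x00"
        + b"Ldalvik/system/DexClassLoader;\x00"
        + b"Ljavax/crypto/Cipher;\x00"
        + b"Landroid/hardware/camera2/CameraManager;\x00"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<binary xml placeholder>")
        z.writestr("classes.dex", fake_dex)
        z.writestr("assets/config.json", b'{"theme": "dark", "brightness": 80}')
        z.writestr("assets/ui_pack.dat", encrypted_blob)  # odd extension for "UI data", high entropy
    return buf.getvalue()


if __name__ == "__main__":
    rep = scan_apk(build_sample_apk())
    for dex, hits in rep["dex"].items():
        for _, desc in hits:
            print(f"{dex}: {desc}")
    for name, ent in rep["assets"]:
        print(f"{name}: entropy {ent} bits/byte")
    print(verdict(rep))
```

To run it against a real app, replace build_sample_apk() with the bytes of an APK pulled from a device (adb shell pm path the.package, then adb pull), and expect multi-DEX apps to produce several classesN.dex entries. Compressed media stored under assets/ will trip the entropy check too, which is why the verdict only escalates when a loader is present as well.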
The Category Masquerade
Attackers publish apps in innocuous categories — utilities, personalization, photo tools, flashlights, QR readers — with descriptions and screenshots that look perfectly normal. The app functions as advertised, so users leave genuine positive reviews.
But behind the legitimate functionality, the app runs background processes: tracking location, harvesting contacts, reading SMS messages, keylogging, displaying fraudulent ads, or subscribing the user to premium SMS services without consent.
Researchers at Bitdefender found that some of these apps used advanced evasion techniques, including delaying malicious activity for days after installation (to avoid triggering analysis in sandboxed review environments), hiding app entries from the device launcher so users couldn't easily find and uninstall them, and using generic names like "Phone Manager" or "System Service" to blend into the system app list.
The Impersonation Strategy
Attackers create apps that impersonate popular, trusted apps. They copy the icon, the name (with subtle misspellings), the screenshots, and the description. Users searching for "WhatsApp" or "ChatGPT" might find a convincing fake listing — especially on Google Play, where the sheer volume of apps makes policing impersonation difficult.
The Sophos research into pig butchering scams found crypto scam apps impersonating legitimate exchanges in both the App Store and Google Play. The apps let victims withdraw small amounts initially (to build trust), then locked their accounts when larger deposits were made.
The Permission Creep
Some apps are technically not malware, but they request absurdly excessive permissions that they use for data harvesting. A photo editor that requests access to your contacts, call logs, SMS messages, and precise location — all of which have nothing to do with editing photos — is harvesting your data for sale to data brokers or advertising networks.
This falls into a gray area that app store review processes don't always catch, because the app isn't technically "malicious": it's just collecting far more data than it should. Keep in mind that the Data safety section on Google Play and the App Privacy labels on the App Store are self-reported by the developer rather than independently verified, so they tell you what the developer admits to, not necessarily what the app does.
Types of Malicious Apps You'll Encounter
Spyware
Apps that secretly monitor your activity — location tracking, message reading, call recording, camera access. The SparkCat and SparkKitty campaigns mentioned earlier are examples, but there are thousands of less sophisticated variants. These apps often target specific communities: crypto users (looking for seed phrases), business professionals (looking for credentials), and victims of domestic abuse (installed by abusers).
Fleeceware
Apps that offer a "free trial" and then charge exorbitant subscription fees — sometimes $50 to $200 per week — that are difficult to cancel. The app itself might be a basic calculator or horoscope reader. The trap is in the subscription model: users sign up for the trial, forget to cancel, and get charged repeatedly.
Apple and Google have both cracked down on fleeceware, but new variants continue to appear. Always check the subscription terms before starting any free trial, and review your active subscriptions regularly (Settings → [Your Name] → Subscriptions on iPhone; Play Store → Profile → Payments & subscriptions → Subscriptions on Android).
Ad Fraud Apps
Apps that generate invisible ads or click on ads in the background, draining your battery and data while generating revenue for the attacker. You might notice your phone heating up, your battery dying faster, or your data usage spiking — but otherwise, the app appears normal.
The 224-app campaign discovered on Google Play in 2025 was exactly this type — apps that seemed legitimate but ran aggressive ad fraud operations in the background.
Banking Trojans
The most dangerous category. These apps overlay fake login screens on top of your real banking app, capturing your credentials when you try to log in. Some variants can intercept SMS messages containing 2FA codes, enabling the attacker to complete unauthorized transactions. On Android, the building blocks are the "display over other apps" permission (SYSTEM_ALERT_WINDOW), which lets the fake screen sit on top of the real one, and the Accessibility Service, which lets an app read what is on screen and tap on your behalf. A flashlight or PDF reader that asks you to enable an accessibility service almost never has a legitimate reason to.
FakeApp trojan variants discovered in late 2024 used a modified DNS library to receive commands from a malicious server, displaying fake casino websites instead of the app's advertised function. Some of these apps had over one million downloads.
Fake VPN and Security Apps
Ironically, apps that promise to protect your privacy are sometimes the biggest violators. Fake VPN apps that log your browsing history. Fake antivirus apps that are actually adware. Fake ad blockers that inject their own ads. The very thing the user downloaded to protect themselves becomes the threat.
How to Protect Yourself
Before Installing Any App
Check the developer. Look at who published the app. Is it a recognized company with a website? Have they published other reputable apps? An app from "Cool Dev 2024" with no other apps and no web presence is higher risk.
Read the reviews critically. Don't just look at the star rating. Read the actual reviews, especially the recent negative ones. Users often report suspicious behavior — excessive ads, unauthorized charges, battery drain, permission requests — in reviews. If multiple users mention the same problem, take it seriously.
Check the download count against the age. An app published last week with 100,000 downloads is suspicious unless a big-brand launch or a news event explains it. Organic growth takes time. Artificially inflated download numbers are a common tactic for fake apps.
Look at the permissions before installing. On Google Play, open the listing's "About this app" section and tap "App permissions" to see what the app will ask for; the Data safety section lists what the developer says it collects. The App Store doesn't publish a permission list (iOS prompts you at run time), but the App Privacy labels show the declared data collection. A flashlight app that wants access to your contacts and SMS messages is a red flag. Ask yourself: does this app need this permission to function?
Compare with the official website. If you're looking for a specific app (like a bank's mobile app), go to the bank's official website first and follow their link to the app store. Don't search the app store directly — that's where impersonation apps catch people.
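Those five checks can be turned into a script that scores a listing before you tap Install. The Python below is an added example, not the article's code and not any store's tooling: it normalizes an app name through a small homoglyph table (Cyrillic and Greek look-alikes, digits standing in for letters) and compares it against a watch list of brand names and their genuine publishers, checks install velocity against listing age, checks the developer's footprint, and counts recent low-star reviews that complain about the same thing. The two listings, the brand table, the look-alike table and the thresholds (100,000 installs inside 30 days, two matching reviews) are constructed assumptions; in practice you would build the brand table from the store links on each vendor's own website, which is the point of the last check above.

```python
import unicodedata
from collections import Counter
from datetime import date, timedelta
from difflib import SequenceMatcher

# Brand core names and the publisher the store shows for the genuine app. Constructed
# table: build yours from the app-store links on each vendor's own website.
KNOWN_APPS = {"whatsapp": "WhatsApp LLC", "chatgpt": "OpenAI", "googleauthenticator": "Google LLC"}
# Characters that render like Latin letters. Partial table (an assumption); extend as needed.
LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic а е о р с
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s", "\u04bb": "h",  # Cyrillic х у і ѕ һ
    "\u03b1": "a", "\u03bf": "o", "\u03c1": "p", "\u03bd": "v",                # Greek α ο ρ ν
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a",      # digits/symbols as letters
}
REVIEW_SIGNALS = ("ads", "charged", "subscription", "battery", "permission", "overlay")


def normalize(name):
    """Lower-case, strip accents, fold look-alikes, keep only ASCII letters and digits."""
    out = []
    for ch in unicodedata.normalize("NFKD", name).lower():
        if unicodedata.combining(ch):
            continue
        ch = LOOKALIKES.get(ch, ch)
        if ch.isascii() and ch.isalnum():
            out.append(ch)
    return "".join(out)


def impersonation_flags(listing):
    """Name reads like a known brand but the publisher is not that brand's publisher."""
    norm, flags = normalize(listing["name"]), []
    for core, publisher in KNOWN_APPS.items():
        close = core in norm or SequenceMatcher(None, norm, core).ratio() >= 0.8
        if close and listing["developer"] != publisher:
            flags.append(f"name reads as '{core}' but publisher is '{listing['developer']}', not '{publisher}'")
    return flags


def velocity_flags(listing, today):
    """100,000+ installs inside the first month is rarely organic (threshold is an assumption)."""
    age = max((today - listing["published"]).days, 1)
    if age <= 30 and listing["installs"] >= 100_000:
        return [f"{listing['installs']:,} installs in {age} days: inflated unless a launch event explains it"]
    return []


def developer_flags(listing):
    """No web presence and no other apps: the 'Cool Dev 2024' pattern."""
    flags = []
    if not listing["website"]:
        flags.append("developer has no website")
    if listing["other_apps"] == 0:
        flags.append("developer has published nothing else")
    return flags


def review_flags(listing, min_reports=2):
    """Several low-star reviews naming the same problem matter more than the star average."""
    hits = Counter()
    for review in listing["reviews"]:
        if review["stars"] <= 2:
            hits.update(w for w in REVIEW_SIGNALS if w in review["text"].lower())
    return [f"{n} low-star reviews mention '{w}'" for w, n in hits.items() if n >= min_reports]


def assess(listing, today):
    """Combine the checks; impersonation alone is enough for 'high'."""
    imp = impersonation_flags(listing)
    flags = imp + velocity_flags(listing, today) + developer_flags(listing) + review_flags(listing)
    risk = "high" if imp or len(flags) >= 3 else "medium" if flags else "low"
    return {"risk": risk, "flags": flags}


def sample_listings(today):
    """Two constructed store listings: the genuine app and an impersonator."""
    legit = {"name": "WhatsApp Messenger", "developer": "WhatsApp LLC", "website": "https://www.whatsapp.com",
             "other_apps": 2, "installs": 5_000_000_000, "published": date(2010, 5, 3),
             "reviews": [{"stars": 5, "text": "works fine"}, {"stars": 4, "text": "good"}]}
    fake = {"name": "WhatsA\u03c1p Messenger Pro", "developer": "Cool Dev 2024", "website": "",  # Greek rho as p
            "other_apps": 0, "installs": 120_000, "published": today - timedelta(days=9),
            "reviews": [{"stars": 1, "text": "Full-screen ads every minute and it wanted my contacts"},
                        {"stars": 1, "text": "Charged after the trial, cannot cancel the subscription"},
                        {"stars": 2, "text": "Ads and battery drain, phone gets hot"},
                        {"stars": 5, "text": "great app"}]}
    return legit, fake


if __name__ == "__main__":
    today = date.today()
    for listing in sample_listings(today):
        result = assess(listing, today)
        print(f"{listing['name']!r}: {result['risk']}", *result["flags"], sep="\n  ")
```

The substring test is what catches "WhatsApp Messenger Pro"; the ratio test catches one-letter typos like "WhatsAap". Neither replaces the rule in the last item above: when you already know which app you want, start from the vendor's website and skip store search entirely.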
After Installing
Monitor your phone's behavior. Sudden battery drain, data usage spikes, overheating when idle, unexpected pop-ups, or new apps you didn't install are all warning signs. We covered these indicators in our stalkerware detection guide — the same symptoms apply to any malicious app.
Keep Google Play Protect enabled. On Android, Play Protect continuously scans installed apps for malicious behavior. Go to Play Store → Profile → Play Protect and verify it's active. If someone installed a malicious app on your device, they may have disabled Play Protect first — check this.
Review your subscriptions regularly. On iPhone: Settings → [Your Name] → Subscriptions. On Android: Play Store → Payments & Subscriptions. Cancel anything you don't recognize or no longer use.
Uninstall apps you don't use. Every installed app is an attack surface. If you haven't used an app in months, delete it. This reduces the chance that a previously legitimate app turns malicious through an update.
Keep your phone updated. OS updates patch security vulnerabilities that malicious apps exploit. Don't delay updates.
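The permission checks in this section and the banking-trojan profile from earlier can be run from a computer with adb instead of tapping through Settings. The Python below is an added example, not from the article and not from Google: it parses the permission sections of "adb shell dumpsys package" output and the value of "adb shell settings get secure enabled_accessibility_services", then flags two things: sensitive permissions an app of its declared purpose has no use for (the permission creep described above), and the overlay + accessibility + SMS combination that banking trojans rely on. The dumpsys excerpt is constructed and shortened, and the real output's layout varies between Android versions, so verify the section names against your own device; the purpose map and the expected-permission table are assumptions to tune per app.

```python
import re

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
GRANT_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
# Runtime "dangerous" permissions a harvester or banking trojan wants, plus the overlay
# permission, which Android grants from a separate settings screen rather than a prompt.
SENSITIVE = SMS_PERMS | {OVERLAY} | {"android.permission." + p for p in (
    "SEND_SMS", "READ_CONTACTS", "READ_CALL_LOG", "ACCESS_FINE_LOCATION",
    "ACCESS_COARSE_LOCATION", "RECORD_AUDIO", "CAMERA", "READ_PHONE_STATE")}
# What each kind of app plausibly needs: an assumption, tune it per app.
EXPECTED = {
    "flashlight": {"android.permission.CAMERA"},  # older torch APIs went through the camera
    "sms client": SMS_PERMS | {"android.permission.SEND_SMS", "android.permission.READ_CONTACTS"},
}
# Constructed, shortened `adb shell dumpsys package` output for two installed apps.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.flashlight] (3f2a1c):
    requested permissions:
      android.permission.CAMERA
      android.permission.READ_SMS
      android.permission.READ_CONTACTS
      android.permission.SYSTEM_ALERT_WINDOW
    install permissions:
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
    User 0: installed=true hidden=false suspended=false
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
  Package [com.example.smsclient] (c0ffee):
    requested permissions:
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
      android.permission.READ_CONTACTS
    User 0: installed=true hidden=false suspended=false
      runtime permissions:
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
        android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
"""
# Constructed `adb shell settings get secure enabled_accessibility_services` value.
SAMPLE_ACCESSIBILITY = "com.example.flashlight/.SysService:com.example.screenreader/.ReaderService"
# What each app claims to be on its store listing (assumption for the sample).
DECLARED_PURPOSE = {"com.example.flashlight": "flashlight", "com.example.smsclient": "sms client"}


def parse_dumpsys(text):
    """Map package -> {'requested': set, 'granted': set} from dumpsys package output."""
    pkgs, current, section, section_indent = {}, None, None, -1
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        indent = len(raw) - len(raw.lstrip())
        m = PKG_RE.match(raw)
        if m:
            current, section = m.group(1), None
            pkgs[current] = {"requested": set(), "granted": set()}
            continue
        if current is None:
            continue
        if section and indent <= section_indent:
            section = None  # dedented out of the permission block
        if line == "requested permissions:":
            section, section_indent = "requested", indent
        elif line in ("install permissions:", "runtime permissions:"):
            section, section_indent = "granted", indent
        elif section == "requested":
            pkgs[current]["requested"].add(line.split(":")[0])  # newer builds may append ": restricted=true"
        elif section == "granted":
            g = GRANT_RE.match(raw)
            if g and g.group(2) == "true":
                pkgs[current]["granted"].add(g.group(1))
    return pkgs


def parse_accessibility(setting):
    """Packages with an enabled accessibility service; value is pkg/svc:pkg/svc, or 'null' when unset."""
    if not setting or setting.strip() == "null":
        return set()
    return {e.split("/", 1)[0] for e in setting.strip().split(":") if e}


def triage(pkgs, accessibility, purposes):
    """Flag permission creep and the overlay + accessibility + SMS banking-trojan profile."""
    report = {}
    for pkg, perms in pkgs.items():
        purpose = purposes.get(pkg, "app of unknown purpose")
        findings = []
        creep = sorted((perms["granted"] & SENSITIVE) - EXPECTED.get(purpose, set()))
        if creep:
            findings.append(f"{purpose} holds permissions it has no use for: "
                            + ", ".join(p.rsplit(".", 1)[-1] for p in creep))
        signals = [name for name, hit in (("overlay", OVERLAY in perms["granted"]),
                                          ("accessibility", pkg in accessibility),
                                          ("SMS", bool(perms["granted"] & SMS_PERMS))) if hit]
        if len(signals) == 3:
            findings.append("banking-trojan capability set: overlay + accessibility + SMS")
        elif "accessibility" in signals:
            findings.append("accessibility service enabled: it can read every screen and tap for you")
        severity = "high" if len(signals) == 3 else "medium" if findings else "ok"
        report[pkg] = {"severity": severity, "findings": findings}
    return report


if __name__ == "__main__":
    result = triage(parse_dumpsys(SAMPLE_DUMPSYS), parse_accessibility(SAMPLE_ACCESSIBILITY), DECLARED_PURPOSE)
    for pkg, r in result.items():
        print(pkg, r["severity"], *r["findings"], sep="\n  ")
```

Feed it the real thing with adb shell dumpsys package > dump.txt (the whole dump, not one package, so every third-party app is covered) and fill DECLARED_PURPOSE from the store listings of the packages adb shell pm list packages -3 reports. The SMS client in the sample is there on purpose: SMS permissions on an app whose job is SMS are fine, which is why the check is about fit to purpose rather than about any single permission.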
The Nuclear Option: Only Install What You Need
The strongest defense is the simplest one: install fewer apps. Every app you install is a trust decision — you're trusting the developer's current intentions, their future intentions, and their ability to keep their developer account secure.
Before installing any app, ask: is there a website that does the same thing? Can I accomplish this with a built-in feature? Do I really need this, or is it a nice-to-have that adds risk without meaningful benefit?
Surveys regularly put the average smartphone at 80+ installed apps, with fewer than 30 in active use. The gap between installed and used is unnecessary risk.
The Uncomfortable Reality
App store review processes are not security guarantees. They're filters that catch most threats but inevitably miss some. The volume of submissions — Google Play receives thousands of new app submissions daily — makes comprehensive review of every app update humanly impossible.
Apple's App Store is generally considered more secure than Google Play because of its stricter review process and because iOS gives third-party apps fewer ways to misbehave: they can't draw over other apps, read other apps' screens, or be installed from outside the store on most devices. But Apple is not immune; the SparkCat spyware campaign proved that malware can and does slip through Apple's review.
The responsibility for app safety ultimately falls on you. Treat every app installation as a security decision. Check the developer. Read the reviews. Scrutinize the permissions. Monitor your phone's behavior after installing. And remove anything you don't actively need.
Your phone is the most sensitive device you own. Every app you install gets a key to some part of it. Be thoughtful about who you give those keys to.
Related Articles
- Sextortion Scams Are Killing Teenagers: What Every Parent and Young Person Needs to Know
- Pig Butchering Scams: The $35 Billion Fraud That Starts With a Text From a Stranger
- QR Code Scams Are Everywhere in 2026: How "Quishing" Works and How to Protect Yourself
- How to Spot a Fake Website in 2026: The Red Flags That Most People Miss

Written by
Rahmat Syahputra
Bug bounty research professional, freelance at HackerOne, Intigriti, and Bugcrowd.