Don't Eat Free Cheese


In a world full of choice and clones, it can be difficult to know if what you’re getting is the real thing. The landscape for getting and downloading apps is complex. Context and ease play a big role in how and where people get apps. Each country has its own cultural and digital climate, and people want what is convenient and easy. We are very casual about getting apps and don’t think much about the source of our security.

In India, the market is flooded with modded versions of apps that sometimes offer premium features for free, or a better UI experience. We heard the desire to get something for free drives many decisions. One interviewee described the behaviors behind getting and sharing apps in India as ‘eating free cheese.’ Their statement, “Free cheese is always in a mousetrap,” alludes to the fact that nothing is really free and there are consequences or trade-offs when getting something for free.


We aren’t saying “Don’t download free things.” We are saying, as a community, we should consider our sharing and downloading behaviors if we seek to protect the security and privacy of each other. Part of the solution to overcoming clones is to understand what steps one can take when downloading apps to help them make more informed choices. Together, we can help stop the spread of malware and contribute to the security of ourselves, our families, and our communities.

Below are actionable steps to help us identify and proactively prevent exposure to malware attacks. Together we can increase adoption of official apps and bring awareness to safe behaviors around downloading and sharing apps.

Safe Behaviors To Practice Before Downloading

7 Steps To Take To Help Prevent Downloading Malware:

  1. Try to get your apps from a Safe Source.

    This will help limit the probability of downloading malware or a clone. Many safe sources have protocols in place for detecting apps with malware, spyware, or viruses.

    Safe Sources include but are not limited to:

    • Google Play Store

    • Apple App Store

    • Developer’s GitHub/GitLab page

  2. Make sure to regularly update your apps.

    It is also good practice to update your phone’s operating system.

    • Updating your apps ensures you are getting the latest security updates and bug fixes.

    • Fetching an app update takes little time and data. Installing takes time, but is done locally and does not require an internet connection.

    • In some cases updating wipes out clones and restores an app to its authentic self.

    • If you originally downloaded the app from Google Play, Apple App Store or F-Droid you should be notified when your app is ready for an update. It may even auto-update.

  3. Read and verify key app information.

    • Release date

    • Size of the file

    • App rating & number of ratings

    • App store description

    • Information about the development team

    • Screenshots

    • Logo

    • Required permissions

  4. Read comments and reviews.

    This helps you answer two questions. First, “Are the developers active and interacting with users?” Second, “Is anyone having trouble with the app or experiencing weird behaviors?”

  5. Download, install and use antivirus software.

    This will help monitor your browser and downloads.

  6. Turn on the Google Verify Apps feature

    Documented here.

  7. Download, install and use Checkey

    Download here (https://guardianproject.info/apps/info.guardianproject.checkey/). This software provides information about the APKs that are installed on your device. Make sure to verify the developer key.

 

Unable To Get an App From a Safe Source?

Consider these helpful steps when choosing to click “download” or “share.”

If Sharing and Downloading in Messaging Apps

  1. It’s not a safe practice to get and share APK files in messaging apps. But for some, this is the only method. If you choose to do this, follow these guidelines:

  2. If you are downloading the APK file, take a moment to read the APK file name, verify the developer, and check that the version number is the most recent. You can also take the following steps:

    • Consider how you received the file. Is it from a trusted or safe source?

    • Verify the digital signature (Windows, Android) before downloading.

      • You can also use the Jarsigner tool.

    • Unzip the APK and inspect the contents—look for timestamps that are different from others.

    • Upload the APK to virustotal.com.

      • This site uses multiple forms of malware detection. It will scan the APK and alert you of malware.
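The timestamp inspection described above can be scripted. The following is an added example, not code from the original article: it reads an APK as a ZIP archive, flags entries dated differently from most of the archive, lists the JAR signature files under META-INF, and computes the file's SHA-256 so it can be compared with a checksum the developer publishes. The sample APK, its entry names and the function names are constructed for illustration.

```python
import hashlib
import io
import zipfile
from collections import Counter

SIG_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")  # JAR (v1) signature files


def build_sample_apk() -> bytes:
    """Constructed sample: an APK-shaped ZIP in which one entry was replaced later."""
    built = (2023, 5, 1, 10, 0, 0)
    repacked = (2024, 2, 14, 3, 12, 8)
    entries = [
        ("AndroidManifest.xml", built),
        ("resources.arsc", built),
        ("res/layout/main.xml", built),
        ("META-INF/MANIFEST.MF", built),
        ("META-INF/CERT.SF", built),
        ("META-INF/CERT.RSA", built),
        ("classes.dex", repacked),
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, stamp in entries:
            zf.writestr(zipfile.ZipInfo(name, date_time=stamp), b"constructed")
    return buf.getvalue()


def inspect_apk(data: bytes) -> dict:
    """Hash the file and flag entries dated differently from most of the archive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    # Compare calendar dates only: a build normally stamps every entry alike.
    days = Counter(i.date_time[:3] for i in infos)
    common_day = days.most_common(1)[0][0] if days else None
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "signature_files": sorted(
            i.filename for i in infos
            if i.filename.startswith("META-INF/") and i.filename.endswith(SIG_SUFFIXES)
        ),
        "common_day": common_day,
        "outliers": [i.filename for i in infos if i.date_time[:3] != common_day],
    }


if __name__ == "__main__":
    for key, value in inspect_apk(build_sample_apk()).items():
        print(f"{key}: {value}")
```

To check a real file, pass its bytes to `inspect_apk`. Matching timestamps do not prove an APK is genuine, so treat an outlier as a reason to look closer and still verify the signature.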

If Downloading From a Website

  1. Is the website secure?

    Does it start with HTTPS:// ?

  2. Is the developer listed?

    Can you find and verify they are the legitimate developer team?

  3. Read and verify key app information.

    • Release date

    • Size of the file

    • App rating & number of ratings

    • App store description

    • Information about the development team

    • Screenshots

    • Logo

    • Required permissions


If Downloading and Sharing from Alternative App Stores

(Note: Many third-party app stores have their own regulations on what is and isn’t allowed for publishing).

  1. Consider the legitimacy of the site.

    Are they known for spreading malware, spyware or fake news?

  2. Is the website secure?

    Does it start with HTTPS:// ?

  3. Is the developer listed?

    Can you find and verify they are the legitimate developer team?

  4. Read and verify key app information.

    • Release date

    • Size of the file

    • App rating & number of ratings

    • App store description

    • Information about the development team

    • Screenshots

    • Logo

    • Required permissions

Did You Just Download Malware On Your Phone?

12 Quick Things To Look For:

  1. The system or apps start behaving irregularly.

  2. Your call and SMS logs include unknown numbers.

  3. The battery drains faster than expected or your device suddenly restarts.

  4. Data usage has increased significantly.

  5. The device sends and receives strange text messages.

  6. Your phone is running slower than normal.

  7. Apps take longer to load.

  8. Ads or notifications saying you’ve won a prize keep popping up.

  9. The app crashes or stops working frequently.

  10. Your phone bill has increased significantly.

  11. Your camera is activated when you aren’t using it.

  12. You are getting charged for actions you did not take (check your bank history and credit card statements).

If You Think You’ve Downloaded Malware, It’s Time To Run a Phone Virus Scan


Step 1:

Download and install ‘AVG AntiVirus for Android’ from the Google Play Store.

Step 2:

Open the app and tap the ‘Scan’ button.

Step 3:

Wait while the app scans and checks your apps and files for any malicious software.

Step 4:

If a threat is found, tap ‘Resolve.’
