How to Spot Malicious or Scam Apps

By Sophia Taylor

There are over 6.5 million apps available across the App Store and Google Play. Most are perfectly legitimate — but not all.

Scam apps are designed to look exactly like the real thing. Some mimic popular banking apps, trading platforms, or productivity tools. Others pose as harmless utilities — a QR code scanner, a flashlight app, a calculator.

Once installed, they can quietly steal your personal data, rack up hidden subscription charges, or open the door to malware.

The good news is that most scam apps leave clues. Once you know what to look for, spotting them becomes second nature.

This guide walks you through the warning signs to check before you download, plus what to do if you suspect something has already slipped onto your phone.

What Can Scam Apps Do?

Before getting into how to spot them, it helps to understand why they’re worth taking seriously.

A malicious app with access to your phone can:

  • Steal your passwords and banking credentials by logging what you type or capturing your screen
  • Access your photos, contacts, and messages and send them to a remote server
  • Track your location in real time, often without any obvious sign
  • Charge money to your accounts through hidden in-app purchases or bogus subscriptions
  • Install additional malware on your device without your knowledge

Some of these apps cause obvious problems you’ll notice right away. Others are designed to operate invisibly in the background — which is what makes them particularly dangerous.

How to Spot a Scam App Before You Download

The best time to catch a scam app is before it ever reaches your phone. Here’s what to check.

Only download from official app stores

Stick to the Apple App Store and Google Play Store. While neither is perfect, apps on these platforms go through a vetting process that filters out a significant number of threats.

Avoid downloading apps from third-party websites or app stores, especially if you came across them through an ad or a link someone sent you. Apps distributed outside the official stores have no quality control, and they’re one of the most common ways malware ends up on phones.

This applies to Android users especially. Android allows apps to be installed from unknown sources — a setting that should stay switched off unless you have a specific, trusted reason to enable it.

Never click app download links sent via text or email

A common way scammers distribute malicious apps is by sending a direct download link by SMS or email. They typically impersonate a bank, delivery company, or well-known brand and create a sense of urgency — “Your account has been flagged, download our security app to resolve this.”

If you receive a message asking you to install or update an app via a link, don’t tap it. Go directly to the App Store or Play Store and search for the official app instead.

Fig 1. An example of a phishing email.

Pro Tip: Your bank will never ask you to install an app by clicking a link in a text message. If you’re unsure, call your bank’s official customer service number to verify.

Check the developer name

Before downloading any app, take a moment to check who made it.

On the App Store or Play Store, the developer name appears beneath the app title. For a well-known app, that name should be immediately recognizable. If the developer name is slightly off, contains unusual characters, or looks like a random string of words, treat that as a red flag.

Scammers will often create apps with names almost identical to legitimate ones — changing one letter, adding a word, or using a different capitalization. A banking app from “Barclays PLC” is very different from one attributed to “Barclay’s Mobile Solutions Ltd.”
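The lookalike patterns just described (a swapped letter, an extra word, an apostrophe, or a non-Latin character that renders like a Latin one) can be checked mechanically against a short list of publishers you already trust. The script below is an added example written for this article, not code from Certo or either app store; the trusted names, the small homoglyph table and the edit-distance threshold are constructed assumptions for illustration.

```python
import unicodedata

# Constructed allowlist of developer names the user already trusts (example values,
# not a real registry of publishers).
TRUSTED_DEVELOPERS = ["Barclays PLC", "Example Bank Ltd", "Acme Productivity Inc"]

# Hand-picked subset of Unicode characters that render like Latin letters.
# Constructed for illustration; a production check would load the full Unicode
# confusables table. Apostrophe variants map to "" so "Barclay's" folds to "barclays".
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s",   # Cyrillic
    "\u03bf": "o", "\u03b1": "a",                                   # Greek
    "'": "", "\u2019": "", "\u2018": "",                            # apostrophes
}

# Legal-form words that carry no brand information.
LEGAL_SUFFIXES = {"plc", "ltd", "limited", "inc", "llc", "gmbh", "co", "corp"}


def fold(name: str) -> str:
    """NFKC-normalise, casefold and map homoglyphs so visually similar names compare equal."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def normalize(name: str) -> str:
    """Reduce a developer name to lowercase words separated by single spaces."""
    cleaned = "".join(ch if ch.isalnum() or ch.isspace() else " " for ch in fold(name))
    return " ".join(cleaned.split())


def brand_tokens(name: str) -> list:
    """Words of the normalised name with legal suffixes removed."""
    return [t for t in normalize(name).split() if t not in LEGAL_SUFFIXES]


def has_homoglyph(name: str) -> bool:
    """True if the name contains a non-Latin character that mimics a Latin letter."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return any(CONFUSABLES.get(ch) for ch in folded)  # "" (apostrophes) is falsy


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to catch one-letter swaps such as 'Barcleys'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _near(token: str, other: str) -> bool:
    # Short words must match exactly; longer ones tolerate a single edit.
    return token == other if len(token) < 5 else levenshtein(token, other) <= 1


def assess_developer(name: str, trusted=TRUSTED_DEVELOPERS) -> tuple:
    """Return ("trusted" | "lookalike" | "unknown", matched trusted name or None)."""
    if not has_homoglyph(name):
        for t in trusted:
            if normalize(name) == normalize(t):
                return ("trusted", t)
    candidate = brand_tokens(name)
    for t in trusted:
        reference = brand_tokens(t)
        # Every brand word of the trusted name reappears (possibly with one edit) in the
        # candidate: "Barclay's Mobile Solutions Ltd" still contains "barclays".
        if reference and all(any(_near(r, c) for c in candidate) for r in reference):
            return ("lookalike", t)
    return ("unknown", None)


if __name__ == "__main__":
    for sample in ["Barclays PLC", "Barclay\u2019s Mobile Solutions Ltd",
                   "B\u0430rclays PLC", "Barcleys", "Sunny Weather Co"]:
        print(repr(sample), "->", assess_developer(sample))
```

A name that matches a trusted publisher only after homoglyph folding is deliberately reported as a lookalike rather than trusted: the whole point of a Cyrillic "а" in "Bаrclays" is that it looks identical on screen, so the presence of such a character is itself the signal.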

Look closely at the store listing

Legitimate app developers put care into their listings. Scam apps often don’t.

Look out for:

  • Spelling mistakes and poor grammar in the description
  • Low-quality or stretched screenshots that look like they were copied from another app
  • A generic or slightly off-looking icon that mimics a well-known brand
  • Vague descriptions that don’t clearly explain what the app does

None of these alone is definitive proof of a scam, but several together should prompt a much closer look before downloading.

Read the reviews — but read them carefully

User reviews are one of the most useful signals, but they require some interpretation.

A high proportion of 1-star reviews warning about scams, data theft, or unexpected charges is an obvious red flag. But watch for the opposite problem too: an app with a flood of 5-star reviews and almost nothing in between can suggest the developer has bought fake reviews to drown out legitimate complaints.

Genuine reviews tend to be varied in length, tone, and detail. Generic 5-star reviews that all sound the same (“Great app! Very useful! Highly recommend!”) are worth being skeptical of.
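The two review patterns above (a polarized rating distribution with nothing in the middle, and 5-star reviews that are near-copies of each other) can be scored from a list of ratings and texts. The following is an added example written for this article, not Certo's or any store's ranking logic; the sample reviews are constructed, and the thresholds (60% five-star, 80% word overlap for a duplicate, 20% one-star) are illustrative assumptions, not published figures.

```python
import re
from collections import Counter
from itertools import combinations

# Constructed sample reviews (star rating, text); not taken from any real store listing.
SUSPICIOUS_REVIEWS = [
    (5, "Great app! Very useful! Highly recommend!"),
    (5, "Great app, very useful, highly recommend"),
    (5, "great app!! very useful. highly recommend!!!"),
    (5, "Best app ever, highly recommend, very useful"),
    (5, "Works perfectly, five stars"),
    (1, "Charged me a weekly fee after the 'free' trial and I could not cancel"),
    (1, "Asked for my bank login and then crashed. Scam."),
]

# Constructed contrast case: a normal spread of ratings with varied wording.
BALANCED_REVIEWS = [
    (5, "Does exactly what I need for tracking my runs"),
    (4, "Good, but the widget sometimes lags"),
    (3, "Fine. Wish it supported dark mode"),
    (2, "Too many notifications by default"),
    (5, "Export to CSV is handy"),
    (1, "Crashes on my old tablet"),
]

# Words 1-star reviewers use when reporting the problems the article describes.
SCAM_WORDS = re.compile(r"\b(scam|fraud|charged|stole|steal|refund|unauthori[sz]ed|phishing)\b", re.I)


def tokens(text: str) -> set:
    """Lowercase word set, so punctuation and capitalisation don't hide a duplicate."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def jaccard(a: set, b: set) -> float:
    return 1.0 if not a and not b else len(a & b) / len(a | b)


def review_signals(reviews, dup_threshold: float = 0.8) -> dict:
    """Summarise rating shape, duplicated 5-star text and scam reports in 1-star text."""
    n = len(reviews)
    counts = Counter(rating for rating, _ in reviews)
    five_share = counts[5] / n
    middle_share = (counts[2] + counts[3] + counts[4]) / n
    one_share = counts[1] / n

    # Pairwise near-duplicate detection among the 5-star reviews only.
    fives = [tokens(text) for rating, text in reviews if rating == 5]
    duplicated = set()
    for (i, a), (j, b) in combinations(enumerate(fives), 2):
        if jaccard(a, b) >= dup_threshold:
            duplicated.update((i, j))

    scam_mentions = sum(1 for rating, text in reviews if rating == 1 and SCAM_WORDS.search(text))

    flags = []
    if five_share >= 0.6 and middle_share <= 0.05:
        flags.append("polarized ratings: mostly 5-star with almost no 2-4 star reviews")
    if fives and len(duplicated) / len(fives) >= 0.5:
        flags.append("near-duplicate 5-star reviews")
    if one_share >= 0.2 and scam_mentions:
        flags.append("1-star reviews reporting scams or unexpected charges")
    return {
        "total": n,
        "five_star_share": five_share,
        "middle_share": middle_share,
        "duplicate_five_star": len(duplicated),
        "scam_mentions_one_star": scam_mentions,
        "flags": flags,
    }


if __name__ == "__main__":
    print(review_signals(SUSPICIOUS_REVIEWS))
    print(review_signals(BALANCED_REVIEWS))
```

On the constructed suspicious listing, three of the five 5-star reviews are word-for-word the same once punctuation is stripped, and both 1-star reviews mention charges or a scam, so all three flags fire; the balanced listing raises none.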

Check the release date and download count

Both the App Store and Google Play let you see when an app was first released and, on Android, how many times it’s been downloaded.

Be cautious of an app that claims to be a well-established service but was only released a few weeks ago. Similarly, an app claiming to be hugely popular but with very few downloads doesn’t add up.

For established apps, a longer history with consistent updates is a good sign. Scam apps are often pulled quickly once they’re reported, so their version histories tend to be thin.

Review the permissions it requests

Before you finish installing an app, check what permissions it’s asking for. This is one of the clearest signals of whether something is legitimate.

A calculator app has no reason to access your camera. A wallpaper app shouldn’t need your contacts or microphone. When the permissions requested don’t match what the app is supposed to do, that mismatch is worth paying attention to.

On iPhone, you can review app permissions at any time by going to Settings > Privacy & Security and tapping through each category to see which apps have access. On Android, go to Settings > Security and Privacy > More privacy settings, and tap Permission manager.

Fig 2. Finding a malicious app in Permissions on iOS and Android.

Pro Tip: Get into the habit of reviewing permissions for every app you install, not just unfamiliar ones. Even legitimate apps sometimes request more access than they actually need.
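The "does the permission match the app's purpose" test can be applied to the files an app ships with: an Android APK's AndroidManifest.xml lists its permissions, and an iOS app's Info.plist must carry a usage-description key for each sensitive capability it touches. Below is an added example written for this article (not Certo's scanner) that maps both to a common set of capability labels and reports the ones a given kind of app has no business asking for. The permission and plist key names are real; the manifest, plist and the "expected capabilities per app type" table are constructed assumptions.

```python
import plistlib
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names mapped to a platform-neutral capability label.
# The choice of which ones count as sensitive is this example's own.
ANDROID_CAPABILITY = {
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_CALL_LOG": "call log",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_MEDIA_IMAGES": "photos",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps",
}

# Real Info.plist usage-description keys mapped to the same labels.
IOS_CAPABILITY = {
    "NSCameraUsageDescription": "camera",
    "NSMicrophoneUsageDescription": "microphone",
    "NSContactsUsageDescription": "contacts",
    "NSLocationWhenInUseUsageDescription": "location",
    "NSLocationAlwaysAndWhenInUseUsageDescription": "location",
    "NSPhotoLibraryUsageDescription": "photos",
}

# Constructed expectations: the sensitive capabilities each kind of app plausibly needs.
EXPECTED_CAPABILITIES = {
    "calculator": set(),
    "wallpaper": {"photos"},
    "banking": {"camera"},  # cheque or QR scanning
}

# Constructed manifest for a "calculator" that asks for far more than arithmetic needs.
CALCULATOR_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.calc">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.RECEIVE_SMS" />
    <uses-permission android:name="android.permission.RECORD_AUDIO" />
</manifest>
"""

# Constructed Info.plist for a wallpaper app that also wants contacts and the microphone.
WALLPAPER_INFO_PLIST = """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleName</key><string>Wallpapers</string>
    <key>NSPhotoLibraryUsageDescription</key><string>Save wallpapers to your library</string>
    <key>NSContactsUsageDescription</key><string>Share wallpapers with friends</string>
    <key>NSMicrophoneUsageDescription</key><string>Voice search</string>
</dict>
</plist>
"""


def android_capabilities(manifest_xml: str) -> set:
    """Capabilities implied by <uses-permission> entries in an AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    names = [el.get(ANDROID_NS + "name") for el in root.iter()
             if el.tag in ("uses-permission", "uses-permission-sdk-23")]
    return {ANDROID_CAPABILITY[n] for n in names if n in ANDROID_CAPABILITY}


def ios_capabilities(info_plist_xml: str) -> set:
    """Capabilities implied by usage-description keys present in an Info.plist."""
    plist = plistlib.loads(info_plist_xml.encode("utf-8"))
    return {cap for key, cap in IOS_CAPABILITY.items() if key in plist}


def unexpected_capabilities(requested: set, app_type: str) -> list:
    """Sensitive capabilities the app asks for that its stated purpose does not justify."""
    return sorted(requested - EXPECTED_CAPABILITIES[app_type])


if __name__ == "__main__":
    print("calculator:", unexpected_capabilities(android_capabilities(CALCULATOR_MANIFEST), "calculator"))
    print("wallpaper:", unexpected_capabilities(ios_capabilities(WALLPAPER_INFO_PLIST), "wallpaper"))
```

INTERNET is deliberately not in the table: nearly every app uses it, so it carries little signal on its own. Working at the capability level rather than on raw permission strings lets the same expectation table serve both platforms, which mirrors the article's advice that the check is about purpose, not the exact wording of the prompt.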

Warning Signs After Installing

Sometimes a scam app slips through despite your best efforts. Here are signs that something may be running on your phone that shouldn’t be:

  • Battery draining faster than usual — malicious apps running in the background consume power
  • Unexplained spike in data usage — scam apps often transmit data to remote servers
  • Phone running warm when you’re not actively using it
  • Unfamiliar apps appearing that you don’t remember installing
  • Unexpected charges on your bank statement or app store account

If you notice several of these at once, it’s worth investigating further.

What to Do If You Find a Scam App

If you’ve identified an app that seems malicious or that you no longer trust, here’s what to do:

  • Delete it immediately. On iPhone, go to Settings > General > iPhone Storage, select the app, and tap Delete App. On Android, go to Settings > Apps, select the app, and tap Uninstall.
  • Check your permissions. Go through your privacy settings and revoke access for any app you’re not confident about.
  • Change passwords for any accounts you accessed while the app was installed, starting with banking and email.
  • Check for unauthorized charges on your bank or credit card statements and contact your provider if you find anything suspicious.
  • Run a security scan. A dedicated security app like Certo can check your device for any threats that may have been introduced alongside the scam app.

Fig 3. Finding a malicious app in Storage on iOS and Android.

Wrapping Up

Scam apps are getting better at looking legitimate. In 2024, researchers found malicious apps on both the App Store and Google Play — including one posing as a trading platform and another disguised as a simple math tool — before they were removed.

The vetting process catches a lot, but it’s not foolproof.

The steps above take less than a minute per app and can save you significant headaches. Make them a habit, and checking before you download becomes as automatic as putting on a seatbelt.

If you ever want extra peace of mind, Certo AntiSpy for Android and iPhone can help you check your device for threats that have already found their way in.

FAQs

Are iPhones or Android phones more at risk from scam apps?

Android devices face a higher risk overall, partly because Android allows apps to be installed from outside the official Play Store. That said, scam apps do appear on both platforms. iPhone users aren’t immune, and the same pre-download checks apply regardless of which device you use.

How do I report a scam app to Apple or Google?

On the App Store, scroll to the bottom of the app’s listing page and tap “Report a Problem.” On Google Play, open the app’s listing, tap the three-dot menu in the top right, and select “Flag as inappropriate.” Reporting helps get the app reviewed and potentially removed before it harms other users.

Can a scam app still cause damage after I’ve deleted it?

Possibly, yes. If the app captured passwords, payment details, or personal data while it was installed, that information may already have been transmitted. Deleting the app removes the ongoing threat, but it’s still worth changing passwords for any accounts you used during that time and checking your bank statements for anything unusual.