How do malicious apps end up on official app stores?


While you may think that downloading apps from official app stores is entirely secure, you can still catch malware that will steal your private data.

Imagine reading an article about an AI assistant app and deciding to get it on your phone. When you search the app store, you find it's paid, but then spot a similar-looking free app with the same features. Thinking it's safe, you download it, believing there's no harm since apps on the store are always secure. The next day, you notice that your crypto wallet is empty and that your social media accounts have been hijacked.

Sadly, situations like these constantly happen. But how? Don't app stores invest tons of money to keep malicious programs out of their marketplaces? In this article, I explore how app stores protect you from malicious apps, how cybercriminals still bypass these systems, and what you can do to stay safe.

How do apps get checked before becoming available in app stores?

A rule of thumb is that you must understand how a system works before exploring its security flaws. That’s why, before diving into how malicious apps make their way onto the Google Play Store or App Store, it’s essential to explain what app stores do to protect their users from malicious apps.

How Google Play Store checks apps

According to Google, before an app gets published on Google Play Store, the app itself and its developer get thoroughly analyzed and reviewed by automated detection mechanisms and human analysts.

Since every developer must agree to the Google Play Store developer distribution agreement, Google can check nearly every detail about their account. That's why the Google Play Store internal risk engine analyzes information from a developer's Google account, such as past actions, account history, billing details and device information. If it finds something suspicious about the developer, the account is passed to a manual review, where it is examined in more detail.

After that, the app itself gets reviewed. Google's automated application risk analyzer examines the app to detect potentially harmful application behavior. If it discovers something suspicious, it flags the app and sends it to a security analyst for manual review.

Also, Google can check the app even after it gets published on Google Play Store. If a user has Google Play Protect enabled on their device, Google runs safety checks on all apps installed (even the ones from sources other than the Google Play Store). If it finds something, it warns the user about it. This way, users' devices get more protection, while Google's detection systems better identify harmful apps.

How Apple’s App Store checks apps

Apple states that it takes several measures to ensure that only safe, trustworthy apps are available to users on the App Store.

First, Apple runs automated malware scans on each app, looking for known threats. This is the first line of defense, which filters out known harmful software before it reaches manual review.

Next, a team of experts at Apple carefully reviews each app. They check everything – from the app's description to screenshots. This step helps protect users from common scams, where malicious apps may disguise themselves as legitimate or popular.

Also, Apple's security experts manually verify that the app does not unnecessarily request sensitive data. Extra care is taken with apps targeted at children to ensure they meet strict data collection and safety guidelines, keeping young users safe.

Furthermore, even if a malicious app manages to hide its behavior completely during the review process, Apple continuously monitors user reviews. It looks for reports about the app and combats fake reviews to keep that signal reliable.

However, if a malicious app does make it into the App Store, it is immediately removed once identified, and the company warns users who downloaded it about its malicious behavior.

How malicious apps get through the review process

So app stores invest heavily in keeping their marketplaces free of malicious apps. How, then, do cybercriminals get past all of these security systems and still publish an infected app? Let's take a closer look at the techniques they use to distribute malware through app stores.

Obfuscation of malicious code

Cybercriminals often hide the harmful parts of their apps by making the code hard to read. They turn the code into a confusing format that is difficult to understand but still works.

[Figure: obfuscated code example]

This technique is called code obfuscation, and it is primarily used to evade automated security checks, during which the code is scanned for known malware signatures. If the malicious code is hidden well enough between obfuscated sections, the app passes reviews and gets published on the app store. After that, malware becomes active once the app is installed on a user's device.

Downloading malicious files after installation

Sometimes, malicious apps don't contain any harmful code at the time of submission. Instead, the app downloads malicious code or configuration after installation, usually from an external server. Once everything has been downloaded, the malware activates and infects the user's phone. This allows cybercriminals to bypass app store scans that examine the app's contents at submission, because no malicious code is present at review time.
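The two evasion techniques described above, obfuscated code and code fetched only after installation, are exactly what a reviewer's static triage of a decompiled app looks for. The Python below is an added example (not code from the article or from any app store's review pipeline): it runs three heuristics over constructed decompiler-output samples, and the API watch-list, the junk-identifier rule and the entropy thresholds are assumptions chosen for illustration.

```python
import math
import re

# Constructed watch-list of Android APIs that load code fetched after install (illustrative only).
DYNAMIC_LOAD_INDICATORS = ("DexClassLoader", "InMemoryDexClassLoader",
                           "PathClassLoader", "System.load", "Runtime.getRuntime().exec")
JAVA_KEYWORDS = {"public", "private", "protected", "static", "final", "void", "new", "class",
                 "return", "if", "else", "for", "while", "try", "catch", "int", "null", "this"}
STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
IDENT_RE = re.compile(r"\b[A-Za-z_$][A-Za-z0-9_$]*\b")

def shannon_entropy(text):
    """Bits per character; random-looking base64 payloads score close to 6."""
    probs = [text.count(c) / len(text) for c in set(text)]
    return -sum(p * math.log2(p) for p in probs)

def looks_junk(ident):
    """ProGuard-style one/two-letter names or confusable l/I/1/O/0 runs (assumed heuristic)."""
    return len(ident) <= 2 or set(ident) <= set("lI1O0")

def triage(java_source):
    """Static triage of decompiled Java: indicator counts plus a manual-review verdict."""
    literals = STRING_RE.findall(java_source)
    code_only = STRING_RE.sub('""', java_source)  # keep words inside string literals out of the identifier count
    idents = [t for t in IDENT_RE.findall(code_only) if t not in JAVA_KEYWORDS]
    junk_ratio = sum(map(looks_junk, idents)) / max(len(idents), 1)
    hot_strings = sum(1 for s in literals if len(s) >= 32 and shannon_entropy(s) > 4.5)
    loaders = [api for api in DYNAMIC_LOAD_INDICATORS if api in java_source]
    return {"junk_identifier_ratio": round(junk_ratio, 2),
            "high_entropy_strings": hot_strings,
            "dynamic_loaders": loaders,
            "needs_manual_review": junk_ratio > 0.5 or hot_strings > 0 or bool(loaders)}

# Constructed stand-ins for decompiler output of a benign app and a suspicious one.
CLEAN_SAMPLE = '''public class Greeter {
    private String name;
    public void greet(Context ctx) { Log.i("Greeter", "Hello " + name); }
}'''
OBFUSCATED_SAMPLE = '''public class a {
    private static String b = "A1bC2dE3fG4hI5jK6lM7nO8pQ9rS0tU+vW/xYzaBcDeFgHiJkLmNoPqRsTuVwXyZ";
    public void c(Context d) {
        File e = new File(d.getCacheDir(), "u.jar");
        ClassLoader f = new DexClassLoader(e.getPath(), null, null, d.getClassLoader());
        f.loadClass(new String(Base64.decode(b, 0))).newInstance();
    }
}'''

if __name__ == "__main__":
    for label, src in (("clean", CLEAN_SAMPLE), ("obfuscated", OBFUSCATED_SAMPLE)):
        print(label, triage(src))
```

The obfuscated sample is flagged on two independent signals (a high-entropy string literal and a dynamic class loader), which is why reviewers combine several weak heuristics rather than relying on signatures alone.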

[Figure: an app with an available update]

Malvertising

A seemingly safe application can still spread malware, even if it appears harmless on the surface. This often happens because of the way advertising networks work within apps. Generally, developers need code packages to include advertisements in their apps. These packages are provided by the advertisers who order the ads.

Attackers can exploit this by ordering ad space in a published app and inserting malicious code into the code package. If the app developer is not cautious enough, they may not notice the altered code, and the app ends up spreading malware. The worst part is that, in some cases, app users don't even have to click on the ad – simply seeing it is enough for their device to get infected.

[Figure: malvertising example]

Purchasing applications and infecting through updates

App stores generally review app updates less strictly than new app submissions. Meanwhile, malicious hackers can buy applications with thousands of users for just a few hundred dollars.

This allows them to release malicious updates of the acquired apps, masking the malware so that it evades detection during the review process. Cybercriminals can also push updates whose malicious behavior triggers only after a certain period or after the app has been installed for a while, so the activity isn't visible while the update is being reviewed.

Infected development tools

Not all app developers are cybersecurity experts. Some developers download app development tools from unofficial sources, either out of convenience or due to a lack of awareness.

[Figure: a hacker sharing malware ideas online]

Cybercriminals exploit this by publishing altered versions of development tools, libraries, and Software Development Kits (SDKs) online. These infected tools often contain hidden malicious code that silently inserts malware into apps during development, without the developer's knowledge. As a result, developers may unintentionally publish apps that contain malware, putting users at risk.

Application republishing

Cybercriminals can take a legitimate app, infect it with malicious code, and then re-upload it to official and unofficial app stores. Sometimes they keep the original name or alter it only slightly, making it harder for users to suspect anything. This strategy is hazardous because it can affect widely used apps. For example, because some apps are geo-blocked, an unsuspecting user may look for another way to download them. A user could also notice a similarly named app on the app store and assume it's the official version.

[Figure: a republished application]

What dangers can be hidden in apps?

When you download an app from the app store, you usually trust it with some permissions because, after all, what could go wrong? In short, a lot.

Malware comes in many forms, and its dangers range from minor annoyances like your phone slowing down to theft of all your personal information. Some apps, like spyware, silently track your activities, stealing everything from your call history to your photos, often leading to identity theft. Others, like adware, can flood your device with pop-ups while secretly building a profile of your habits to target you with more ads or malicious attacks.

And I'm not done yet. Ransomware can lock your device and all its files, demanding a ransom to unlock everything. Trojans disguised as legitimate apps can trick you into handing over sensitive information like banking details. On top of that, even seemingly harmless apps can be dangerous: if they are poorly built, malicious hackers can exploit their security flaws and steal your data.

However, the worst of all is that most of the time, all these threats work quietly in the background. That means you can be at risk even now and not realize it.

Cases when malicious apps appeared on app stores

Smartphones store a lot of personal information, including passwords, bank details, photos, and messages. As a result, cybercriminals constantly develop new ways to hack these devices.

There have been several real-world cases where malicious apps slipped through the app store review processes and ended up on users' devices. Here are a few notable cases in which malicious hackers bypassed the app stores' vetting systems.

Sparkcat

On February 5th, 2025, the Kaspersky Threat Research expertise center discovered a new data-stealing Trojan active in the App Store and Google Play Store since at least March 2024.

This malware was based on optical character recognition (OCR). It used machine learning to scan image galleries and steal screenshots containing cryptocurrency wallet recovery phrases. It could also find and extract other sensitive data, such as passwords and images.

This malware spread through infected legitimate apps and lures posing as messengers, AI assistants, food delivery apps, crypto-related apps, and more. On Google Play Store, these apps had over 242,000 downloads.

The Trojan used obfuscation to hide its harmful code, making it hard for anyone reviewing it, including Google Play Store’s automated system, to spot the malware. Once installed, the malware secretly downloaded a file from the internet that gave it the final instructions, like where to send stolen data. This way, the malicious details weren’t in the app when first reviewed, so it passed the review process.

The Joker Virus

The Joker virus was released in 2017 and has remained a significant threat to Android users. It is banking malware whose main task is to subscribe unsuspecting users to premium services. The sad part is that you won't know you've been hacked until you notice extra charges on your phone or credit card bill.

This malware gets onto app stores because cybercriminals use obfuscation techniques to mask its true intentions. Since its release, malicious hackers have disguised it as all kinds of apps – from wallpaper-changing tools and security solutions to popular games. After a user downloads the infected app, the virus collects sensitive information like contacts and SMS data. Then it uses the stolen data to make unauthorized purchases or simulate clicks on ads to generate revenue for the attackers.

While it primarily worked by signing you up for services via SMS, today, there are even more advanced versions of the Joker malware. The virus can now perform online payments in the background, which can cause even bigger financial damage.

Mandrake spyware

Mandrake is an old spyware campaign, first identified around 2016-2017. This spyware disguised itself as a legitimate app and, once installed, stole data and sent it to remote servers. However, in April 2024, Securelist found a new version of it on the Google Play Store, which had been there for around 2 years and had infected over 32,000 devices.

To get onto the Google Play Store, Mandrake used several evasion techniques. First, it hid its malicious actions in obfuscated native libraries, which made it hard for automated systems and reviewers to understand what the program was doing. It also used certificate pinning to secure the malware's connection with the malicious hacker's server so that security tools could not intercept it. On top of that, it checked whether the user's device was rooted (unlocked from manufacturer restrictions) or running in a virtual environment (such as an emulated instance of the phone on a PC), allowing it to stay hidden whenever security systems appeared to be examining it.

How to protect yourself from malicious apps?

So app marketplaces keep improving their detection and security mechanisms, and operating system developers continue to harden their devices. But what can you do to avoid catching malware on your device?

First, never download apps from third-party stores. These stores don't check the published apps, meaning cybercriminals can easily upload infected versions of popular apps. Even in the official stores, stick to trusted developers, because malicious hackers often disguise their apps as legitimate ones. If you do install an app you're unsure of, always review the permissions it asks for. If a photo editor asks for access to your contacts or a flashlight app wants your location, that's a red flag.

There are also some other cybersecurity practices to keep in mind. One of the most important ones is avoiding jailbreaking or rooting your device. Though having more control of your device might look tempting, it also opens up your device to a higher risk of malware and network attacks. Also, make sure to protect your device with antivirus software. It can help detect and remove malware that slips past other security measures, providing an added layer of defense.

Conclusion

To sum up, even if you download apps only from trusted sources, there's no guarantee that you'll be entirely safe. App stores such as Google Play Store and App Store invest a lot of money to effectively detect and prevent malicious apps from entering their stores. However, cybercriminals are not far behind – they constantly improve their strategies and find new ways to bypass these app store audits.

That's why staying vigilant is crucial. Following basic cybersecurity practices and installing reliable antivirus software can significantly reduce the risk of falling victim to malicious apps. Also, be critical and aware of the permissions you grant to your apps since many malicious apps require those permissions to function.