Lukas Stefanko, Malware Researcher at ESET, explains the tricks played on Google Play to mislead users about the functionality of apps by displaying bogus download numbers.
It seems that tricksters on Google Play have found another way to make their deceptive apps appear more trustworthy to users – that is, at least at first sight.
The trick takes advantage of the fact that apart from app icon and name, there is one more element the user sees when browsing apps – the developer name, displayed just below the app name. And since unknown developer names are no use for popularity-boosting purposes anyway, some app authors have been setting fictitious, high numbers of installs as their developer names, in an effort to look like established developers with vast userbases.
We have discovered hundreds of apps using this and similar tricks to deceive users. The apps we’ve analyzed were either misleading users about their functionality or had no functionality at all, yet most display many advertisements.
The freedom to set any number of their choosing as a developer name has inspired some remarkably ambitious claims – one game developer, for instance, would like users to believe his games have been installed more than five billion times. (Note: the highest-ranking apps in terms of number of installs fall into the category “1,000,000,000+” at the time of writing; this category includes Google Play itself, Gmail, Facebook, WhatsApp, Skype, etc.)
In one particular case, we saw a developer change his name from a fake installation number to an actual developer name over time, which might indicate the trick is used as a temporary measure aimed at boosting the popularity of newly uploaded apps.
Besides using fake installation numbers in an attempt to manipulate users into downloading their apps, some app authors have also been using phrases that suggest legitimacy, such as “Legit Apps”, “Verified Applications”, and “Trusted Developers App”. Some also incorporate a check mark symbol, similar to the “verified” badges used for the accounts of well-known personalities and brands on various social media sites. These appear variously in app icons and names, as well as in developer names. As Google Play probably does not offer a developer account verification service, any app sporting such a tag should be considered suspicious.
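As an added illustration, not code from ESET or its research tooling, the following Python heuristic flags developer names that match the patterns described above (a large number posing as a name, legitimacy phrases, check-mark glyphs) so that a store-monitoring pipeline or a reviewer can triage listings for a closer look. The listings are constructed samples, not real apps.

```python
import re
import unicodedata

# Constructed sample listings (not real apps); the fields are what a user sees while browsing.
SAMPLE_LISTINGS = [
    {"app": "Super Racing 3D", "developer": "5,000,000,000+ installs"},
    {"app": "Flashlight Pro", "developer": "Verified Applications \u2713"},
    {"app": "Notes", "developer": "Legit Apps"},
    {"app": "Weather Now", "developer": "Acme Software Ltd"},
    {"app": "Fast VPN", "developer": "Trusted Developers App"},
    {"app": "Photo Editor", "developer": "Installs: 100.000.000"},
]

# A "name" that is really a grouped number (1,000,000 / 1.000.000 / 1 000 000), optionally
# with a trailing "+" and an "installs"/"downloads" label on either side.
_FAKE_COUNT = re.compile(
    r"^\W*(installs?|downloads?)?\W*\d{1,3}([.,\s]?\d{3})+\+?\W*(installs?|downloads?)?\W*$",
    re.IGNORECASE,
)
# Legitimacy-signalling words from the phrases observed in the campaign.
_LEGIT_PHRASES = re.compile(r"\b(legit|verified|trusted)\b", re.IGNORECASE)
# Check-mark glyphs commonly used to imitate a "verified" badge.
_CHECK_MARKS = {"\u2713", "\u2714", "\u2705", "\u2611"}


def suspicious_reasons(developer_name: str) -> list[str]:
    """Return why a developer name looks like a popularity/legitimacy trick (empty list = nothing found).

    This is a triage heuristic for manual review, not a verdict: a legitimate
    developer could in principle use one of these words in its name.
    """
    name = unicodedata.normalize("NFKC", developer_name).strip()
    reasons = []
    if _FAKE_COUNT.match(name):
        reasons.append("developer name is an install count, not a name")
    if _LEGIT_PHRASES.search(name):
        reasons.append("legitimacy phrase in developer name")
    if any(ch in _CHECK_MARKS for ch in name):
        reasons.append("check-mark glyph imitating a verified badge")
    return reasons


def flag_listings(listings):
    """Map app title -> reasons, keeping only listings that triggered at least one rule."""
    return {l["app"]: r for l in listings if (r := suspicious_reasons(l["developer"]))}


if __name__ == "__main__":
    for app, reasons in flag_listings(SAMPLE_LISTINGS).items():
        print(f"{app}: {'; '.join(reasons)}")
```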
How to stay safe
The tricks described in this article are simple, yet potentially effective, ways to mislead users, particularly those who choose apps based on popularity. While none of these apps were outright malicious, these techniques could easily be misused by malware authors in the future. Fortunately, the tricks are also simple to spot, if you know what to focus on:
- Only take the number of installations for an app from the app’s Google Play page, as this is the official number. It is shown in the “Additional Information” section at the bottom of the page.
- Keep in mind that Google Play does not have a “Verified” badge signifying the legitimacy of apps. It does have the “Editor’s Choice” category, marked by the Editor’s Choice badge in the top right corner of the app’s Google Play page.
- Make sure you read user reviews before downloading any app.
- If an app only has a small number of real installs, and/or was only released within the last few days, leave it for others to be the guinea pigs no matter how much you think you want it.