The quick and easy guide to spotting a dodgy app


With 5 million+ apps on Google Play and the App Store - many making huge claims about how amazing they are - it looks like it should be easy to find the perfect product for you.

The flaw in this scheme is that many app descriptions are pure fiction.

This usually isn't about major crime, like hackers trying to infect your device with the latest ransomware (although that sometimes happens, too). Most of the time, it's just developers pretending they're something they're not - perhaps claiming to be some top VPN provider with top-notch technology, when they're actually pushing an open-source app using the slowest public VPN servers in the world. The aim... to make money by displaying a new ad every 10 seconds.

If the app is something simple like a free game or a system tool, you may not care very much. If it doesn't work as promised, just uninstall and try something else.

If the app handles some system-critical function, though, such as antivirus or a mobile VPN, and you don't know the developer, then it's a good idea to check that the app looks trustworthy before you install it. Keep reading for quick tests you can run, and red flags to look out for.


(Image: Google Play app descriptions include the developer's contact details)

Contact details

The best way to begin your app investigation is by checking out the contact details. Do you see everything you expect?

Is there a contact email address, for instance? A website link? Look closely, because the app stores won't always do much to help. 

If the developer hasn't provided an app URL, Google Play won't warn you about that - it just doesn't display the 'Developer Website' box in the app listing. It's up to you to look for that and realize it's missing.

Check that these details are using the provider's own domains, too. Many free apps have generic Gmail contact addresses, for instance, or host their websites on free hosting accounts. That's not evidence they're malicious, but it suggests they're not powered by a real company. And if they're claiming they are, we think that's a red flag.

Mixed branding

Look at the branding of your target app. Is it consistent? Does it make sense?

Go to the Google Play page for Avira Phantom VPN, for instance, and you'll see the app ID (the part after 'id=' in the Google Play URL) is com.avira.vpn; the name is Avira Phantom VPN; the developer is Avira, the email is info@avira.com and the website is https://www.avira.com. Very consistent, just what we'd expect, thumbs up all round.

But suppose you found a free VPN with an app ID of com.reallygoodvpn.com, a name of Ultrasonic VPN, a developer called BestPossibleQualityVPN, with an email of mikesvpn@gmail.com and a website at SomethingStinksVpn.com? Okay, we're exaggerating, but something does probably stink.

Issues like this can't tell you whether an app is harmful, but they're a sign that the app and developer names might not mean very much.

In the free VPN world, many Android VPN apps are owned by the same people. They'll try to disguise this by releasing apps occasionally with new 'brands' ('Flying Fox VPN', 'Oak Tree VPN', 'Pine Furniture VPN', they really don't care), but it's the same product underneath.

Should you trust app developers who take this much trouble to hide what they're doing? It's your call, but we'd say not, especially with important services like a VPN.
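The consistency check described above, written out as a script. This is an added example, not code from the article: it applies the checks to the listing fields the text names (app ID, name, developer, email, website), using the article's Avira example and its made-up 'Ultrasonic VPN' listing as input; FREE_MAIL is an assumed, partial list of free mail providers.

```python
"""Branding-consistency check for an app-store listing.
Added example, not from the article: it applies the checks described
above to the listing fields the text names. The two listings below are
the article's Avira example and its made-up 'Ultrasonic VPN'; FREE_MAIL
is an assumed, partial list of free mail providers."""
from urllib.parse import urlparse

FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}  # assumption

def root_domain(host):
    return ".".join(host.lower().strip(".").split(".")[-2:])  # assumes no co.uk-style TLDs

def domain_from_app_id(app_id):
    """Reverse-DNS app IDs (com.avira.vpn) imply a domain (avira.com)."""
    labels = app_id.lower().split(".")
    if labels[-1] in {"com", "net", "org"}:  # written forwards: com.foo.com
        labels = labels[:-1]
    return ".".join(labels[:2][::-1]) if len(labels) >= 2 else ""

def check_listing(listing):
    """Return the red flags found; an empty list means the branding is consistent."""
    flags = []
    site = listing["website"]
    if "://" not in site:  # stores sometimes show a bare domain
        site = "https://" + site
    site_dom = root_domain(urlparse(site).hostname or "")
    mail_dom = listing["email"].split("@")[-1].lower()
    id_dom = domain_from_app_id(listing["app_id"])
    if mail_dom in FREE_MAIL:
        flags.append(f"contact email uses free mail provider {mail_dom}")
    elif mail_dom != site_dom:
        flags.append(f"email domain {mail_dom} differs from website {site_dom}")
    if id_dom != site_dom:
        flags.append(f"app ID implies {id_dom}, website is {site_dom}")
    dev = listing["developer"].lower().replace(" ", "")
    squashed = (site_dom.replace(".", ""), listing["name"].lower().replace(" ", ""))
    if not any(dev in s for s in squashed):
        flags.append(f"developer '{listing['developer']}' matches neither name nor domain")
    return flags

AVIRA = {"app_id": "com.avira.vpn", "name": "Avira Phantom VPN", "developer": "Avira",
         "email": "info@avira.com", "website": "https://www.avira.com"}
FAKE = {"app_id": "com.reallygoodvpn.com", "name": "Ultrasonic VPN",
        "developer": "BestPossibleQualityVPN", "email": "mikesvpn@gmail.com",
        "website": "SomethingStinksVpn.com"}

if __name__ == "__main__":
    for listing in (AVIRA, FAKE):
        print(listing["name"], "->", check_listing(listing) or "looks consistent")
```

The Avira listing produces no flags, while the made-up listing trips all three checks; none of them proves the app is harmful, only that its branding does not hang together.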


Browse the website

You've looked at the app page, and it has a website with a custom domain which matches the product name? That's good, but it's just the start.

The app stores might display a website URL, but that's no guarantee it works or contains anything useful. Don't just look at the link: click it and see what happens. We've seen 'account expired' messages, 'error 404' pages and template sites with dummy 'lorem ipsum' text, and one VPN app even had a link pointing to a blog with posts about porn sites. If you see anything like that, it's a strong sign that this isn't an app to be trusted (unless it's a 'find the best porn sites' app, maybe).

Maybe the site loads, looks good and seems to be saying the right things. That's great, but dig deeper. Look for links or areas of the site that would take real effort to fake. Is there a Twitter or Facebook link? Click it, make sure it works, and see how often the company posts. With something technical, look for a Support section and check how many articles it has.

Unused social media accounts don't necessarily mean much, as small developers might not have time to make social media posts, so be careful how you interpret that.

We often see sites that are little more than shells, though, with links to social media accounts and other areas which are broken or just go back to the home page. If it feels like the site is set up to fool users who aren't looking closely, we think that's a real red flag.


Small print

We all hate website small print, but it can be very useful if you're investigating.

At TechRadar, we always have a good read of the VPN small print when we review services. Any app should have a privacy policy of its own. But writing one from scratch takes time, knowledge and experience, so many free apps just copy the privacy policy of a commercial VPN.

To check this out, go to the privacy policy of any VPN, free or commercial, and look for a distinctive sentence or two which someone else might decide to steal. 

We went to ExpressVPN and found this: "We do not collect logs of your activity, including no logging of browsing history, traffic destination, data content, or DNS queries." That's long and detailed enough that it's unlikely anyone would come up with the same sentence by accident, but it's also a very good privacy summary which other services might want to <cough, cough> 'borrow.'

Pasting the sentence into Google showed plenty of 'borrowing', too, with 3,460 hits including many free VPNs... and a handful of commercial ones, too!

Be careful how much you read into this: a little copy-and-pasting isn't absolute proof that this is a dodgy app. But if someone's lifted 95% of their privacy policy from NordVPN, while pretending it's their own work, then that's probably a good sign they're not to be trusted.
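The copy check above can be automated once you have both policies as text. This is an added example, not code from the article: it reports which sentences of a suspect policy appear verbatim in a reference policy, and what share of the suspect's five-word windows also occur in the reference, which still catches lightly edited copying. Both policy texts are constructed for the example and are not any real provider's policy.

```python
"""Estimate how much of one privacy policy is lifted from another.
Added example, not from the article: it automates the copy check
described above by comparing sentences and five-word shingles. Both
policy texts are constructed for this example; neither is a real
provider's policy."""
import re

REFERENCE = """We do not collect logs of your activity, including browsing history,
traffic destination, data content, or DNS queries. Our servers are located in
twelve countries. Payment is processed by a third party who never sees your
browsing data."""  # constructed, in the style of a commercial policy

SUSPECT = """Ultrasonic VPN does not collect logs of your activity, including
browsing history, traffic destination, data content, or DNS queries. Payment is
processed by a third party who never sees your browsing data. Ads are served
by our partners."""  # constructed: one sentence lightly edited, one lifted verbatim

SENTENCE_END = re.compile(r"(?<=[.!?])\s+")

def normalise(text):
    """Lower-case and collapse whitespace so line wrapping does not hide a match."""
    return re.sub(r"\s+", " ", text.strip().lower())

def sentences_in_common(suspect, reference):
    """Sentences of the suspect that appear verbatim in the reference."""
    ref = {normalise(s) for s in SENTENCE_END.split(reference) if s.strip()}
    return [s.strip() for s in SENTENCE_END.split(suspect) if normalise(s) in ref]

def shingles(text, k=5):
    """Set of k-word windows; survives the small edits a copier makes."""
    words = re.findall(r"[a-z0-9']+", text.lower())
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}

def copied_fraction(suspect, reference, k=5):
    """Share (0..1) of the suspect's k-word windows that also occur in the reference."""
    own = shingles(suspect, k)
    return len(own & shingles(reference, k)) / len(own) if own else 0.0

if __name__ == "__main__":
    print(f"{copied_fraction(SUSPECT, REFERENCE):.0%} of the suspect policy is shared")
    for s in sentences_in_common(SUSPECT, REFERENCE):
        print("verbatim:", s)
```

On the constructed texts the verbatim check finds only the payment sentence, because the copier changed 'We' to the app name in the first one, while the shingle score shows roughly 60% of the suspect's wording is shared.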

(Image: BlackListMaster searches many blacklists for domains and IP addresses)

Going further

If your app has a website, it's worth checking whether that's being used for anything else. Type the domain into the Subdomain Finder and see what comes up. If the app points to vpn.[domain].com, but other subdomains include porn.[domain].com, casino.[domain].com and bitcoin-trader.[domain].com, then maybe the provider isn't as focused on privacy tools as you'd expect.

Enter site:domain.com at Google, too, to see what other pages and images appear. Are they all about the app you're investigating, or is the developer running a bunch of other businesses from the same site?

There are plenty of regular domain checks you can make, too, if you'd like to be thorough. Was the site registered yesterday, or has it been around for years? Run a WHOIS query to find out. Is it on a spam blacklist, maybe? Enter the domain at BlacklistMaster for a report.

None of these tips can absolutely prove that an app is dodgy, so we'd treat the results cautiously. If a provider fails most of these tests, though, then they're probably best avoided - get back to your favorite app store, run another search and find someone else.


Mike Williams
Lead security reviewer

Mike is a lead security reviewer at Future, where he stress-tests VPNs, antivirus and more to find out which services are sure to keep you safe, and which are best avoided. Mike began his career as a lead software developer in the engineering world, where his creations were used by big-name companies from Rolls Royce to British Nuclear Fuels and British Aerospace. The early PC viruses caught Mike's attention, and he developed an interest in analyzing malware, and learning the low-level technical details of how Windows and network security work under the hood.