A game uploaded by BitDefender, left, was re-uploaded with malicious permissions within days.
The next time you're looking to download the latest version of Facebook Messenger, Twitter or any other popular app, be sure to double-check where it comes from. There are thousands of sketchy apps that mimic official ones — and add anything from banner ads to privacy-invading permissions.
The nature of the Google Play Store and of how Android apps themselves are made makes it relatively easy to take apart a popular app, add a piece, and resubmit it under a different name. It may sound shady, but the idea of a hackable and modular app system can be used for good: combining several messaging apps into one, for instance.
But the nefarious app-makers in question aren't looking to save you time and trouble: They want to make a few bucks off ads, scrape your phone for contacts they can sell, or spam your Twitter feed with links to malware-infected websites. (Apple users don't have this problem — but the capabilities of iOS apps are also much more limited.)
A roundup by BitDefender found that such repackaged apps, which they report make up more than 1 percent of the total, have quite a bag of tricks at their disposal:
It's not easy to tell which permissions an app really needs — perhaps it wants your contact list so you can share things with friends easily, or it needs to access system settings so it can give you notifications — plenty of legitimate apps ask for such things. So how can you tell the difference?
To begin with, you should check from whom the app was released. Apps claiming to be "Facebook"-this or "Insta"-that but not from the companies themselves are far more likely to be problematic.
Read reviews, too. If an app sounds too good to be true ("Twice as fast as the official app!" "Uses half the data!"), see whether others have found it to overpromise or even have negative effects. Of course, there are plenty of spam reviews that obscure the real ones, which is yet another problem.
One thing, however, seems to be a dead giveaway. If an app is obviously trying to imitate the icon or name of a popular app, but with subtle changes — a mirror image, a slightly different shade of blue on the icon, "Messaging" instead of "Messages" — chances are its makers are banking on people not looking closely, and the app should be avoided.
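The three checks above (who published the app, whether its name imitates a well-known one, and whether it asks for more than the genuine app does) can be turned into a simple screening heuristic. The Python below is an added example written for this page, not code from BitDefender, Google or the article's author; the "official" listing, the candidate listings, the permission names and the 0.7 similarity threshold are all constructed assumptions chosen to illustrate the idea, not data from any real store entry.

```python
import difflib

# Constructed example data (hypothetical): a reference listing for the genuine
# app, and three store listings to screen against it.
OFFICIAL = {
    "name": "Messages",
    "publisher": "Example Messaging Inc.",
    "permissions": {"INTERNET", "READ_CONTACTS", "POST_NOTIFICATIONS"},
}

CANDIDATES = [
    {   # the genuine app: same name, same publisher
        "name": "Messages",
        "publisher": "Example Messaging Inc.",
        "permissions": {"INTERNET", "READ_CONTACTS", "POST_NOTIFICATIONS"},
    },
    {   # a look-alike: subtly different name, other publisher, extra permissions
        "name": "Messaging",
        "publisher": "FastApps 2013",
        "permissions": {"INTERNET", "READ_CONTACTS", "POST_NOTIFICATIONS",
                        "READ_SMS", "ACCESS_FINE_LOCATION"},
    },
    {   # an unrelated app: different purpose, so not compared to the official one
        "name": "Weather Radar",
        "publisher": "Some Other Dev",
        "permissions": {"INTERNET", "ACCESS_FINE_LOCATION"},
    },
]

# Assumed threshold: name similarity at or above this counts as imitation.
NAME_THRESHOLD = 0.7


def normalize(name):
    """Lower-case and drop spaces/punctuation so 'Face Book' and 'facebook' compare equal."""
    return "".join(ch for ch in name.lower() if ch.isalnum())


def name_similarity(a, b):
    """Ratio in [0, 1] from difflib; 1.0 means identical after normalization."""
    return difflib.SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def looks_like_official(candidate, official, threshold=NAME_THRESHOLD):
    """True if the candidate's name resembles, or contains, the official app's name."""
    cand, off = normalize(candidate["name"]), normalize(official["name"])
    return off in cand or name_similarity(cand, off) >= threshold


def assess_listing(candidate, official, threshold=NAME_THRESHOLD):
    """Return human-readable red flags for one listing; an empty list means none found."""
    # Only listings that trade on the official app's name are compared further;
    # an unrelated app asking for unrelated permissions is not a repackaging signal.
    if not looks_like_official(candidate, official, threshold):
        return []
    if candidate["publisher"] == official["publisher"]:
        return []  # same publisher as the genuine app: nothing to flag here
    flags = [
        f"name '{candidate['name']}' imitates '{official['name']}' "
        f"(similarity {name_similarity(candidate['name'], official['name']):.2f}) "
        f"but the publisher is '{candidate['publisher']}', not '{official['publisher']}'"
    ]
    extra = sorted(candidate["permissions"] - official["permissions"])
    if extra:
        flags.append("requests permissions the official app does not: " + ", ".join(extra))
    return flags


def screen_all(candidates=CANDIDATES, official=OFFICIAL):
    """Map each candidate name to its list of red flags."""
    return {c["name"]: assess_listing(c, official) for c in candidates}


if __name__ == "__main__":
    for name, flags in screen_all().items():
        print(f"{name}: {flags if flags else 'no red flags'}")
```

The publisher check does the most work: a name that merely resembles a popular app is not suspicious on its own, but the same name from a different publisher that also wants extra permissions is exactly the pattern the article describes. In practice the "official" reference would come from the developer's own store page or the app's signing identity rather than from a hand-written dictionary.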
A little vigilance may save you some trouble down the line — so keep your eyes open and back your phone up often just in case.
Devin Coldewey is a contributing writer for NBC News Digital. His personal website is coldewey.cc.
First published November 19 2013, 1:34 PM