
Sometimes, because some packages are not available in your region's Google Play, you download the APK file and install it on your Android. Is there a way to confirm that the installed package is original and not injected with a trojan? How dangerous is it to your security to install a package from outside Google Play?

Mr.lock

2 Answers

3

When installing apps from the Google Play Store, you're fairly safe since apps are verified by Google before being made available. Google also has a feature called Google Play Protect, which scans your device for malicious apps, including third party apps, and malicious activity.

Of course, there are a few exceptions to this rule, like the recent incident where hundreds of malicious apps infected the Google Play Store.

When installing an app directly from the APK, there is a higher risk of the APK containing malware since you give Android permission to install any third party application. Some things to consider to make sure the APK is safe:

VirusTotal

Upload the APK to VirusTotal and scan it for issues including malware.

NViso ApkScan

Scan the APK with NViso ApkScan and get a detailed report of the file.

Decompile Java

Decompile the Java source code and examine exactly what it's doing. There's a guide on how you can do this here.

Permissions

Look at the permissions the app is asking for and determine whether they look suspicious. Here are some permissions which may raise suspicions (taken from here):

  • READ_CALENDAR
  • WRITE_CALENDAR
  • CAMERA
  • READ_CONTACTS
  • WRITE_CONTACTS
  • GET_ACCOUNTS
  • ACCESS_FINE_LOCATION
  • ACCESS_COARSE_LOCATION
  • RECORD_AUDIO
  • READ_PHONE_STATE
  • CALL_PHONE
  • READ_CALL_LOG
  • WRITE_CALL_LOG
  • ADD_VOICEMAIL
  • USE_SIP
  • PROCESS_OUTGOING_CALLS
  • BODY_SENSORS
  • SEND_SMS
  • RECEIVE_SMS
  • READ_SMS
  • RECEIVE_WAP_PUSH
  • RECEIVE_MMS
  • READ_EXTERNAL_STORAGE
  • WRITE_EXTERNAL_STORAGE

See more on permissions here.

App Signature

Make sure the app signature is valid. There's already an answer on Stack Exchange which explains how to make sure the signature is valid.

Avoid Third Parties

Don't install apps from third parties at all. It's much safer to get apps from genuine sources like the Google Play Store, where the apps are already scanned.

Available Updates

If there is a version of the app on the Play Store, after installing the APK you can check the app on the Play Store and if there is an option to update the app due to the APK being old, this would suggest that the APK is genuine.

Joe

It's about as safe as drinking from a random cup that you found on a street. A lot of the time, it probably won't harm you, but occasionally you'd find that it might not actually contain just what you expect it to be.

Installing from outside of the Play Store could be safe, if you downloaded the APK from the developer's official website and if you check the package's cryptographic signature against the developer's (assuming the developer published their certificate in a trustworthy way and you know how to correctly verify a cryptographic signature). This is also assuming that the developer manages their official site competently; if they consider the Play Store to be their primary distribution point, they might not have taken much time setting up their website securely.

It could also be safe if, by third party, you mean third-party app stores like the Amazon App Store or F-Droid, when the apps are uploaded there by the original app developer.

But it could also be virus-infected if you downloaded the APK from a random download or torrent site. Sites that distribute hacked APKs are particularly dangerous, as they often modify the APK to bypass any access control that might exist in it, which makes it impossible to check its cryptographic signature to detect modifications.

Lie Ryan
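A standard-library-only triage script for the hash (VirusTotal) and signature checks from Joe's answer and the signature point from Lie Ryan's answer; this is an added example, not code from either answer. It hashes the file, reports whether the APK carries v1 (META-INF) signature files and a v2/v3 APK Signing Block, and lists the dex entries; the sample APKs are constructed in-memory stand-ins. A signature being present only proves the file is intact under some key, so the signing certificate's fingerprint still has to be compared against the developer's published one (for example with `apksigner verify --print-certs`).

```python
import hashlib
import io
import struct
import zipfile
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"  # 16-byte magic that ends the v2/v3 APK Signing Block

def _central_directory_offset(data: bytes):
    """Return (eocd_position, central_directory_offset), or None when no End Of Central Directory record exists."""
    eocd = data.rfind(b"PK\x05\x06")  # EOCD signature; rfind skips over any trailing zip comment
    if eocd < 0 or eocd + 22 > len(data):
        return None
    return eocd, struct.unpack_from("<I", data, eocd + 16)[0]

def triage_apk(data: bytes) -> dict:
    """Offline pre-install checks on a sideloaded APK: file hash, signature presence, code entries."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    # v1 (JAR) signing leaves a signature block file next to MANIFEST.MF / CERT.SF under META-INF/.
    v1_sigs = sorted(n for n in names
                     if n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC")))
    # v2/v3 signing stores an APK Signing Block whose last 16 bytes sit right before the central directory.
    loc = _central_directory_offset(data)
    v2 = loc is not None and loc[1] >= 16 and data[loc[1] - 16:loc[1]] == APK_SIG_BLOCK_MAGIC
    return {
        "sha256": hashlib.sha256(data).hexdigest(),  # compare with the developer's published hash or look up on VirusTotal
        "v1_signature_files": v1_sigs,
        "has_apk_signing_block": v2,
        "dex_files": sorted(n for n in names if n.endswith(".dex")),
    }

def build_sample_apk(v1_signed: bool, v2_signed: bool) -> bytes:
    """Constructed stand-in for an APK: a zip with the usual entries plus optional dummy signature material."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed binary-XML manifest placeholder>")
        zf.writestr("classes.dex", b"dex\n035\x00constructed")
        if v1_signed:
            for name in ("META-INF/MANIFEST.MF", "META-INF/CERT.SF", "META-INF/CERT.RSA"):
                zf.writestr(name, b"<constructed placeholder for " + name.encode() + b">")
    data = buf.getvalue()
    if not v2_signed:
        return data
    # Splice an empty APK Signing Block (size, zero pairs, size, magic) before the central directory and repoint the EOCD.
    eocd, cd_offset = _central_directory_offset(data)
    block = struct.pack("<QQ", 24, 24) + APK_SIG_BLOCK_MAGIC
    patched = bytearray(data[:cd_offset] + block + data[cd_offset:])
    struct.pack_into("<I", patched, eocd + len(block) + 16, cd_offset + len(block))
    return bytes(patched)
```

Run `triage_apk(open("app.apk", "rb").read())` on a real download; an APK with neither a v1 signature file nor a signing block cannot be verified at all and should not be installed.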