As an Android user, you might assume it’s safe to download apps from the Google Play Store. That’s understandable, but not entirely accurate.
Stringent security checks make the Play Store the safest place to get Android apps, but not an entirely safe one. Google’s app store is a prime target for both cybercriminals and developers who monetize (and therefore compromise) your data, and will never be 100% risk free.
That’s why you need to shop for apps conscientiously: vetting apps before downloading them, auditing apps you’ve already downloaded, and securing your device data in case of a breach.
How malicious apps get past Google
Last year, Google blocked 1.75 million policy-violating apps from publication and banned over 80,000 developer accounts. Google Play Protect, which is built into most Android devices, blocked 266 million risky installation attempts.
But Google can only do so much. Cybercriminals consistently find ways to bypass Google’s pre-publishing and pre-installation scans.
Popular strategies include:
- Submitting clean apps for review then pushing malicious activity via remote updates.
- Disguising malicious apps as simple (and functional) utility apps such as a document scanner or PDF reader.
- Disguising malicious apps as a security or antivirus app, a particularly devious and effective disguise — if a user is anxious to fix a problem, they’ll be less likely to scrutinize before installing.
2,029 apps are published on the Play Store every day, so it’s inevitable that some malicious apps slip through Google’s net. Last year, Bitdefender uncovered an ad fraud campaign codenamed Vapor that involved at least 331 malicious apps, some of which were collecting user credentials and credit card data.
These apps were downloaded from the Play Store over 60 million times.
Legitimate apps can still put your data at risk
Malicious apps aren’t the only hazards to watch out for on the Play Store. There are also legitimate apps that quietly collect and store your personal and tracking data, and share it with third parties, such as ad networks.
Last year, NowSecure tested 25,000 apps across iOS and Android and found that 75% of the iOS apps and 70% of the Android apps tested both collected sensitive data and contacted tracking domains.
Google allows these apps on the Play Store because their developers openly disclose what data they collect and why in the data safety section of the app’s product page.
Google tightened its policy in 2025, blocking 255,000 apps from gaining “excessive access” to sensitive data. That still leaves thousands of apps unblocked that collect data within the letter of Google’s policy, but far in excess of what users might expect.
This isn’t just a privacy concern: it’s also dangerous. Legitimate but data-hungry apps routinely share user data with advertising SDKs and analytics partners. These third parties can then pass that data on to unscrupulous data brokers.
Every link in this chain is a potential breach-point. If your data is compromised, you might not find out about it until it’s too late.
What to look out for: a five point checklist
There’s no authoritative, up-to-date blacklist of banned (and should-be-banned) apps that you can refer to.
But there are things you can look out for to identify risky apps:
- Check the data safety section: Has the developer explained what data they collect and how they will use it? An empty data safety section is a big red flag, of course, but so is a policy that doesn’t match with the app’s functionality. A torch app shouldn’t need to know your contacts.
- Read the permission requests: Once you’ve installed an app, it will often request access to your location, contacts, storage, camera, and/or microphone. Sometimes that makes sense, but other times it seems excessive. Again, does a wallpaper app need to know your location?
- Check the developer name and history: Is the developer a named company with other published apps and a web presence? Or is it a one-person account with this single app to their name, and no trail to add context?
- Check if reviews are real: Fake reviews tend to show up in obvious patterns. A wall of five-star reviews posted in a short period is a known manipulation tactic. Check for critical reviews interspersed with positive reviews, and for a wide spread of dates.
- Watch out for free utility apps: The most common disguises for both malicious apps and data-harvesting apps are free flashlight and battery apps, keyboard apps, free photo editors, weather apps with location access, and ad-supported games. If an app is free and you can’t see how its function could possibly make its developers money, then the answer could be that your data is their revenue model.
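To apply the permissions check above to every app already on a device rather than one at a time, here is an added example script (not part of the original article) that parses the text printed by `adb shell dumpsys package` and lists, per package, each sensitive runtime permission that has actually been granted. The embedded `SAMPLE_DUMP` is a constructed excerpt in that format so the script runs without a phone; with a device attached and USB debugging enabled it reads the real output through adb.

```shell
#!/bin/sh
# Added example, not from the original article: list every installed package that
# has actually been GRANTED a sensitive runtime permission, from the text that
# `adb shell dumpsys package` prints. Without a device it runs on SAMPLE_DUMP.

# Permissions a user would normally expect only from apps whose function needs them.
SENSITIVE='ACCESS_FINE_LOCATION|ACCESS_COARSE_LOCATION|READ_CONTACTS|RECORD_AUDIO|CAMERA|READ_SMS|READ_CALL_LOG'

# Constructed sample: a torch app holding location and contacts (the mismatch the
# checklist warns about) and a messenger whose grants match what it does.
SAMPLE_DUMP='Packages:
  Package [com.example.torch] (1a2b3c):
    requested permissions:
      android.permission.ACCESS_FINE_LOCATION
      android.permission.READ_CONTACTS
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
  Package [com.example.messenger] (4d5e6f):
    User 0: installed=true
      runtime permissions:
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.CAMERA: granted=false, flags=[ USER_SET ]'

# flag_sensitive_grants: reads dumpsys text on stdin and prints "package permission"
# for each sensitive permission with granted=true. A permission that is merely
# requested, or granted=false, is not reported: only live grants expose data.
flag_sensitive_grants() {
  awk -v pat="$SENSITIVE" '
    # Each package section opens with "Package [name] (hash):".
    /^ *Package \[/ { pkg = $2; gsub(/\[|\]/, "", pkg); next }
    # Granted permission lines look like "android.permission.X: granted=true, ...".
    /^ *android\.permission\.[A-Z_]+: granted=true/ {
      perm = $1; sub(/:$/, "", perm); sub(/^android\.permission\./, "", perm)
      if (perm ~ ("^(" pat ")$")) print pkg, perm
    }'
}

# With a device attached and USB debugging enabled, audit the real installed set;
# otherwise demonstrate on the constructed sample.
if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
  adb shell dumpsys package | flag_sensitive_grants
else
  printf '%s\n' "$SAMPLE_DUMP" | flag_sensitive_grants
fi
```

On the sample this reports the torch app's location and contacts grants and the messenger's contacts grant, but not the messenger's denied camera permission or the torch app's ordinary INTERNET grant; anything reported for an app whose function does not need it is a candidate for revoking in Settings or uninstalling.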
How to protect your data
Even if you’ve done your due diligence, you may still end up downloading a malicious app from the Play Store. But with the right protections in place, you can limit the damage that app can do.
Encrypt your connection with Proton VPN
Malicious apps will often attempt to transmit your data (including your browsing behavior, location, and device identifiers) over an unencrypted connection.
Enter Proton VPN, a secure VPN which:
- Encrypts all data to and from your phone at network level, making transmission and interception of browsing behavior, location, and device identifiers significantly harder
- Prevents network-level surveillance on public WiFi (a common attack vector for compromised apps)
- Blocks the data transmissions that analytics SDKs rely on (via the built-in tracker blocker NetShield), limiting what data developers can share with third parties
Protect your credentials with Proton Pass
Malicious apps use invisible keyloggers and phishing overlays to steal login credentials. This can be particularly damaging if you — like many — reuse the same passwords across multiple accounts.
Proton Pass is a secure password manager that addresses both problems:
- Generates unique passwords for every account you create, so if one gets breached, they don’t all get breached
- Protects passwords, passkeys and credit cards with end-to-end, zero-knowledge encryption. This means your credentials are encrypted on your device before they leave it, and not even Proton can access them.
Know how to remove malware
If you’re concerned that your device may have been compromised, or you want to know what to look for if it ever is, make sure you recognize the signs that your phone has been hacked.