Apple and Google say they're doing their best to keep malicious apps out of their stores, but some still find their way in.
Bree Fowler writes about cybersecurity and digital privacy. Before joining CNET she reported for The Associated Press and Consumer Reports. A Michigan native, she's a long-suffering Detroit sports fan, world traveler, wannabe runner and champion baker of over-the-top birthday cakes and all-things sourdough.
Expertise cybersecurity, digital privacy, IoT, consumer tech, smartphones, wearables
Be careful what you download. Just because an app has made it through the usually strict vetting of Apple or Google doesn't guarantee that it's 100% safe.
To their credit, both tech giants are constantly on the hunt for apps that don't play by their rules. For example, Apple says it rejected nearly 1.7 million app submissions last year for failing to meet its standards for privacy, security and content, while Google says it stopped 1.4 million policy-violating apps from being published in its store.
Despite those efforts, malicious apps out to steal your money or personal information still make it through the process. Researchers routinely find apps infected with malware designed to steal data, turn devices into bots used in denial-of-service or spam attacks or just load up your phone with unwanted ads that they can harvest fake clicks from to make money.
Generally speaking, those research reports quickly grab the attention of Apple and Google, who more often than not immediately remove the offending apps from their stores and take action against the developers behind them. But researchers warn that an app doesn't have to be obviously malicious, or even violate Apple or Google's rules for developers, to cause problems for users.
British cybersecurity company Sophos recently released a report singling out apps in both the Apple and Google stores that it says are using the popularity of open-source artificial intelligence tools like ChatGPT to rip off consumers.
According to Sophos, the apps take advantage of loopholes in app-store policies to masquerade as ChatGPT-based chatbots, then overcharge those suckered into downloading them for their use.
The researchers say the free versions of the apps have "near-zero functionality" and inundate users with ads, which then prompts them to sign up for paid subscriptions that could cost them hundreds of dollars per year.
"They're banking on the fact that users won't pay attention to the cost or simply forget that they have this subscription," Sean Gallagher, a principal threat researcher at Sophos, said in a statement.
Gallagher adds that the apps are specifically designed so that users might not get much use from them after the free trial ends, which could get them to delete the app without realizing that they're still paying for it on a weekly or monthly basis.
The researchers investigated five of the so-called "fleeceware" apps, which all claimed to be based on ChatGPT's algorithm. While OpenAI, the company behind ChatGPT, offers a free version of the AI online, the apps in question were charging hefty subscriptions to do much of the same thing.
For example, one app charges $6 per week after a three-day trial. That may not seem like much, but it adds up to more than $300 a year.
While some of the apps singled out in the report have since been removed from their respective app stores, others remain. The Sophos researchers noted in their report that because the apps are designed to sit just on the edge of violating developer rules, they don't automatically trigger the kinds of automatic app store rejections that overtly malicious apps do.
They also pointed to the fact that both Apple and Google take hefty cuts of the money developers make from app subscriptions, giving them a strong financial incentive to allow the apps to stay in their stores and let the developers keep charging consumers.
Google released a statement saying that as noted in the Sophos report it has removed some of the apps mentioned and continues to investigate the others. It also pointed to its recent efforts to strengthen its anti-fleeceware policies. Apple didn't respond to a CNET request for comment.
Ultimately, it's up to users to be on the lookout for potentially misbehaving apps. Even when apps are removed from the stores, whether they be overtly malicious or just poorly made and scammy, the researchers say new ones quickly pop up in their place.
Here are some tips for spotting potentially malicious and scammy apps.
How to spot scam apps
Check the permissions. Listings in both Apple and Google's app stores will show you exactly what a particular app wants to access in terms of your personal information. Sure, a maps app probably does need to access your location from time to time, but does that silly, time-wasting puzzle game you love so much? Don't be afraid to say no if an app asks for access to data it doesn't need.
Audit your apps. This can also be good for keeping your monthly spending in check. The settings in both Apple and Android phones will show you what apps you're subscribed to and how much you're paying for them. Sometimes it's easy to forget that you're still paying for apps that you just don't use anymore. And if your "free trial" has turned into a hefty recurring charge, you'll be able to see that too.
Remember, good reviews don't automatically equal legitimacy. App reviews can be faked and copied. Don't automatically assume that just because an app has thousands of five-star reviews that it's safe. Recently released apps that already have lots of positive reviews should particularly be treated with suspicion. On the flip side, numerous bad reviews and low ratings also should be seen as red flags.
Check the icon and look for typos. If an app's icon looks just like that of a popular one but is a little bit off, it could be a knock off. Lots of typos in an app's description could also be a sign of that.
Be skeptical of big claims. Just like when it comes to emails and texts, apps that offer great deals on hot retail items, cheat codes for games or anything else that's in high demand at the moment have the potential to be scams. Buyer beware.
Avoid third-party app stores. The apps in both Apple and Google's stores are vetted by those companies before they're allowed in. Apps downloaded from elsewhere might not be. They could easily be carrying malware or looking to rip you off. Avoid them.