Late last month, Google issued a warning that highlighted the potential dangers of sideloading apps. The guidance was predominantly aimed at any Huawei smartphone users looking for a way to get around the ongoing Android ban, but it’s a piece of advice that’s been repeated countless times before. Is sideloading really as dangerous as it sounds?
First, some background. Huawei was blacklisted by the US government last year and, as a consequence of this, the latest Huawei phones are unable to run the full version of Android. In practical terms, that means users officially can’t download popular Google-made apps like Gmail, YouTube and the like, and can’t access the Google Play Store either.
In response, Huawei is trying to populate its own app store, called App Gallery, with as many big-name apps as possible. But a host of massive ones are missing, including Facebook, WhatsApp and, of course, Google’s entire portfolio.
This is creating two potential issues:
- Some unofficial apps that are designed to look like gateways to some of those missing apps have started gaining traction on App Gallery.
- Some Huawei phone users are looking to download some of those missing apps from unofficial sources, a practice better known as ‘sideloading’.
Here’s what Google says about sideloading apps:
“Sideloaded Google apps will not work reliably because we do not allow these services to run on uncertified devices where security may be compromised. Sideloading Google’s apps also carries a high risk of installing an app that has been altered or tampered with in ways that can compromise user security.”
So what could go wrong if you sideload an app?
“I don’t want to moan about third-party app stores because actually they serve a purpose,” Raj Samani, chief scientist and fellow at McAfee, told Trusted Reviews.
“There are app stores that are language-specific, there are app stores that give you content that you wouldn’t get in the traditional app stores. I don’t think they’re bad per se.
“They are riskier [than official app stores] but it’s percentage points. There’s not a 90/95% likelihood that you’re going to get malware [from sideloading an app].”
In order to appear on Google Play, an app requires approval from Google. Even then, dodgy ones seem to get through on a fairly regular basis.
Apps that are available from unofficial app stores, however, don’t need to be vetted. Therefore, whenever you sideload an app you’re taking a much bigger risk with your security.
“What seems to be a bargain in some cases could turn out to be a malicious or fake app, designed to steal your personal data,” Steve Wilson, the director of NortonLifeLock for the UK and Ireland, told Trusted Reviews.
“It’s best practice to stick to official app stores and research what you are opting in for. Ensure you understand what you’re installing onto your smartphone and check what access you are providing to new applications.”
Advice that’s regularly dished out to smartphone users is to check an app’s reviews and ratings, and find out how long it’s been available for, before downloading it.
However, according to McAfee, cybercriminals are making it increasingly difficult for users to tell a good app from a malicious one.
Last year, the company discovered a new malware family, called LeifAccess or Shopper, which can post fake reviews designed to make malicious apps appear not only harmless, but good.
“One example of an app that appears to have many fake reviews is Super Clean-Phone Booster, Junk Cleaner & CPU Cooler,” McAfee’s new Mobile Threat report explains.
“This app had a 4.5 star average rating and more than 7000 reviews, many of them containing phrases provided by LeifAccess command and control server such as ‘very simple and useful’, ‘very good mobile app cleaner’, ‘Great, works fast and good’, and 25 other phrases in more than one language that can be used alone or in combination to make them appear varied and more genuine.
“LeifAccess also looks for reviews that match words and phrases related to positive reviews and can give them a five-star rating to boost their visibility and ranking. At best, this increases the likelihood of users downloading poor quality apps. At worst, these fake reviews may legitimize malicious apps and perpetrate additional frauds. Super Clean-Phone Booster, Junk Cleaner & CPU Cooler has since been removed from Google Play because it was found to be distributing LeifAccess via malvertising.”
The moral of the story? Not all apps that are available to sideload are dangerous, but if you want to stay safe it’s best to stick to official sources.
Though reviews and rankings aren’t foolproof, on the whole they’re still good indicators of legitimacy. Just take more time when you go through them, and keep an eye out for repeated use of the same simple phrases.
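The check suggested above, looking for the same simple phrases repeated across an app's reviews, can also be run in code. This is an added example, not taken from the article or from McAfee's report: the function names, the `min_reviews` threshold and the sample reviews are constructed for illustration, and only the three stock phrases are the ones quoted above.

```python
import re
from collections import Counter

# Constructed sample: six reviews assembled from the three phrases quoted in
# the article, alone or combined, plus two ordinary-looking reviews.
SAMPLE_REVIEWS = [
    "Very simple and useful!",
    "Great, works fast and good. Very simple and useful",
    "very good mobile app cleaner",
    "Very good mobile app cleaner, very simple and useful.",
    "Great, works fast and good",
    "Great, works fast and good! Very good mobile app cleaner.",
    "Cleared about 2 GB on my old tablet but the ads are constant.",
    "Crashes on launch since the last update, uninstalled.",
]


def clauses(review):
    """Lower-case a review and split it into punctuation-delimited clauses."""
    parts = re.split(r"[.,;!?\n]+", review.lower())
    cleaned = (" ".join(re.findall(r"[\w']+", p)) for p in parts)
    return [c for c in cleaned if c]


def stock_phrase_report(reviews, min_reviews=3):
    """Find clauses reused across reviews and the reviews built only from them.

    Returns (stock, templated, share):
      stock     - clause -> number of distinct reviews containing it
      templated - indexes of reviews made up entirely of stock clauses
      share     - fraction of all reviews that are templated
    """
    per_review = [set(clauses(r)) for r in reviews]
    seen_in = Counter(c for cs in per_review for c in cs)
    stock = {c: n for c, n in seen_in.items() if n >= min_reviews}
    templated = [i for i, cs in enumerate(per_review)
                 if cs and cs.issubset(stock)]
    share = len(templated) / len(reviews) if reviews else 0.0
    return stock, templated, share


if __name__ == "__main__":
    stock, templated, share = stock_phrase_report(SAMPLE_REVIEWS)
    for phrase, count in sorted(stock.items()):
        print(f"{count} reviews reuse: {phrase!r}")
    print(f"{share:.0%} of reviews consist only of reused phrases")
```

A high share is a reason to read the reviews more closely, not proof of fraud: short genuine reviews also repeat common wording, so the threshold needs tuning against the size of the review set.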
“You just need to be conscious of what you’re doing,” Samani said. “Whether it’s an official store or a third-party store, you need to ask: do I need this app? Do I absolutely need it?”