
8 Warning Flags to Help You Find Fraudulent Apps

From fleeceware and hard-to-cancel subscriptions to malware and malicious code, here’s what to be on the lookout for



There’s a frightening reality when it comes to fraud: The bad guys generally know where to find you.

And crooks are snookering victims through myriad apps that people willingly download onto their smartphones. App fraud takes different forms:

  • Some apps carrying malware or malicious code are copycats if not outright fakes.
  • Some provide what is promised in their descriptions but lure you with free trials that quickly convert into costly and difficult-to-cancel subscriptions.
  • Some fleece consumers for services that are free or inexpensive elsewhere.

And sometimes scammers exploit perfectly legitimate apps from reputable developers for nefarious purposes — to steal your data, identity or money.

“Facebook started with good intentions to connect people from all over the world, but we know it’s a hotbed for scams. Same with LinkedIn, Instagram, Words With Friends, any of those spaces,” says Amy Nofziger, director of victim support for the AARP Fraud Watch Network. “Where people are at, the scammers will meet you there, and they will use them to their advantage.”

Folks download apps for lots of swell reasons: convenience, entertainment, social networking, utility and because they may even save money. The prevalence of apps fraud is not a reason to ditch them.

But you should not have a false sense of security because you are using an app instead of patrolling cyberspace on your PC or reading suspicious emails. In those situations, you may have been conditioned to be more cautious.

Here are some of the warning flags of potentially fraudulent apps, along with steps to minimize the risk.

1. Consider where the app came from

“The biggest threat as far as getting a downright malicious app is getting it from a website instead of an app store,” said Christopher Budd, former senior global threat communications manager at Avast, a digital security firm headquartered in the Czech Republic. Budd strongly recommends sticking with Apple’s App Store for iOS and the Google Play Store for Android.

Even so, the risks are generally elevated on Android, experts suggest. Apple makes app developers jump through tighter hoops before admitting them to its App Store.

Android is also built on open source code, which can be modified and shared because its design is publicly available, and Android phones allow apps to be installed from sources other than the Play Store. That openness is what lets a malicious look-alike reach your phone without ever passing through a store's review.

Historically, if an Android version of a popular iOS app lagged, “the bad people would jump in during that window of opportunity and start offering their malicious look-alike for Android before the actual legitimate one came out,” said Budd, who now leads a cybersecurity team at the United Kingdom-based Sophos security firm.

But even Apple concedes that its App Store isn’t 100 percent immune from fraud. Nearly 2 percent of the 1,000 highest-grossing apps on the App Store are scams, according to a 2021 Washington Post analysis. Consumers were bilked out of an estimated $48 million.

Apple said it prevented more than $2 billion in potentially fraudulent transactions in 2022 and rejected nearly 1.7 million app submissions for failing to meet the company’s standards for quality and safety. Another 428,000 developer accounts were terminated for possible fraudulent activity, and some 153,000 submissions were rejected for being spam, copycats or misleading.

Some bogus apps still slip through. On Feb. 7, LastPass alerted customers in a blog post that a copycat app attempting to pose as the company’s password manager app showed up in Apple’s App Store. Apple removed the fraudulent app a day later and was also planning to kick the developer out of the Apple Developer Program.

2. Carefully investigate what’s free

“Freemium” apps encourage users to spend money for extra features, to remove advertising or to advance in a game. Scammers aren’t exactly transparent about your financial obligations.

“Dig in on the store site to see what the payment requirements are,” Budd says. Closely examine the terms and conditions and in-app purchase descriptions, and be on the lookout for recurring charges. Make sure you are also aware of deadlines before payments begin. Report abuses.

Periodically review the subscriptions you have. On an iPhone, navigate to Settings | Your Name | Subscriptions. On Android, open the Play Store, tap your profile picture, then Payments & Subscriptions | Subscriptions. Also check your bank and credit card statements for app charges that may be billed outside of Apple or Google, since those will not appear in either list.

In 2021, researchers at Avast identified around 200 so-called fleeceware apps with more than 1 billion downloads and $400 million-plus in revenue. Such apps, found in both the Apple App Store and Google Play Store, hooked consumers with short-term trials, only to change them to plans that ran as high as $3,432 annually.

In some instances, charges continued even after people deleted apps. The flagged fleeceware included camera filters, fortune tellers, image editors, musical instrument apps, palm readers, QR code and PDF readers, and slime simulators.

To mitigate some risk, “use the applications and utilities that came with your phone” whenever possible, says Alexis Hancock, director of engineering at the Electronic Frontier Foundation, a nonprofit that defends civil liberties in the digital world.

Budd has another tip that may work for some families, especially those trying to protect an older relative. Head to the parental-control sections inside the settings on the phone — they’re not just for safeguarding kids — and disable or restrict in-app purchases.

3. Read recent reviews and comments

Reviews are a mixed bag. Just as apps can be fake so can reviews. 

A flood of fawning and repetitive four- or five-star reviews can be a sign of something fishy. Read negative reviews, which may be more revealing.

“If [an app developer] made enough people mad, that usually helps” you detect an issue, Hancock says. See how many downloads an app has, and do your due diligence on the developer.


4. Know to whom you are talking

A telltale sign of a scam comes the instant you see a money request, typically from a swindler pretending to be from Amazon, the IRS, Social Security, a sweepstakes company or tech support. 

Or perhaps it's someone feigning romantic interest or claiming to be helping a loved one in an accident. Scammers use social engineering and prey on your emotions.

Don’t let your guard down even if you initiated the contact, say, with someone advertising the sale of cute puppies, Nofziger says.

App scams don’t necessarily start inside an app. An exchange can start over the phone, through a bogus phishing email, via text or in an instant message before the person asks you to download an app.

When the con artist does ask you to install an app, your suspicions should be heightened. The app may surreptitiously unleash malware or spyware or effectively give the person the keys to your data. Nofziger has heard from victims conned into letting scammers remotely control their phones through legitimate remote-access apps such as TeamViewer and AnyDesk.

“If you have banking information, contact information, Facebook, whatever it is on your device, they literally have access to it,” she says.

5. Don’t send money

Nofziger is equally wary of peer-to-peer apps, including Cash App, Venmo and Zelle, that you might use to pay a babysitter or the kid who cuts your lawn. 

They’re convenient and legitimate. But they lack the dispute protections you get with a credit card, so a payment is only as safe as your trust in the recipient. Zelle, which is owned by seven big banks, spells out on its website that if you authorized a payment that turned out to be a scam, you may not be able to get your money back.

“There’s no problem with the app per se,” Budd says. “What’s happening here is you’ve been duped or coerced into using that app as your conduit to facilitate the transfer of money to the fraudsters.”

6. Avoid pressure to move to another app

Criminals may ask people to download Google Chat, Telegram, WhatsApp or other communication apps to “get the person off of the platform where they met and take them to a channel that is not being monitored,” Nofziger says. 

Match.com, for instance, advises singles to keep exchanges inside the app until they get to know their potential dating partner better.

7. Don’t share location, contacts unless necessary

“Your phone is with you at all times, and a lot of applications ask for location information,” Hancock says. “I would say that’s the most leaky information probably for any app.” 

Don’t reveal other personal information inside apps, including your contacts. Such data can be used to build profiles of you and the people you know, and then to target you or them with advertising or, worse, scams.

8. Run security software

As a last line of defense, especially on Android, make sure your device has up-to-date security software, such as an antivirus program from a vetted provider. A virtual private network (VPN) app from a vetted provider can protect your traffic on untrusted Wi-Fi, but it does not detect or block a malicious app already on your phone, so don’t treat it as a substitute for antivirus.

“I never say anything makes you completely protected, but those layers of security can help you be more diligent,” Hancock says. She also recommends checking the security and privacy settings on your phone that are turned on by default, and if you’re not sure what they do, ask a tech-savvy friend.

“Knowledge is power in this case,” Hancock says, and it may help you avoid fraud.

Beware of ‘stalker’ or spyware apps

Stalking apps, which also go by the names spyware and stalkerware, are apps that can surreptitiously monitor what you are doing, including passwords, phone conversations, and texts and emails. 

Some can turn on your camera and microphone remotely. Often they are surreptitiously downloaded onto your phone by a domestic abuser or a disgruntled ex.

Signs that such an app may be on your phone include a battery that seems to drain faster than it used to, changes in the phone’s settings, an unexplained increase in your data use and an abuser who either had physical access to your device or who seems to know an awful lot about your phone’s activity, according to the Federal Trade Commission. 

On Sept. 1, 2021, the FTC sued the parent company of the stalkerware SpyFone app. The FTC says you won’t want to tip off an abuser by uninstalling the app but instead should contact a domestic violence counselor and possibly law enforcement.

This story, originally published September 10, 2021, has been updated with fresh statistics, and news of a fraudulent LastPass app.
