Tricksters have been misleading users about the functionality of apps by displaying bogus download numbers

It seems that tricksters on Google Play have found another way to make their deceptive apps appear more trustworthy to users – that is, at least at first sight.

The trick takes advantage of the fact that apart from the app icon and name, there is one more element the user sees when browsing apps – the developer name, displayed just below the app name. And since unknown developer names are no use for popularity-boosting purposes anyway, some app authors have been setting fictitious, high numbers of installs as their developer names, in an effort to look like established developers with vast userbases.

We have discovered hundreds of apps using this and similar tricks to deceive users. The apps we’ve analyzed were either misleading users about their functionality or had no functionality at all, yet most display many advertisements.

The freedom to set any number of their choice as a developer name has inspired some remarkably ambitious claims – one game developer, for instance, would like users to believe his games have been installed more than five billion times. (Note: the highest-ranking apps in terms of number of installs fall into the category “1,000,000,000+” at the time of writing; this category includes Google Play itself, Gmail, Facebook, WhatsApp, Skype, etc.)

In one particular case, we saw a developer change his name from a fake installation number to an actual developer name over time, which might indicate the trick is used as a temporary measure aimed at boosting the popularity of newly uploaded apps.

Besides using fake installation numbers to attempt to manipulate users into downloading their apps, some app authors have also been using phrases indicating legitimacy, such as “Legit Apps”, “Verified Applications”, and “Trusted Developers App”. Some also incorporate a check mark symbol, similar to those used as “verified” badges for the accounts of well-known personalities and brands on various social media sites. These are variously included in app icons and names, as well as in developer names. As Google Play does not offer a developer account verification service, any app sporting such a tag should necessarily be considered suspicious.
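
For anyone reviewing store listings in bulk, the developer-name tricks described above can be screened for with a simple heuristic. This is an added example, not code from the original article: the function name, the check-mark list and the sample names are assumptions constructed for illustration, and a hit is a prompt for manual review rather than a verdict.

```python
import re
import unicodedata

# Phrases the article reports in app icons, app names and developer names.
LEGITIMACY_PHRASES = ("legit apps", "verified applications", "trusted developers app")

# Check-mark code points (constructed list, an assumption; extend as needed).
CHECK_MARKS = {"\u2713", "\u2714", "\u2705", "\u2611"}

# A name that is nothing but a number, optionally with a magnitude word, a "+"
# and an install/download noun, e.g. "5,000,000,000+" or "100 Million Downloads".
INSTALL_CLAIM = re.compile(
    r"""^\W*(?:installs?|downloads?)?\W*
        \d[\d,.\s]*\s*(?:thousand|million|billion|k|m|b)?\s*\+?
        \W*(?:installs?|downloads?|users?)?\W*$""",
    re.IGNORECASE | re.VERBOSE,
)


def flag_developer_name(name: str) -> list[str]:
    """Return the reasons a developer name reads as a popularity or trust claim."""
    # NFKC folds full-width digits and similar look-alikes to their plain forms.
    text = unicodedata.normalize("NFKC", name).strip()
    reasons = []
    if INSTALL_CLAIM.match(text):
        reasons.append("install-count")
    lowered = " ".join(text.lower().split())
    if any(phrase in lowered for phrase in LEGITIMACY_PHRASES):
        reasons.append("legitimacy-phrase")
    if any(ch in CHECK_MARKS for ch in text):
        reasons.append("check-mark")
    return reasons


if __name__ == "__main__":
    # Constructed sample developer names, not taken from real listings.
    samples = [
        "5,000,000,000+",
        "Installs 1,000,000+",
        "100 Million Downloads",
        "Verified Applications \u2714",
        "Example Studio 2048",
    ]
    for sample in samples:
        print(f"{sample!r}: {flag_developer_name(sample) or 'no flags'}")
```
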

How to stay safe

The tricks described in this article are simple, yet potentially effective, ways to mislead users, particularly those who choose apps based on popularity. While none of these apps were outright malicious, these techniques could easily be misused by malware authors in the future. Fortunately, the tricks are also simple to spot, if you know what to focus on: