Android scam apps with 10 million downloads deleted by Google — what to do now
Dodgy apps downloaded more than 10 million times
Google has kicked 151 Android apps out of the Play Store for being scams, and you'll want to make sure none of these apps are installed on your phone.
The apps, as detailed by cybersecurity firm Avast in a report last week, appear to be games, custom keyboards, QR code scanners and other utilities advertised on TikTok, Instagram and other social-media platforms. But they in fact sign you up for premium-SMS subscriptions costing up to $40 per month. Altogether, these scam apps have been downloaded more than 10 million times.
- This Android malware seizes total control of your phone — what to do
- The best Android antivirus apps to protect your phone
- Plus: ZipCharge Go is like an emergency gas can for your Tesla
As Avast's Jakub Vavra put it, these scams "earn a bad actor or actors money while ultimately leaving victims completely empty-handed."
There's no longer any danger that you'll be installing one of these specific apps, but it's possible that you may have installed one in the past. If so, you'll want to remove it. Here's how.
How to tell whether an app has been removed from the Google Play Store
First, we'll start with a link to a list that Avast put online detailing all the dodgy apps. The list is searchable: Next to the little magnifying-glass icon at the beginning of the list, plug in the name of any app about which you're uncertain to see if it's included.
If you do find a matching name, don't delete the app just yet. Many Android apps have similar or identical names, so you'll want to make sure you've got the right one.
Fortunately, Android apps all have unique "package names," which you'll see in the third column of Avast's scam-app list.
Sign up to get the BEST of Tom's Guide direct to your inbox.
Here at Tom’s Guide our expert editors are committed to bringing you the best news, reviews and guides to help you stay informed and ahead of the curve!
Package names are how Android tells one app from another. Even better, package names are visible right in the URL, or web address, of each app's listing page on the Google Play Store.
So if you've found an app on your phone or Android tablet that you think may be on Avast's list, then open a new browser tab in a desktop browser and type (or copy-and-paste) this into the new tab's address bar:
https://play.google.com/store/apps/details?id=
Don't hit Return or Enter just yet.
Now go to the Avast list of scammy apps and copy-and-paste the app's package name onto the end of the text in the address bar.
For example, for the first app listed, Ultima Keyboard 3D Pro, the package name is "org.ultimatekey.board". Copy "org.ultimatekey.board" and put it at the end of "https://play.google.com/store/apps/details?id=" in your browser's address bar so that the full text string reads:
https://play.google.com/store/apps/details?id=org.ultimatekey.board
Now hit Enter or Return on your keyboard. If you get an error message saying "We're sorry, the requested URL was not found on this server," then that means that Google has removed the app from the Play Store, and you should remove the app from your device.
How to remove an app from an Android phone or tablet
Uninstalling an app on Android is pretty easy. You'll want to start with the Settings app, which should be listed among your installed apps. On many phones, it's also accessed by tapping the gear icon visible in the Quick Settings menu you get by swiping down from the top of the screen.
Once in Settings, then tap Apps or Apps & Notifications, then the specific app you want to uninstall. (On some devices, you'll have to tap a second time to see all installed apps.) On the App Info screen, you should see a button to Uninstall that app.
Do that and you'll get a pop-up asking you to confirm that you really do want to uninstall the app. Click OK and you're done.
How to avoid similar Android-app scams
Avast's report said each of these scam apps asks you upon its installation to enter your phone number, including the country code, and sometimes your email address as well, so that the app can "unlock" its stated functions.
If any app asks you for such information before it lets you use it, beware. Avast found 151 apps that were part of this campaign, but it's possible there are still others in the Google Play Store.
Many of the original batch can still be found in third-party app markets — we randomly picked three from Avast's list and found them right away on a widely used "off-road" store.
You'll also want to check the user reviews on each app. Avast's Vavra noted that many of these scam apps had one-star reviews from users who said the apps didn't work as advertised.
This method isn't foolproof — as we saw last week in a different Android malware campaign, some good scammers build apps that work just fine but infect your device anyhow.
Finally, you'll want to install and use one of the best Android antivirus apps. These apps, some of which are partly or entirely free, will scan your device for malicious apps. Android's built-in antivirus app, Google Play Protect, isn't quite up to handling the job on its own.
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.