Android - How to know if a side-loaded app is safe?

It is difficult to know whether an APK is safe or not. Your best bet is to download from trusted or reputable sources (like Google Play, Amazon, etc).

Some (trusted) developers also provide an MD5 (or other message-digest algorithm) hash of their APKs. After you download the APK, you verify if the APK has the same hash. If it does, then it's safe to say it hasn't been tampered with.

You can also check the permissions required by the APK / app, and use common sense (or your own judgement / instinct) to tell if it's safe to install or not.

BOTTOM LINE: Always install from trusted sources. Stay away from pirated APKs; it's possible they may have malware.
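As an added example (not part of geff's answer or of any Android tooling), a Python script that carries out the hash check described above: it streams the APK through the digest the developer published, compares in constant time, and then checks that the archive at least has the shape of an APK. The `algo:hexdigest` format, the helper names and the stand-in archive are my assumptions; the sample "APK" is constructed and is not a real app.

```python
import hashlib
import hmac
import os
import tempfile
import zipfile

# Digests a developer might publish next to a download; MD5 is accepted only
# because some developers still publish nothing stronger.
SUPPORTED = {"md5", "sha1", "sha256", "sha512"}


def file_digest(path, algo, chunk=1 << 20):
    """Stream the file through the chosen hash so large APKs need little memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def apk_sanity(path):
    """Return a list of structural problems (empty list means it looks like an APK).

    An APK is a ZIP carrying AndroidManifest.xml and at least one classes*.dex;
    a CRC failure means the archive was damaged or edited in transit.
    """
    if not zipfile.is_zipfile(path):
        return ["not a ZIP archive"]
    problems = []
    with zipfile.ZipFile(path) as z:
        names = z.namelist()
        if "AndroidManifest.xml" not in names:
            problems.append("missing AndroidManifest.xml")
        if not any(n.startswith("classes") and n.endswith(".dex") for n in names):
            problems.append("no classes*.dex")
        if z.testzip() is not None:
            problems.append("corrupt entry (CRC mismatch)")
    return problems


def verify_apk(path, published):
    """published is 'algo:hexdigest' copied from the developer's page (assumed format).

    Returns (ok, detail). Comparison is constant-time and case-insensitive.
    """
    algo, _, expected = published.strip().lower().partition(":")
    if algo not in SUPPORTED or not expected:
        return False, f"unsupported or malformed published digest: {published!r}"
    actual = file_digest(path, algo)
    if not hmac.compare_digest(actual, expected):
        return False, f"{algo} mismatch: got {actual}, expected {expected}"
    problems = apk_sanity(path)
    if problems:
        return False, "; ".join(problems)
    return True, f"{algo} matches and the archive looks like an APK"


def demo():
    """Build a constructed stand-in APK and exercise verify_apk.

    Returns (ok_untampered, ok_after_byte_flip, ok_with_wrong_digest).
    """
    with tempfile.TemporaryDirectory() as d:
        apk = os.path.join(d, "sample.apk")
        with zipfile.ZipFile(apk, "w") as z:  # constructed, not a real app
            z.writestr("AndroidManifest.xml", b"<constructed manifest>")
            z.writestr("classes.dex", b"dex\n035\x00constructed")
        published = "sha256:" + file_digest(apk, "sha256")
        good = verify_apk(apk, published)[0]
        wrong = verify_apk(apk, "sha256:" + "0" * 64)[0]
        with open(apk, "r+b") as f:  # flip one byte to simulate tampering
            f.seek(40)
            b = f.read(1)
            f.seek(40)
            f.write(bytes([b[0] ^ 1]))
        tampered = verify_apk(apk, published)[0]
    return good, tampered, wrong
```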


Google introduced an option, Verify apps (Disallow or warn before installation of apps that may cause harm), for side-loaded apps when Unknown sources is enabled (both settings are available in Settings -> Security -> Device administration).

You can also use an online virus scanner like VirusTotal to check your downloaded .apk file.

But this is the same with every scanner service: they're not 100% sure and probably only detect already-known malicious apps. Custom-tailored malware will probably remain undetected. Also, very new malicious apps will probably slip through until, after some time, they are detected.


If you are downloading the .apk files from unknown/untrusted sources, there's no easy way to judge. Most Anti-Whatever solutions (anti-virus, anti-malware, etc.) are just ruling by "database entries" (i.e. they have a database of known malware, and check whether the package name matches), or only check requested permissions (and not whether e.g. an SMS app only sends the SMSs you wish). I've never heard about a "real" heuristics scanner analyzing an app's behaviour.

Though it might theoretically be possible that a "scanner" also verifies a kind of checksum (such as the mentioned MD5), this could only work against a "trusted base" like e.g. the Play Store. For apps not available there it would then fail (nothing to compare). And even for apps available there, it would need to check against the very same version. Such a solution is hardly practical.

So while my arguments might differ, my bottom line is almost the same as geff's: Only install from trusted sources. While nothing is 100% secure, this imposes the smallest risks possible. The highest risk is with pirated stuff, as that's very likely to have "bad things" injected.