Google’s Play Protect scanner identified more than 27 million new malicious apps from outside Google Play in 2025 and blocked 266 million risky install attempts across its user base. Independent researchers see the same flood from the other side: AV-TEST registers over 450,000 new malicious programs every day across all platforms, and a share of those show up in APK files that look completely ordinary until the install prompt is already on screen.

None of that means every APK you download is dangerous. It means a five-minute check before you tap Install catches almost everything a casual glance misses. Most people who get burned by a malicious APK never compared it against the developer’s real signature, saw a “0 detections” VirusTotal scan and stopped looking any further, or waved through a permission list because the install screen never pauses to explain what any of it means.

Where you download the file from matters before you ever open a scanner. Some sources verify signatures automatically and disclose who runs them; others do neither. Our audit of which APK sites we trust breaks that down site by site, so start there if you have not already picked a source. The steps below apply to the file itself, no matter where it came from.

Quick Comparison: APK Malware Scanning Methods

MethodWhat It CatchesCostSpeedBest For
VirusTotal scan (our pick) Known malware signatures across 70+ engines Free Under 2 minutes Every APK, before you open it
Google Play Protect Behavioral and runtime threats after install Free, built-in Automatic, ongoing Continuous protection post-install
Signature / SHA-256 check Tampering, repackaging, cloned apps Free About 1 minute Confirming a file matches the original
Manual permission review Scope creep and unrelated access requests Free About 2 minutes Catching apps that ask for more than they need
Third-party mobile antivirus Real-time scanning plus web/link protection Free or paid tier Continuous Frequent sideloaders who want a standing safety net

Before You Install: Scan the File Itself

  1. Upload the APK to VirusTotal. Go to VirusTotal, choose the file tab, and upload the APK before you open it. VirusTotal runs the file past more than 70 antivirus and blocklisting engines at once and returns a combined detection count within a minute or two. A result of zero or one flagged engine is a strong signal the file is clean; five or more is a confirmed problem, and anything in between is worth a second look at which engines flagged it and why.

  2. Verify the signature or hash against the original. If the developer publishes a SHA-256 hash, compare it directly against the file you downloaded. Otherwise, run apksigner verify --print-certs app.apk from the Android SDK build-tools to inspect the signing certificate. Repackaging an APK breaks its original signature, so a mismatch here means the file has been altered since the developer signed it, even if VirusTotal came back clean.

Check What the App Is Asking For

  1. Read the permission list before you commit. The install prompt and the app’s store listing both show what the APK wants access to. A flashlight app requesting contacts, or a calculator requesting SMS and camera access, has no legitimate reason to ask for either. Permission scope is one of the clearest signals you get before the app is even on your phone, so do not skip past it to get to the install button.

  2. Watch the install screen itself for tampering signs. Confirm the app icon shown on the install prompt actually matches the real app, not a generic Android icon or an unrelated image. Compare the file size against the official version where you can find one; a popular app that normally runs 60MB showing up as 20MB has likely had code stripped out or swapped in. Check that a developer name and contact page are listed and match the real publisher, not a vague or misspelled variant.

After You Install: Let Android Keep Checking

  1. Run a manual Play Protect scan right after install. Open the Play Store app, tap your profile icon, select Play Protect, and tap Scan. Play Protect checks apps from any source, not only Google Play, and can send an app it has not seen before to Google for a deeper code-level evaluation. It is reactive rather than preventive, so it is meant to run alongside the checks above, not replace them.

  2. Re-check permissions after installing, and again after updates. Open Settings > Apps > [app name] > Permissions and revoke anything the app does not need to function. Check back after major updates too, since a later version can quietly request broader access than the one you originally approved. This is the step most people skip entirely, and it is where a lot of sideloaded malware actually does its damage once the file itself passed every earlier check.

Challenges With Catching Malware in an APK File

Every method above has a real limitation, and knowing them keeps you from trusting a single green checkmark too much.

  • Zero-day malware beats every engine at once. Brand-new or custom-built malware is designed to slip past known-signature scanners, so a “0 detections” VirusTotal result only proves nothing recognizable was found yet, not that the file is guaranteed clean.
  • Modded APKs break the one check that matters most. Decompiling and rebuilding an app to unlock paid features also strips the developer’s original signature, which removes your ability to verify the file against anything trustworthy.
  • Permission reviews only catch obvious mismatches. A messaging app legitimately needs contacts and SMS access, which gives malware disguised as a messaging app cover that a flashlight app clone would never get.
  • Play Protect only sees what reaches the device. Because it evaluates apps after installation, anything designed to stay dormant until a specific trigger can pass an early scan and activate later.
  • File size and icon checks need a real baseline. Without an official version to compare against, an unusual file size or a slightly off icon is a clue, not proof, and newer or lesser-known apps rarely have an easy baseline to check against at all.

How to Put a No-Malware Check Into Practice

Treat the six steps above as one routine, not a checklist you only run when a file feels suspicious. Scan first, verify the signature second, read permissions third, install, scan again with Play Protect, then revisit permissions after any update. In that order, each step catches something the one before it misses.

Decide in advance which permissions actually make sense for the category of app you are installing, so a mismatch jumps out immediately instead of after something goes wrong. Keep a VirusTotal tab and the apksigner tool within easy reach; once the sequence becomes automatic, the whole process takes under five minutes per file.

None of this replaces choosing a reliable source in the first place. Pair this routine with our full safe-install checklist for the permission settings, trusted sources, and Android version specifics that sit around these same six steps.

Frequently Asked Questions (FAQs)

How do I check if an APK file is safe before installing it?

Upload it to VirusTotal for a multi-engine scan, then compare its signature or SHA-256 hash against the value the developer publishes. Review the permissions it requests once installed, and leave Google Play Protect running so it keeps checking the app after the file itself has passed.

Does VirusTotal catch all APK malware?

No. VirusTotal is a strong first filter because it runs a file past more than 70 antivirus engines at once, but brand-new or custom-built malware can still show zero detections until the engines catch up. Treat a clean scan as a good sign, not a guarantee, and pair it with a signature check and a permission review.

Is Google Play Protect enough to catch a malicious APK on its own?

On its own, no. Play Protect is reactive: it evaluates apps after they are on the device rather than before you download them, so it works best as the last layer after a VirusTotal scan and a signature check, not as the only check you run.

What permissions should make me suspicious of an app?

Any permission that has nothing to do with what the app claims to do. A flashlight app asking for contacts or SMS access, or a calculator requesting camera and microphone permissions, are both classic signs the app is doing more than it says.

Can a modded or cracked APK ever be safe?

Treat it as unsafe by default. Modding an APK means decompiling and rebuilding it, which breaks the original developer’s signature and strips out the security protections that signature was there to guarantee, so there is no reliable way to verify what else changed in the process.