Smishing-to-Sideload Attack
A technique that uses SMS phishing to direct victims to install a malicious app outside of the official app store, bypassing standard security reviews.
Also known as: APK sideloading scam, malicious APK delivery, SMS sideload attack
Last reviewed: 10 June 2026
Official app stores (Google Play, Apple App Store) apply review processes that catch many malicious apps. To bypass this, attackers use SMS or messaging-app phishing to direct victims to a URL hosting an APK (Android) or mobile configuration profile (iOS) that installs a malicious app directly. The message often impersonates a bank, government service, or utility company, claiming the official app is needed for a time-sensitive process.
The sideloaded app may request excessive permissions (contacts, SMS, screen access) and function as spyware, a banking trojan, or a remote-access tool. Android devices are most commonly targeted because sideloading requires only a settings change, while iOS sideloading is more complex but possible via enterprise certificates or configuration profiles.
Never install an app from a link sent via text message. Always download apps from official app stores and verify that the publisher name matches the genuine organisation.
Examples
- A text from a fake utility company asks customers to install an 'account management app' via a link; the app is a banking trojan that overlays legitimate banking apps.
- An iOS configuration profile delivered via SMS installs a rogue MDM that grants the attacker control over the device.
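The delivery pattern described above can be screened for on the receiving side, for example in an SMS gateway filter or a reported-message triage queue. The sketch below is an added example, not part of the original entry: the function name `triage_sms`, the cue word lists, and the sample messages (all on reserved `.example` domains) are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Official store hosts named in the entry; links to these are not sideloads.
OFFICIAL_STORE_HOSTS = {"play.google.com", "apps.apple.com"}
# Payload types named in the entry: Android packages and iOS configuration profiles.
SIDELOAD_EXTENSIONS = (".apk", ".mobileconfig")
# Constructed cue lists (assumption): install prompts and time-pressure wording.
INSTALL_CUES = re.compile(r"\b(install|download|update)\b[^.]*\b(app|profile)\b", re.I)
URGENCY_CUES = re.compile(
    r"\b(urgent|immediately|within \d+ (hours?|days?)|suspended|disconnected)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def triage_sms(text):
    """Return (verdict, reasons) for one SMS body: block, review or allow."""
    reasons = []
    for raw in URL_RE.findall(text):
        url = urlparse(raw.rstrip(".,;:!?)"))      # drop trailing punctuation
        host = (url.hostname or "").lower()
        path = url.path.lower()                    # path excludes any ?query
        if host in OFFICIAL_STORE_HOSTS:           # exact match, so lookalike
            continue                               # subdomains do not pass
        if path.endswith(SIDELOAD_EXTENSIONS):
            reasons.append(f"direct {path.rsplit('.', 1)[-1]} link on {host}")
        elif INSTALL_CUES.search(text):
            reasons.append(f"install prompt with non-store link {host}")
    if reasons and URGENCY_CUES.search(text):
        reasons.append("time-pressure wording")
    if any(r.startswith("direct") for r in reasons):
        return "block", reasons
    return ("review", reasons) if reasons else ("allow", reasons)

# Constructed sample messages, not taken from real campaigns.
SAMPLES = [
    "City Power: service will be disconnected within 24 hours. Install our "
    "account management app: http://citypower-billing.example/manage.apk",
    "Bank notice: install the security profile at "
    "https://secure-login.example/profile.mobileconfig.",
    "Please download the new delivery app here: https://short.example/x9",
    "Get our app: https://play.google.com/store/apps/details?id=com.example.bank",
    "Update the app: https://play.google.com.store-mirror.example/bank?id=1",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(triage_sms(sms), "<-", sms[:50])
```

A direct package or profile link is blocked outright, while an install prompt that points anywhere other than an official store is queued for review, since shortened or redirecting links can hide the payload type.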