Malicious APK Sideloading Scams
Fraudsters trick Android users into installing malware-laced app files from outside the official store, granting attackers remote access, banking interception, or surveillance capabilities.
Last reviewed: 1 June 2026
What this scam is
APK sideloading refers to installing an Android application package (APK file) directly onto a device without going through an official app store. This capability exists for legitimate reasons — developers testing apps, enterprise deployments, and access to apps not available in certain regions. Fraudsters exploit it to deliver malicious applications that would be rejected by official store review processes.
Malicious APK sideloading scams typically involve deceiving the target into allowing installs from outside the store (on Android 8 and later this is a per-app 'Install unknown apps' permission granted to the browser or messaging app that opened the file; older versions have a single 'Unknown sources' toggle) and then installing a file sent via SMS, email or messaging app, or downloaded from a fake website. The installed app may appear to be a legitimate utility, such as a bank's 'security app', a government service app, a parcel tracking tool, or a popular entertainment app, while running malicious code in the background.
The malicious code can take many forms: a remote access trojan that gives the attacker full control of the device; a banking overlay that displays a fake banking interface on top of genuine banking apps to capture credentials; an SMS interceptor that forwards all incoming messages (including one-time codes) to the attacker; or spyware that silently captures calls, messages, location, and camera images.
Android is specifically targeted for this attack because its architecture allows installation from outside official stores. iPhones can also be targeted via enterprise certificate abuse or direct device access, though the attack surface is substantially narrower.
How it works
The attack typically begins with a convincing pretext for why the app cannot be installed through the normal store. Common pretexts include: a bank telling you their 'enhanced security app' must be installed from a link they send you; a customer service agent claiming the official app has a bug and providing a 'fixed version'; a message impersonating a delivery company providing a 'tracking app'; or a social engineering campaign directing victims to a website that mimics an official app store.
The target is guided through allowing the browser or messaging app to install unknown apps in their device settings. Android warns at this step and the installer asks for confirmation again when the APK is opened, but a persuasive caller or a convincing step-by-step guide can present both warnings as routine. The APK is then downloaded and installed.
Once running, the malicious app asks for access that legitimate apps of its claimed type would not need: an accessibility service, device administrator rights, permission to read and send SMS, overlay permission (to draw over other apps), or contacts and call log access. Accessibility and device administrator are not ordinary runtime permissions; the app sends the user into Settings to switch them on, often with on-screen instructions for doing so. Android 13 and later place accessibility access for an app that arrived as a downloaded file behind a 'Restricted setting' that the user must first unlock, but droppers that install their payload through the system package-installer session API are treated like store installs and avoid that block, so the warning is not a reliable safeguard. Once these grants are made, the attacker has extensive capabilities.
In banking overlay attacks, the malware uses its accessibility service to learn which app is in the foreground and its overlay permission to draw a fake login screen on top of a genuine banking app the moment it opens. The victim types credentials into the fake screen, which sends them to the attacker and then reveals the genuine app underneath after a brief delay so that nothing seems wrong.
In remote access variants, the attacker can observe the screen, interact with apps, make transactions, and read messages in real time.
Why this scam works
The attack succeeds because it exploits the authority of a trusted source — often the target's own bank or an expected delivery service — to instruct a behaviour that the device itself warns against. When a caller who sounds like bank security tells you to install their security app, the device's warning about 'unknown sources' is reframed as a routine technical step rather than a danger sign.
Permission requests for accessibility services, overlays, and SMS access have legitimate uses, meaning they are available on consumer devices. Most users do not scrutinise permission requests carefully or understand their implications. Granting these permissions to a malicious app hands over a level of device access that is extremely difficult to detect and contain.
Android's openness, while valuable for legitimate use cases, creates an attack surface that is far smaller on more closed platforms.
A typical pattern
A person receives a call from someone claiming to be from their bank's fraud team. The caller warns that suspicious transactions have been detected and that the person should install the bank's 'SecureVerify' app to receive real-time transaction alerts. The caller sends a link via SMS. The person enables unknown sources installation as instructed, installs the app, and grants the permissions it requests including accessibility services and overlay permission. Over the following days, the attacker uses the malware to observe banking sessions and capture credentials, resulting in unauthorised transfers from their account.
Common red flags
- Any caller, texter, or website asks you to install an app from a link rather than from the official store
- Instructions to enable installation from unknown sources in your device settings
- A newly installed app requests accessibility services, device administrator, or overlay permission
- The app was sent as an APK file via email, SMS, or messaging app
- The app download page URL is not the official app store domain
- A caller claiming to be from your bank guides you through installation step by step
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
Your bank account has been flagged for unusual activity. Install our SecureAlert app immediately to protect it: [link]
Your parcel is ready for delivery. Install the tracking app to choose your delivery slot: [link to APK]
Download the latest [popular app] with premium features unlocked — free: [fake site link]
Important: your banking app has a critical update that can only be installed from this secure link: [link]
Common variations
- Banking overlay variant — fake login screen drawn over genuine banking apps
- SMS forwarder variant — intercepts and forwards all incoming messages silently
- Remote access trojan (RAT) variant — full device control given to attacker
- Spyware variant — continuous surveillance of calls, messages, camera, and location
- Fake store variant — convincing fake Google Play or App Store website
How to verify before you act
Your bank, any government agency, or any legitimate service will not ask you to install an APK file or an app from outside the official store. Some institutions do send a link to their store listing, but you never need it: search for the institution's name in the store directly, and check that the listed developer is the institution itself.
If anyone — by any communication channel — instructs you to enable unknown sources installation or to install an app from outside the store, treat this as a strong indicator of fraud and end the interaction. Contact the institution using the official number on their website or on the back of your card to verify whether the request was genuine.
Review the permissions any new app requests before granting them. A parcel tracking app does not need accessibility service access. A bank app installed from an official store does not need permission to draw over other apps.
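The store-link check above, together with the red flags of a direct APK link and a non-store download page, can be applied mechanically to incoming messages. The script below is an added example written for this page, not tooling from any bank, store or vendor. It classifies every link in a message and flags the message when an install instruction points somewhere other than an official store. OFFICIAL_STORE_HOSTS (only Google Play and the Samsung Galaxy Store are listed), the keyword pattern and the sample messages are constructed assumptions for illustration; the sanitized messages earlier on this page use placeholders rather than real URLs, so the samples here use reserved example domains instead.

```python
"""Flag install links in messages that do not point at an official app store.

Added example for this page, not tooling from any bank, store or vendor.
OFFICIAL_STORE_HOSTS, the keyword pattern and SAMPLE_MESSAGES are
constructed assumptions for illustration.
"""
import re
from urllib.parse import urlsplit

# Assumption: only Google Play and the Samsung Galaxy Store are listed here;
# add the hosts of any other store you treat as official.
OFFICIAL_STORE_HOSTS = {
    "play.google.com",
    "market.android.com",      # legacy Play host that redirects to play.google.com
    "galaxystore.samsung.com",
    "apps.samsung.com",
}
OFFICIAL_STORE_SCHEMES = {"market"}  # market://details?id=... deep links open the store app

URL_RE = re.compile(r"(?:https?|market)://[^\s<>\"']+", re.IGNORECASE)
APK_RE = re.compile(r"\.(?:apk|xapk|apks)$", re.IGNORECASE)
INSTALL_WORDS = re.compile(r"\b(?:install|download|update|app|apk)\b", re.IGNORECASE)


def classify_link(url: str) -> str:
    """Return 'official-store', 'apk-download' or 'unknown-source' for one URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme in OFFICIAL_STORE_SCHEMES:
        return "official-store"
    # .hostname drops any user-info before '@', so
    # https://play.google.com@evil.example/ resolves to evil.example, and an
    # exact match rejects lookalikes such as play.google.com.evil.example.
    host = (parts.hostname or "").lower().rstrip(".")
    if scheme == "https" and host in OFFICIAL_STORE_HOSTS:
        return "official-store"   # plain http is not trusted: it can be intercepted
    if APK_RE.search(parts.path):
        return "apk-download"
    return "unknown-source"


def triage_message(text: str) -> dict:
    """Classify every link in a message and record why it is suspicious, if it is."""
    links, findings = [], []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:!?)")      # trailing sentence punctuation is not part of the URL
        kind = classify_link(url)
        links.append((url, kind))
        if kind == "apk-download":
            findings.append(f"direct APK download: {url}")
        elif kind == "unknown-source" and INSTALL_WORDS.search(text):
            findings.append(f"install instruction with a non-store link: {url}")
    return {"links": links, "findings": findings, "suspicious": bool(findings)}


# Constructed sample messages on reserved example domains (not real URLs).
SAMPLE_MESSAGES = [
    "Your bank account has been flagged. Install our SecureAlert app now: https://secure-alert.example/SecureAlert.apk",
    "Your parcel is ready. Install the tracking app to pick a slot: https://play.google.com@track-parcel.example/install",
    "Critical update for your banking app: https://play.google.com.updates.example/store/apps/details?id=com.bank.example",
    "Your statement is ready to view at https://bank.example/statements.",
    "Get our app on Google Play: https://play.google.com/store/apps/details?id=com.bank.example",
]


def triage_all(messages=SAMPLE_MESSAGES) -> list:
    return [triage_message(m) for m in messages]


if __name__ == "__main__":
    for msg, result in zip(SAMPLE_MESSAGES, triage_all()):
        print("SUSPICIOUS" if result["suspicious"] else "ok        ", msg[:60])
        for finding in result["findings"]:
            print("   -", finding)
```

The check is deliberately an allow-list of store hosts rather than a block-list of bad ones, since new fraud domains appear faster than any list can track them. Using urlsplit().hostname matters: the second sample puts 'play.google.com' before an '@' so that a naive substring check would pass it, and the third uses a lookalike subdomain; both end up classified as unknown-source.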
Payment methods used
- Banking credential capture via overlay attack
- Direct remote access to authorise fraudulent transactions
- SMS interception to bypass one-time code authentication
- Cryptocurrency wallet credential extraction
Who is usually targeted
- Android device users
- Banking customers receiving 'security upgrade' calls
- People expecting deliveries
- Users seeking free versions of paid apps from unofficial sources
What to do immediately
- Do not install any APK file sent to you via any communication channel
- If you have already installed a suspicious APK, factory reset the device. Back up photos and documents only; do not restore apps or app data from a backup taken while the malware was present
- Contact your bank from a different device using the official number to report the incident
- From a clean device, change the passwords for every account used on the compromised device and re-enrol any two-factor methods, since one-time codes sent by SMS to that device may have been read
- Report the incident to national fraud authorities and the institution being impersonated
How to prevent it
- Only install apps from the official Google Play Store or manufacturer app store
- Never enable installation from unknown sources in response to a request from any caller, message, or website
- Review permission requests carefully before granting — question any app that requests accessibility, overlay, or device administrator access
- Keep your Android device and apps updated to reduce vulnerability to exploits, and leave Google Play Protect switched on; it scans sideloaded apps and can warn about or remove known malware
- Contact your bank using the official number on their website if you receive any call about a security app installation
Evidence to preserve
- The APK file if not yet installed
- The URL or message from which it was delivered
- The phone number or contact that delivered the link
- Screenshots of permission requests the app made
- Bank statements showing any unauthorised activity
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — Use the number on the back of your card or in your banking app — never a number the caller gives you
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
Is sideloading always dangerous?
No — sideloading has legitimate uses including developer testing, enterprise deployments, and apps not available in your region's store. The risk arises specifically when you are persuaded to sideload an app by an unsolicited caller, message, or website rather than from a source you trust independently.
Can I remove the malware without a factory reset?
Possibly. Android will not uninstall an app while it is an active device administrator, so first deactivate it under the device admin settings, switch off its accessibility service, then uninstall it. Rebooting into Safe Mode, which stops third-party apps from running, makes this easier when the app uses its accessibility service to block the settings screens. Some trojans are designed to resist removal and can reinstall themselves, and removal does nothing about credentials the attacker has already captured. A factory reset is the most reliable method if you suspect a serious compromise.
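For someone helping with the clean-up, or preserving the evidence listed earlier on this page, the questions in this answer can be put to the device directly over adb: which third-party apps did not come from a store, which of those hold an accessibility service, device administrator rights or overlay permission, and what to run to keep a copy of the APK before removing it. The script below is an added example written for this page, not tooling from Google or any vendor. It analyses text captured with the adb commands shown in its comments, so the analysis itself runs offline. The SAMPLE_* captures are constructed for illustration; the exact line formats of pm list packages -i, the accessibility setting and dumpsys device_policy are assumptions about current Android releases that you should check against your own device, and STORE_INSTALLERS lists only Google Play and the Samsung store.

```python
"""Triage a possibly compromised Android device from captured adb output.

Added example for this page, not tooling from Google or any vendor. The
SAMPLE_* captures are constructed for illustration and their line formats
are assumptions about current Android releases; STORE_INSTALLERS is an
assumption that lists only Google Play and the Samsung store.
"""
import re

STORE_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}

# Capture with:  adb shell pm list packages -3 -i   (third-party apps and their installer)
SAMPLE_PM = """\
package:com.bank.example  installer=com.android.vending
package:com.secureverify.app  installer=null
package:com.parcel.track  installer=com.google.android.packageinstaller
package:com.messenger.example  installer=com.android.vending
"""

# Capture with:  adb shell settings get secure enabled_accessibility_services
SAMPLE_A11Y = ("com.secureverify.app/com.secureverify.app.ScreenService:"
               "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService")

# Capture with:  adb shell dumpsys device_policy   (only the admin list matters here)
SAMPLE_DPM = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0):
    ComponentInfo{com.secureverify.app/com.secureverify.app.AdminReceiver}:
      uid=10234
"""

# Capture with:  adb shell appops get <package> SYSTEM_ALERT_WINDOW   (one per package)
SAMPLE_APPOPS = {
    "com.bank.example": "No operations.",
    "com.secureverify.app": "SYSTEM_ALERT_WINDOW: allow; time=+3d2h11m ago",
    "com.parcel.track": "SYSTEM_ALERT_WINDOW: deny",
    "com.messenger.example": "SYSTEM_ALERT_WINDOW: allow",
}

PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)")
# pkg/Class tokens as they appear in the accessibility setting and in dumpsys output.
COMPONENT = re.compile(r"([A-Za-z][\w.]*)/\.?[\w.]+")


def parse_packages(pm_output: str) -> dict:
    """Map package name -> installer package ('null' when the installer is unknown)."""
    found = {}
    for line in pm_output.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            found[m.group(1)] = m.group(2)
    return found


def packages_with_component(text: str) -> set:
    """Package part of every pkg/Component token in a captured dump."""
    return {m.group(1) for m in COMPONENT.finditer(text)}


def overlay_allowed(appops_output: str) -> bool:
    return re.search(r"SYSTEM_ALERT_WINDOW:\s*allow", appops_output) is not None


def remediation(rec: dict) -> list:
    """adb steps: keep a copy of the APK as evidence, cut its reach, then remove it."""
    pkg = rec["package"]
    cmds = [f"adb shell pm path {pkg}   # then: adb pull <printed path> {pkg}.apk"]
    if rec["overlay"]:
        cmds.append(f"adb shell appops set {pkg} SYSTEM_ALERT_WINDOW deny")
    if rec["device_admin"]:
        # pm uninstall fails for an active admin; it has to be deactivated in Settings first.
        cmds.append(f"# deactivate {pkg} under Settings > Security > Device admin apps")
    cmds.append(f"adb shell pm uninstall --user 0 {pkg}")   # also drops its accessibility service
    return cmds


def triage(pm_output, a11y_output, dpm_output, appops_outputs) -> list:
    """One record per sideloaded package, highest risk first."""
    a11y = packages_with_component(a11y_output)
    admins = packages_with_component(dpm_output)
    records = []
    for pkg, installer in parse_packages(pm_output).items():
        if installer in STORE_INSTALLERS:
            continue                      # store-installed apps are out of scope here
        rec = {
            "package": pkg,
            "installer": installer,
            "accessibility": pkg in a11y,
            "device_admin": pkg in admins,
            "overlay": overlay_allowed(appops_outputs.get(pkg, "")),
        }
        rec["risk"] = sum(rec[k] for k in ("accessibility", "device_admin", "overlay"))
        rec["commands"] = remediation(rec)
        records.append(rec)
    records.sort(key=lambda r: (-r["risk"], r["package"]))
    return records


if __name__ == "__main__":
    for rec in triage(SAMPLE_PM, SAMPLE_A11Y, SAMPLE_DPM, SAMPLE_APPOPS):
        flags = [k for k in ("accessibility", "device_admin", "overlay") if rec[k]]
        print(f"{rec['package']} (installer={rec['installer']}) risk={rec['risk']} {flags}")
        for cmd in rec["commands"]:
            print("   ", cmd)
```

Device administrator rights are the one grant the script only reports: pm uninstall is refused while an app is an active admin, and there is no plain adb command that is guaranteed to deactivate it, so that step stays in Settings as described in the answer above. Run the triage before any reset, because the pulled APK and the recorded permission state are the evidence an investigator or the bank will ask for.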
Does this affect iPhones?
iPhones have a significantly higher barrier to sideloading. The primary attack vectors on iOS involve enterprise certificates (used to distribute apps outside the store) or physical device access to install tools. For most users, sticking to the official App Store and keeping iOS updated provides strong protection.
My bank genuinely told me to install an app from a link. Is that possible?
Legitimate banks publish their apps on official stores and do not ask customers to install APK files or apps from outside them. If you received such a call, hang up and contact your bank using the number on the back of your card to ask whether the instruction was genuine. If the caller was an impersonator, your bank will tell you, and the call itself is worth reporting.