Millions of Android users are carrying potential security threats in their pockets — not from obscure, shadowy downloads, but from some of the most popular applications on the Google Play Store. Despite Google’s ongoing efforts to police its app marketplace, a growing body of evidence suggests that many widely downloaded apps engage in excessive data collection, display intrusive advertising, or worse, harbor outright malware. The question facing consumers is no longer whether to be cautious, but which familiar names on their home screens deserve a second look.
A detailed analysis published by MakeUseOf identifies several categories of Android apps that security researchers and privacy advocates have flagged repeatedly. The findings are not speculative; they draw on documented cases of data harvesting, undisclosed tracking, and deceptive practices that have affected hundreds of millions of users worldwide. For industry professionals and everyday consumers alike, the implications are significant.
Free Antivirus Apps: The Irony of False Protection
Among the most commonly flagged app categories are free antivirus and cleaner applications. Apps like Clean Master, once boasting hundreds of millions of downloads, have been repeatedly cited for collecting vast amounts of user data — browsing history, app usage patterns, and device information — far beyond what is necessary for their stated function. Cheetah Mobile, the developer behind Clean Master, was banned from the Google Play Store in 2020 after Google found evidence of ad fraud and deceptive practices, as reported by multiple outlets at the time.
The pattern extends beyond a single developer. Many free security apps request permissions that rival those of the operating system itself: access to contacts, call logs, SMS messages, location data, and storage. Independent testing by organizations like AV-TEST and AV-Comparatives has shown that a significant number of these free tools provide negligible actual protection against malware, while simultaneously serving as data collection pipelines. For most Android users, the built-in Google Play Protect service offers comparable or superior protection without the privacy trade-offs.
Weather and Flashlight Apps: Simple Tools With Hidden Agendas
Weather apps represent another category where the gap between user expectations and actual app behavior is striking. As MakeUseOf notes, many popular weather applications request access to data that has no connection to forecasting — including contact lists, phone call information, and the ability to read and send SMS messages. Weather Forecast, an app that accumulated millions of downloads, was found to be collecting and transmitting user data to servers in China, according to research cited in the report.
Flashlight apps tell a similar story. Modern Android phones have had built-in flashlight toggles for years, yet flashlight apps continue to attract millions of downloads. Security researchers have repeatedly demonstrated that many of these apps request an extraordinary number of permissions and embed aggressive advertising SDKs that track users across apps and websites. In some cases, flashlight apps have been caught installing background processes that persist even after the app is closed, consuming battery and bandwidth while transmitting device data to third-party ad networks.
Social Media and File-Sharing Giants Under Scrutiny
The conversation about problematic Android apps extends well beyond small, obscure developers. UC Browser, developed by a subsidiary of Alibaba and popular in many international markets, has been flagged by cybersecurity researchers for transmitting user search queries and browsing data without adequate encryption. The Indian government banned UC Browser along with dozens of other Chinese-developed apps in 2020, citing national security concerns.
SHAREit, the file-sharing app with over a billion downloads globally, has also drawn scrutiny. In early 2021, cybersecurity firm Trend Micro published research identifying multiple vulnerabilities in SHAREit that could be exploited to leak sensitive user data or execute arbitrary code. Despite the findings, the app remained available on the Play Store for an extended period. These are not theoretical risks; they represent documented security gaps in apps that sit on an enormous number of devices worldwide.
The Permissions Problem: What Users Are Actually Agreeing To
At the heart of the issue is Android’s permissions model. While Google has made meaningful improvements in recent Android versions — including one-time permissions, auto-reset for unused apps, and more granular controls — the fundamental challenge remains: most users do not read permission requests carefully, and many apps exploit this behavior. A 2023 study from the cybersecurity firm Kaspersky found that the average Android user has more than 60 apps installed, and a significant percentage of those apps request permissions that are not essential to their core functionality.
The problem is compounded by the practice of bundling third-party software development kits (SDKs) into apps. Even when an app developer has no malicious intent, the advertising and analytics SDKs embedded in their product may collect and share user data in ways that neither the developer nor the user fully understands. Research published by the International Computer Science Institute at UC Berkeley has shown that many popular apps share data with dozens of third-party domains, creating a web of data flows that is nearly impossible for consumers to track or control.
Google’s Enforcement Efforts and Their Limits
Google has taken steps to address these concerns. The company’s Data Safety section, introduced in 2022, requires developers to disclose what data their apps collect and how it is used. Google has also increased its use of automated scanning and human review to identify policy-violating apps before they reach users. In its annual transparency reports, Google has stated that it removed over 1.4 million policy-violating apps from the Play Store in 2022 alone.
Yet critics argue that enforcement remains reactive rather than proactive. Apps frequently accumulate millions of downloads before problematic behavior is identified and addressed. The sheer volume of the Play Store — with roughly 2.6 million apps available — makes comprehensive pre-publication review extraordinarily difficult. Security researchers at firms like ESET and Malwarebytes regularly publish lists of newly discovered malicious apps that had been available on the Play Store for weeks or months before being flagged.
What Industry Professionals Recommend
For enterprise IT departments and security-conscious individuals, the guidance from experts is consistent. First, audit the apps on your device regularly and remove anything you no longer use. Second, review the permissions granted to each remaining app and revoke any that are not clearly necessary for the app’s function. Third, favor apps from well-known developers with transparent privacy policies and a track record of responsible data handling.
Security professionals also recommend using Android’s built-in features wherever possible — the native flashlight, the default phone dialer, the stock camera app — rather than downloading third-party alternatives that may introduce unnecessary risk. For antivirus protection, Google Play Protect provides baseline scanning that is sufficient for most users, and those who want additional protection should choose a paid product from a reputable vendor like Bitdefender, Norton, or Kaspersky, rather than a free app of unknown provenance.
The Broader Stakes for Android’s App Economy
The persistence of problematic apps on the world’s most popular mobile platform raises questions that extend beyond individual device security. For app developers, the reputational damage caused by data scandals can be devastating. For Google, every high-profile incident involving a malicious Play Store app erodes consumer trust in the platform. And for regulators in the United States, the European Union, and elsewhere, the ongoing challenges with mobile app security are fueling calls for stricter oversight and mandatory security standards.
The European Union’s Digital Markets Act and the proposed American Data Privacy and Protection Act both contain provisions that could significantly alter how app stores operate and how developers handle user data. Whether these regulatory efforts will produce meaningful change remains to be seen, but the direction of travel is clear: the era of permissive, self-regulated app distribution is drawing to a close.
For now, the burden of protection falls largely on users themselves. The apps flagged by MakeUseOf and by independent security researchers are not hidden in dark corners of the internet. They are sitting on the Play Store’s front page, accumulating five-star reviews and hundreds of millions of downloads. The gap between an app’s popularity and its trustworthiness has never been wider — and closing that gap will require effort from every participant in the mobile software supply chain.