Complete Guide to Checking APK Files for Viruses on Android

Introduction / Why This Is Needed

APK files are installation packages for Android applications. Installing APKs from untrusted sources, such as third-party websites or file-sharing services, can lead to device infection with viruses, spyware, or trojans. These threats can steal personal data, display ads, or even damage the system. Verifying an APK before installation is an essential step to protect your device and privacy. In this guide, you will learn how to use available tools and methods to check any APK file for malicious code, minimizing risks.

Requirements and Preparation

Before you begin, ensure you have:

• An Android device running version 6.0 (Marshmallow) or higher. Most methods work on modern versions, including Android 14.
• The APK file you want to verify. It may have been downloaded from the internet or obtained by other means.
• Stable internet for using online services and updating antivirus databases.
• An antivirus app (recommended). Install one from Google Play, such as Malwarebytes, AVG, or Kaspersky, or use the built-in Google Play Protect (available on devices with Google Play Services).
• For static analysis (advanced level):
  • A computer with Java Runtime Environment (JRE) 8 or higher installed.
  • Tools: APKTool (for decompiling) and JADX (for viewing Java code). Download them from official sites: APKTool and JADX.
  • Basic knowledge of Android app structure and Java code (optional but helpful).

Step-by-Step Guide

Step 1: Scan with an Antivirus on Android

The simplest and fastest method is to use an antivirus app directly on the device.

1. Install an antivirus from Google Play (e.g., Malwarebytes). Avoid unknown antiviruses that might contain malware themselves.
2. Open the app and find the file scanning feature. In Malwarebytes, it's "Scan" → "File Scan"; in others, it might be called "On-demand Scan" or "Custom Scan."
3. Go to your file manager (use the built-in one or a third-party app like Solid Explorer) and locate your APK file, usually in the Downloads or Documents folder.
4. Select the file and start the scan. The antivirus will analyze the APK for known virus signatures and suspicious behavior.
5. After the scan completes, check the result. If it says "No threats detected" or similar, the file is considered safe. If threats are found, delete the APK and do not install it.

💡 Tip: Regularly update your antivirus databases through the app's settings. Some antiviruses, like AVG, have an automatic new file scanning feature—enable it for added protection.

Step 2: Online Check via VirusTotal

VirusTotal is a powerful free service that analyzes files with over 70 antivirus engines and other tools. It's ideal for a second opinion.

1. Open a browser on your computer or device and go to virustotal.com.
2. Create a free account using your email or a Google account. This is required to upload files.
3. After logging in, click the "Upload" button or drag and drop the APK file into the designated area on the homepage.
4. Wait for the analysis to complete. For files under 650 MB, this usually takes from 10 seconds to a few minutes. You can track progress in the "My Scans" section.
5. Review the report:
   • Detection ratio: e.g., "5/70" means 5 out of 70 antiviruses flagged the file as malicious. Even one detection can be concerning, especially from reputable engines.
   • Community comments: users sometimes leave notes about the file.
   • Behavioural analysis: if available, shows what the file does when executed (e.g., internet access, changing system settings).
6. If most engines (especially reputable ones like Kaspersky, McAfee) don't detect threats, the APK is likely safe. If detections are found, do not install and delete the file.

⚠️ Important: VirusTotal may have daily scan limits for free accounts. Large APKs (closer to 100 MB) may take longer to upload. Do not upload confidential files, as the service is public—analyses may be visible to others.

Step 3: Analyze Requested Permissions

Before installing an APK from an unknown source, Android will show a list of permissions the app requires. This list can be reviewed without installation.

1. When attempting to install the APK (via a file manager), a system window with permissions will appear. Read each item carefully.
2. Assess whether the permissions align with the app's functionality. For example:
   • A calculator or flashlight should not request access to contacts, SMS, or location.
   • A game may request internet for ads, but SMS access is suspicious.
   • Photo editing apps may need camera and gallery access, but not phone calls.
3. If permissions seem excessive or unrelated to the function, cancel the installation. Click "Cancel" or "No."
4. For already installed apps (if you're checking an APK after installation), use Android's built-in settings: Settings → Apps → select the app → Permissions. Here you can see and revoke unnecessary permissions, but it's better to prevent installing a suspicious APK.

💡 Tip: Some malicious APKs may request minimal permissions on first launch, then request additional ones via updates. Therefore, check permissions not only at installation but also periodically in settings.

Step 4: Static Analysis of the APK on a Computer

For technically proficient users: decompiling the APK and examining the code can reveal hidden threats not detected by antiviruses.

1. Install the necessary tools:
   • Java Runtime Environment (JRE): download from oracle.com and install. Ensure java is available in the command line (check with java -version).
   • APKTool: download the latest version for your OS (Windows, macOS, Linux) from the official site. For Windows, you'll also need git and python (as per APKTool instructions).
   • JADX: download from GitHub releases. This is a GUI application or CLI tool.
2. Decompile the APK using APKTool. Open a terminal (or command prompt) and run:

   apktool d your_app.apk -o decompiled_folder
   

   Where your_app.apk is the path to your file, and decompiled_folder is the output folder. APKTool will create a structure with resources and smali code (low-level Android bytecode).
3. Examine key files:
   • AndroidManifest.xml in the decompiled_folder. Open it in a text editor. Look for permissions (<uses-permission>), especially dangerous ones: RECEIVE_SMS, READ_SMS, WRITE_SETTINGS, INSTALL_PACKAGES. Also check components (<activity>, <service>, <receiver>) for suspicious names.
   • The smali/ folder contains code in smali instructions. Look for method calls related to data access: sendTextMessage (sending SMS), getDeviceId (device identifier), exec (executing commands).
4. For easier reading, use JADX. Launch JADX (GUI) and open the APK file. It converts bytecode into readable Java-like code. Look for:
   • Network requests to unknown domains (strings with http:// or https://).
   • Data encryption (classes like Cipher, SecretKey).
   • Downloading additional files (methods like openConnection, getInputStream).
5. If you find code that explicitly performs malicious actions (e.g., stealing contacts), delete the APK. Remember that sophisticated malware may obfuscate code, making analysis harder—in such cases, rely on automated scanners.

💡 Tip: Static analysis requires time and knowledge. Start with AndroidManifest.xml—major threats are often visible there. For complex APKs, use dynamic analysis in an isolated environment (emulator or sandbox), but that goes beyond this guide.

Step 5: Additional Tools and Services

Beyond the main methods, there are other options for comprehensive verification:

• Antiviruses with advanced features: some, like Bitdefender or McAfee, offer "Cloud Scan" or "Deep Analysis" options that send the file to a server for more thorough checking.
• Specialized online scanners:
  • Hybrid Analysis: requires registration, provides a detailed behavioral report (dynamic analysis). Supports APKs but has a more complex interface.
  • Any.Run: an interactive sandbox where you can run an APK in a virtual environment and observe its actions. Useful for investigation but requires caution—even in a sandbox, malicious code might try to escape.
• Permission analysis apps: "App Permissions" or "Permission Manager" from Google Play allow detailed inspection of which permissions an installed app uses. Although this is post-installation, it can help detect suspicious behavior.
• Community and reviews: search for the app name (if known) on forums like XDA Developers or Reddit. Users often share experiences about suspicious APKs. Also, check the file's SHA-256 hash on VirusTotal—if it's known, there may be comments there.

Combine several methods: on-device antivirus + VirusTotal + permission check provides high confidence. For critically important apps (e.g., banking apps), always use official sources.

Verifying the Result

After completing the steps, you should have a clear picture:

• Antivirus: no detections.
• VirusTotal or similar: low detection ratio (0/70 or at most 1-2 from unknown engines, but even that could be a false positive). Check details: if detections are from known antiviruses (Kaspersky, ESET)—that's serious.
• Permissions: all requested permissions logically align with the app's functionality (e.g., a messenger requests contacts and camera access).
• Static analysis (if performed): code contains no suspicious calls or hidden actions.

If all these criteria are met, the APK can be considered relatively safe for installation. However, remember: no method provides an absolute guarantee. Attackers constantly develop new techniques to evade detection. Therefore:

• Prefer Google Play: apps from the official store pass Google Play Protect's automated checks and rarely contain malware.
• Avoid unknown sources: if an app is available on Google Play, don't look for its APK elsewhere.
• Keep your OS and antivirus updated: this protects against new threats.

Potential Issues

You may encounter difficulties when verifying an APK:

• False positives: antiviruses sometimes incorrectly flag clean APKs, especially if they use non-standard libraries or packaging. Solution: check the file on multiple services (VirusTotal, online scanners). If most say "clean" but only one antivirus reacts—it's likely a false positive. You can submit the file to the antivirus vendor for clarification.
• Online service limits: free VirusTotal accounts have limits (e.g., 500 requests per month). Large APKs (over 100 MB) might fail to upload. Solution: use an on-device antivirus or reduce the APK size (if possible, remove unnecessary resources).
• Obfuscation and packing: many APKs, especially pirated or modified ones, use obfuscation (code scrambling) or packers (e.g., DexGuard). This makes static analysis nearly useless. Solution: in such cases, rely on dynamic analysis (running in a sandbox) or avoid installation.
• Delayed payload: malicious code may activate only after several days or under specific conditions (e.g., after receiving an SMS). This is hard to detect without prolonged monitoring. Solution: avoid APKs from unverified sources, even if initial checks pass.
• Android access issues: during scanning, the antivirus may request file access permission. Ensure you grant it in the device's security settings. If the antivirus can't see files, check if the APK is on an external SD card with restricted access.
• Outdated antivirus databases: if an antivirus hasn't been updated recently, it might miss new threats. Solution: configure automatic signature database updates.

If you detect a threat, immediately delete the APK and perform a full device scan. In the future, always verify APKs from unknown sources before installation.