Google and Apple’s app stores both have a reputation for being pretty trustworthy these days. It’s easy to assume that if an app is in either the iPhone App Store or the Google Play Store, it’s safe to download. But a new Google crackdown this week reminds us that this isn’t so clear cut.Yesterday, a third-party security report revealed that Google had recently removed 224 malicious apps from the Android Play Store. Dubbed “SlopAds” apps by security company Human, which discovered the apps and wrote the report, these apps evaded Google’s usual security procedures and instead used a clever workaround to secretly install malware on users’ devices, even when downloaded straight from Google’s servers. The way these apps worked was that, if you downloaded them by searching for them through the Google Play Store, they would work as advertised with no malware dragging them down. Generally, these apps were pitched as simple utilities, or attempted to pass themselves off as more popular programs like ChatGPT, to try to trick users into downloading them. Not the best tools, certainly, but if accessed directly through Google, they wouldn’t hurt you.But the trick is that, if you downloaded one of these apps after arriving at the Play Store via one of SlopAds ad campaigns, it would also secretly download an encrypted configuration file that, after a few post-download checks, would install malware on your device.Once a device was infected, the app would then steal its information, and start using it to generate fake ad impressions on sites run by the scammers, maximizing profit.It was a clever way to get around Google’s regular review process, and a good reminder that, even as major companies try to make their app stores safe to use, you should still be vigilant while browsing them.How to avoid installing malware on your deviceWhile SlopAds has been thwarted for now, you should still take a few steps to keep your device safe while downloading new apps, especially since SlopAds isn’t alone in sneaking Malware onto the Play Store. Here are just a few ways to protect your device while browsing for new apps.Download your apps directly from the Play StoreAndroid is different from iOS in that it allows you to sideload apps onto your device. This can be convenient when working with smaller developers, who might not have the resources to get their programs on the Play Store. But downloading an app that hasn’t been verified by Google opens you up to extra risk. Always ensure you trust a developer and the specific APK file you’re using before sideloading an app. Google is currently working to block sideloading unless a developer is verified (which has been controversial, despite the extra security it gives you), although these changes aren’t set to hit most of the world until 2027.Find apps through the Play StoreAs SlopAds proves, navigating to an app through an outside source can flag it to download extra files to your device that you won’t get if you find the app through the Play Store’s own search functionality. Always be cautious about links to apps that you find on suspicious websites, and especially in ads. Using the Play Store to discover new apps instead could save you some headaches down the line, especially as Google’s search is less likely to send you to suspicious apps than it is popular apps that have been verified as safe by other users.Check user reviews and permissionsIf you scroll down before downloading an app through the Play Store, you’ll see which permissions an app needs to do its work on your phone, and you’ll also be able to read user reviews. This can be handy if there are known issues with an app, or the requested permissions seem to be a bit too generous for what the app claims to do. However, this isn’t a catch-all solution—SlopAds did its malicious behavior in the background without needing any sort of permissions, and depending on where a user downloaded a SlopAd app from, it might not have even installed malware on their device. It’s possible apps with good reviews could still have harmful software included on the sly.Turn on Google Play ProtectWhile SlopAds was able to bypass Google Play Protect, it’s still a good idea to turn it on if it isn’t enabled on your device already. This will scan an app for known malware before downloading it, giving you an extra layer of protection. It will also periodically scan apps already installed on your device. To ensure it’s turned on, open the Play Store, click your profile icon in the top right corner, and navigate to Play Protect > Settings. To scan sideloaded apps, you can also turn on the Improve harmful app detection setting, which is in the same spot.Run a Google Security CheckupFinally, you can run a Google Security Checkup on your device via a web browser. This will help you tighten your online security, encouraging you to take security steps like adding a recovery email or phone number to your Google account. It’ll also list recent security activity, and will generally ensure that, even if a malicious app steals your data, you’ll be able to lock it out of your account with the least issue possible.