You're always better off getting apps from reputable stores like Google Play than you are from potentially dodgy, at best unknown, third-party sites. But even Google Play isn't immune from problems.
Mountain View periodically has to kick badly behaved apps out of its store, and last week saw one such expulsion. A number of apps afflicted with the Tizi backdoor were booted out. Tizi was able to root devices via old, known vulnerabilities. Google published a reminder of five steps your users can take to protect themselves against social engineering by potentially harmful apps:
- "Check permissions," and always be suspicious of apps that make unreasonable demands. There's no reason a flashlight, for example, should need to send SMS messages.
- "Enable a secure lock screen," with some factor (password, PIN, gesture, whatever your device accommodates) that's easy for you to remember but hard for others to guess.
- "Update your device." Patch. Note that Tizi took advantage of old bugs for which patches already exist; if your system is up to date, those particular holes are closed and the device is that much more secure.
- "Google Play Protect." If you're an Android user, Google Play Protect will help keep you safe.
- "Locate your device," that is, "practice finding" it. Losing your phone is the security misstep you're most likely to make. More at:
https://www.helpnetsecurity.com/2017/11/28/tizi-backdoor-rooted-android/
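The "check permissions" step above can be turned into a mechanical review before an app is sideloaded or approved for a fleet. The script below is an added illustration, not code from Google or from the Help Net Security article: it parses a constructed AndroidManifest.xml for a supposed flashlight app and reports every declared permission that a flashlight has no plausible reason to hold (the SMS example from the text plus a few similar ones). The policy set is a sample for this example, not an official list.

```python
"""Flag manifest permissions that a simple utility app (e.g. a flashlight)
has no business requesting.  Added example; the manifest is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that are hard to justify for a flashlight-style utility.
# Sample policy for this example only, not an official Google list.
UNREASONABLE_FOR_FLASHLIGHT = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
}

# Constructed sample manifest: a "flashlight" that also wants SMS and contacts.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Flashlight"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> element, in order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for elem in root.iter("uses-permission"):
        # The attribute lives in the android XML namespace.
        name = elem.get("{%s}name" % ANDROID_NS)
        if name:
            names.append(name)
    return names


def flag_unreasonable(permissions, policy=UNREASONABLE_FOR_FLASHLIGHT):
    """Return the sorted subset of permissions that the policy rejects."""
    return sorted(p for p in permissions if p in policy)


def review_manifest(manifest_xml, policy=UNREASONABLE_FOR_FLASHLIGHT):
    """Parse a manifest and return the permissions a reviewer should question."""
    return flag_unreasonable(declared_permissions(manifest_xml), policy)


if __name__ == "__main__":
    for perm in review_manifest(SAMPLE_MANIFEST):
        print("unexpected permission for a flashlight app:", perm)
```

Swap in a different policy set per app category (a messaging app legitimately needs SMS) and feed the manifest extracted from the APK under review; anything the function returns is a question to ask before installing.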