Downloading apps outside the Play Store is normal — region-locked apps, older versions, and tools Google rejects all live on third-party stores. The problem is trust. In one well-documented case, a popular APK store shipped an advertising SDK with an embedded trojan dropper inside its own client app, capable of showing lock-screen ads, opening browser tabs, and pulling down more malware.

The one thing that actually proves an APK is safe

A green badge means nothing on its own. Two checks do the real work:

  • Signature pinning. Every legitimate Android app is cryptographically signed by its developer. If two versions of an app are signed by the same key, they came from the same key holder — and Android refuses to install an update signed by a different key over the copy already on the device, so a re-signed, tampered build cannot silently replace the genuine one. A trustworthy store publishes the signer's certificate fingerprint and pins it, rejecting any later upload whose signer differs.
  • Independent malware scanning. Running the APK through a multi-engine scanner (e.g. VirusTotal) before it is ever served catches known droppers, spyware SDKs and repacked malware.

How to check an APK yourself

  1. Confirm the package name matches the real app (not a look-alike like com.app.free2).
  2. Check the signing certificate's SHA-256 fingerprint — a clean store publishes it; you can read it from the file with apksigner verify --print-certs app.apk and compare the two exactly (a fingerprint that is "almost" the same is a different key).
  3. Upload the file to a multi-engine scanner and look for 0 detections.
  4. Never enable “Install unknown apps” for a random browser and leave it on.
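The checks in the bulleted "signature pinning" section and in steps 1 to 3 above reduce to exact string comparisons, and it is worth seeing them as code because the usual mistake is a loose comparison (prefix match on the package name, a fingerprint compared by eye). The following is an added example written for this page, not PureApps' own tooling: it parses the text that `aapt dump badging` and `apksigner verify --verbose --print-certs` print for an APK and applies the store's policy to it. The badging line, the apksigner output, the package name `com.example.notes` and the pinned fingerprint are all constructed samples; the `Verifies` line it looks for assumes apksigner was run with `--verbose`.

```python
"""Apply a store's APK policy: exact package name, exactly one signer whose
certificate SHA-256 matches the pinned value, and a signature apksigner
could verify. Added example; parses tool output so it runs offline."""
import hmac
import re

# Constructed sample of the first line printed by `aapt dump badging app.apk`.
SAMPLE_BADGING = ("package: name='com.example.notes' versionCode='42' "
                  "versionName='1.4.2' platformBuildVersionName='14'")

# Constructed sample of `apksigner verify --verbose --print-certs app.apk`.
# The digests are made-up values, not any real developer's key.
SAMPLE_APKSIGNER = """Verifies
Verified using v1 scheme (JAR signing): false
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Number of signers: 1
Signer #1 certificate DN: CN=Example Notes, O=Example Ltd, C=US
Signer #1 certificate SHA-256 digest: 8b1e0c2f7d0a4c6e9f1b3d5a7c9e1f2b4d6a8c0e2f4b6d8a0c2e4f6a8b0d2e4f
Signer #1 certificate SHA-1 digest: 0123456789abcdef0123456789abcdef01234567
Signer #1 certificate MD5 digest: 0123456789abcdef0123456789abcdef
"""

# Fingerprint the store pinned when it first published the app (constructed).
# Stores often print it colon-separated and upper-case; normalize before comparing.
PINNED_SHA256 = ("8B:1E:0C:2F:7D:0A:4C:6E:9F:1B:3D:5A:7C:9E:1F:2B:"
                 "4D:6A:8C:0E:2F:4B:6D:8A:0C:2E:4F:6A:8B:0D:2E:4F")


def normalize_fingerprint(fp):
    """Accept '8B:1E:..' or '8b1e..' and return 64 lower-case hex digits, else None."""
    digits = re.sub(r"[\s:]", "", fp).lower()
    return digits if re.fullmatch(r"[0-9a-f]{64}", digits) else None


def parse_package_name(badging):
    """Package name from the `package: name='...'` line of aapt dump badging."""
    m = re.search(r"^package: name='([^']+)'", badging, re.M)
    return m.group(1) if m else None


def parse_signers(apksigner_output):
    """{signer_number: sha256_hex} for every signer certificate apksigner printed."""
    signers = {}
    pattern = r"^Signer #(\d+) certificate SHA-256 digest: ([0-9a-fA-F]+)"
    for m in re.finditer(pattern, apksigner_output, re.M):
        signers[int(m.group(1))] = m.group(2).lower()
    return signers


def check_apk(badging, apksigner_output, expected_package, pinned_sha256):
    """Return (ok, problems). Every comparison is exact: a look-alike package
    name or a certificate that merely resembles the pinned one fails."""
    problems = []

    pkg = parse_package_name(badging)
    if pkg != expected_package:  # exact and case-sensitive: 'com.app.free2' != 'com.app.free'
        problems.append(f"package name {pkg!r} is not {expected_package!r}")

    # apksigner prints 'Verifies' (with --verbose) on success and 'DOES NOT VERIFY' on failure.
    if "DOES NOT VERIFY" in apksigner_output or not re.match(r"Verifies\b", apksigner_output):
        problems.append("apksigner did not report a verified signature")

    pinned = normalize_fingerprint(pinned_sha256)
    if pinned is None:
        problems.append("pinned fingerprint is not a 64-hex-digit SHA-256")

    signers = parse_signers(apksigner_output)
    if not signers:
        problems.append("no signer certificate found in apksigner output")
    elif len(signers) != 1:
        problems.append(f"expected exactly one signer, found {len(signers)}")
    elif pinned is not None and not hmac.compare_digest(signers[1], pinned):
        problems.append(f"signer SHA-256 {signers[1]} does not match pinned {pinned}")

    return (not problems, problems)


if __name__ == "__main__":
    ok, problems = check_apk(SAMPLE_BADGING, SAMPLE_APKSIGNER,
                             "com.example.notes", PINNED_SHA256)
    print("OK: signer matches pin" if ok else "REJECT: " + "; ".join(problems))
```

In practice the two sample strings come from running the tools on the downloaded file; the policy function stays the same. Note that a re-signed copy of a genuine app passes step 3 (a scanner sees nothing malicious in it) but still fails here, because the fingerprint no longer matches the pin, which is why the signature check is the one that proves origin.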

Why we built PureApps differently

Every app on PureApps is first-party software we wrote and signed ourselves, scanned and signature-pinned before it ships. No cracked apps, no repacks, no surprise subscriptions, no watermarks. That is the entire point of the store — trust is the product, not an afterthought.