1. Stay away from warez.
If someone is going to crack an app to save a little money, they probably can't be trusted not to add a little extra code designed to line their own pockets. The more warez a website hosts, the more worried you should be about anything you download from it. The Google and Amazon app stores care about their reputations, so they typically make an effort to remove malware as soon as they find it. The same goes for xda, though you should still expect some malware to sneak through; the problem is much worse with the alternative app stores that don't care as much about their user base.
2. Pay close attention to what is being downloaded.
Check the name and the extension of what you downloaded; if they are wrong, then it is probably something you don't want to install.

Example of fake download links:
An increasing number of file hosts are trying to "trick" users into downloading Windows or Mac installers that typically deliver adware to your computer. If the file ends in .exe or .dmg but you are expecting .apk or .zip, then you should probably stay away. Please note that All-In-One toolkits and some other things may legitimately come as an .exe, so use your common sense. Similarly, many malware engines won't flag adware because it is something that you have "chosen" to install, so it is a good idea to be careful with anything that even one or two malware engines flag as adware.

Many file hosts have started offering more than one download link: a real link for what you want, and then some fake links that take you to ads or hand you unwanted malware rather than the file you want. Using an adblocker will help reduce these fake links, but again, make sure what you end up downloading is what you really want. Being asked to install a download accelerator, download manager, or pretty much any kind of "update" to get the download to work is a common ploy to get you to download and install something you really don't want.
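One way to make the "check the name and the extension" step mechanical is to compare the file's extension with what its first bytes actually say it is, since a renamed installer keeps its real header. The script below is an added example and not part of the original post; the magic-byte table, the AndroidManifest.xml test for a real APK, and the sample files that build_samples() constructs in a temporary directory are all assumptions made for the demonstration, and nothing is downloaded.

```python
"""Sanity-check a downloaded file before installing it.

Added example, not from the original post: compares the file's extension
with what its leading bytes say it actually is. Sample files are constructed
in a temporary directory by build_samples(); nothing here is downloaded.
"""
import os
import tempfile
import zipfile

# Magic bytes at offset 0, mapped to a container type (constructed table).
MAGIC = {
    b"PK\x03\x04": "zip",   # .apk and .zip are both ZIP containers
    b"MZ": "exe",           # Windows PE executable (.exe, .dll, .scr)
    b"\x7fELF": "elf",      # Linux/Android native binary
}


def detect_container(path):
    """Return the container type implied by the file's bytes, not its name."""
    with open(path, "rb") as f:
        head = f.read(4)
        # Apple disk images (.dmg) carry a 512-byte 'koly' trailer at the end.
        f.seek(0, os.SEEK_END)
        size = f.tell()
        if size >= 512:
            f.seek(size - 512)
            if f.read(4) == b"koly":
                return "dmg"
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def is_android_package(path):
    """A real APK is a ZIP archive that contains AndroidManifest.xml."""
    if detect_container(path) != "zip":
        return False
    with zipfile.ZipFile(path) as z:
        return "AndroidManifest.xml" in z.namelist()


def check_download(path, expected):
    """expected is 'apk' or 'zip'. Returns (ok, reason)."""
    ext = os.path.splitext(path)[1].lower().lstrip(".")
    kind = detect_container(path)
    if ext != expected:
        return False, f"extension .{ext} but expected .{expected}"
    if kind in ("exe", "dmg", "elf"):
        return False, f"named .{ext} but contents are a {kind} installer/binary"
    if expected == "apk" and not is_android_package(path):
        return False, "not a valid Android package (no AndroidManifest.xml)"
    if expected == "zip" and kind != "zip":
        return False, f"not a ZIP archive (detected {kind})"
    return True, f"extension and contents agree ({kind})"


def build_samples(directory):
    """Construct sample downloads: a genuine-looking APK, a Windows executable
    renamed to .apk, and a plain ZIP with no manifest. Returns their paths."""
    good = os.path.join(directory, "app-release.apk")
    with zipfile.ZipFile(good, "w") as z:
        z.writestr("AndroidManifest.xml", "<manifest/>")
        z.writestr("classes.dex", b"dex\n035\0")
    renamed = os.path.join(directory, "app-release-fake.apk")
    with open(renamed, "wb") as f:
        f.write(b"MZ" + b"\x00" * 62)   # fake PE header, constructed
    plain = os.path.join(directory, "rom.zip")
    with zipfile.ZipFile(plain, "w") as z:
        z.writestr("README.txt", "not an app")
    return good, renamed, plain


def demo():
    """Run the check over the constructed samples; returns {basename: ok}."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for p in build_samples(d):
            expected = "apk" if p.endswith(".apk") else "zip"
            ok, why = check_download(p, expected)
            print(("OK  " if ok else "WARN"), os.path.basename(p), "-", why)
            results[os.path.basename(p)] = ok
    return results


if __name__ == "__main__":
    demo()
```

The renamed executable fails even though its name ends in .apk, which is exactly the case a glance at the filename misses; the plain ZIP passes as a ZIP but not as an APK.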
3. Run a malware check on the download before installing it.
I prefer https://www.virustotal.com & http://sanddroid.xjtu.edu.cn/#home but there are plenty of other tools (see http://wiki.secmobi.com/tools:android_dynamic_analysis for a more thorough listing).

Please feel free to post any tips or tricks you have for avoiding malware and I will see about adding them here.
VirusTotal uses a number of anti-malware engines to scan your file for known malware. The more engines that return a positive match, the more likely it is that you have downloaded malware. If you downloaded something that can root your phone, then in all likelihood some scanners will flag it as malware; those can be considered false positives. Be aware that just because an app is rated as clean doesn't mean it really isn't malware: maybe it hasn't been identified as malware yet, or maybe the sandbox didn't trigger the malicious parts of the app.
False positives from a rooting app:
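Reading a VirusTotal result the way the paragraph above describes (count the positive matches, then look at what the few hits actually are before deciding they are false positives) can be scripted. The following is an added example, not code from the original post or from VirusTotal: it hashes the file, asks the public VirusTotal API v3 file-report endpoint for an existing report, and summarizes the verdict. The VT_API_KEY environment variable, the SAMPLE_REPORT shaped like a v3 file object, and the "few"/"many" thresholds are assumptions made for the demonstration.

```python
"""Look up a download on VirusTotal by hash and read the verdict.

Added example, not from the original post. Uses the VirusTotal API v3
file-report endpoint (GET /api/v3/files/{sha256}, header x-apikey); the
key is assumed to be in the VT_API_KEY environment variable.
summarize_report() is pure and is demonstrated on a constructed response.
"""
import hashlib
import json
import os
import sys
import urllib.error
import urllib.request

VT_URL = "https://www.virustotal.com/api/v3/files/"

# Constructed sample shaped like a v3 file object; only three engines shown.
SAMPLE_REPORT = {
    "data": {"attributes": {
        "last_analysis_stats": {"harmless": 0, "malicious": 2, "suspicious": 0,
                                "undetected": 58, "timeout": 0,
                                "type-unsupported": 7},
        "last_analysis_results": {
            "EngineA": {"category": "malicious", "result": "Android.Adware.Example"},
            "EngineB": {"category": "malicious", "result": "PUA/Adware.Example"},
            "EngineC": {"category": "undetected", "result": None},
        },
    }},
}


def sha256_of_file(path):
    """Hash the local file; VirusTotal reports are keyed by this value."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def fetch_report(sha256, api_key):
    """Return the VirusTotal file object, or None if VT has never seen the hash
    (then upload the file through the website so it actually gets scanned)."""
    req = urllib.request.Request(VT_URL + sha256, headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return None
        raise


def summarize_report(report):
    """Reduce a file object to the numbers a user actually needs to decide."""
    attrs = report["data"]["attributes"]
    stats = attrs["last_analysis_stats"]
    results = attrs["last_analysis_results"]
    # Engines that could not scan the file (timeouts, unsupported type) do
    # not count as "clean" votes, so only these four categories are scanned.
    scanned = sum(stats.get(k, 0) for k in
                  ("malicious", "suspicious", "harmless", "undetected"))
    flagged = sorted((name, r.get("result") or r.get("category"))
                     for name, r in results.items()
                     if r.get("category") in ("malicious", "suspicious"))
    hits = stats.get("malicious", 0) + stats.get("suspicious", 0)
    if hits == 0:
        verdict = "none"   # no engine flagged it; not proof that it is clean
    elif hits <= 2:
        verdict = "few"    # inspect the labels: adware/PUA or a rooting tool?
    else:
        verdict = "many"   # multiple independent engines agree; treat as malware
    return {"flagged": hits, "scanned": scanned, "engines": flagged,
            "verdict": verdict}


def main(path):
    key = os.environ.get("VT_API_KEY")
    if not key:
        sys.exit("set VT_API_KEY to your VirusTotal API key")
    digest = sha256_of_file(path)
    report = fetch_report(digest, key)
    if report is None:
        print(f"{digest}: unknown to VirusTotal, upload it for a fresh scan")
        return
    s = summarize_report(report)
    print(f"{digest}: {s['flagged']}/{s['scanned']} engines flagged ({s['verdict']})")
    for engine, label in s["engines"]:
        print(f"  {engine}: {label}")


if __name__ == "__main__":
    main(sys.argv[1]) if len(sys.argv) > 1 else print(summarize_report(SAMPLE_REPORT))
```

In the constructed sample two engines flag the file and both labels say adware, which is the "one or two engines flag it as adware" situation from tip 2; a rooting tool would typically show labels naming the exploit or tool instead, which is where the false-positive judgement has to be made by reading the labels rather than just counting them.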
Sanddroid is just for checking apps: it runs them in a sandbox and then reports on the behaviour it observed.
Please do not ask whether something contains malware or not. If you are in doubt, then don't install it; if it is something you found on xda and are worried about, then report the post and a moderator will investigate it. The last thing we want is for people to accidentally green-light something that is bad. It is your device, so in the end the decision can only be up to you.