
Binance APK Integrity SHA256 Verification Tutorial: Anti-Tampering in Practice

~17 min read · ChainKer Editorial Team

Quick Answer: Compute the Downloaded File's Hash and Compare It Character-by-Character With the Official Value

After downloading the Binance APK from the official website, there is still one safety mechanism worth using: verifying the file's SHA256 hash. If your computed hash exactly matches the value Binance publishes, the file you hold is byte-for-byte the file Binance published, and it has not been replaced, injected, or repackaged anywhere along the way. The check is simple to run and effective against phishing copies and trojan-bundled repacks.

Why APK Verification Is Worth 30 Seconds

Strong Verification Doesn't Exist Outside App Stores

Google Play and Galaxy Store both have internal signature checking, so apps from these stores are unlikely to be swapped out. But the official APK gets pulled directly to your local machine via the browser, and any router, CDN node, or ISP along the way can be an attack entry point. Hash verification adds an end-of-chain check.

Phishing Sites Can Be Visually Indistinguishable

Phishing sites mimic the real one ever more convincingly, and they can obtain valid SSL certificates too. What they cannot do is serve a modified file whose SHA256 matches the official value: change one byte and the hash is completely different.

One Verification Takes Just Seconds

Running a hash on your own computer is faster than installing antivirus software. Learn it once, use it forever — the verification flow works for any APK, ISO, or DMG file.

What Is SHA256

SHA256 is a hash function that maps a file of any size to a fixed-length digest, written as 64 hexadecimal characters. Its key property: change one bit of the original file and the output hash changes completely. Two different files essentially never produce the same hash (the collision probability is extremely low in practice).

For example, a legitimate Binance APK's SHA256 looks like:

8a2f4b... (64 characters)

Anyone repackaging, adding ad SDKs, or changing icons will produce a hash that doesn't match the official one when re-computed.

Step 1: Get the Official Hash

Where to Find the Official Publication

  1. Open Binance's download page in your browser (mind the domain spelling).
  2. Near the APK download button there's usually a "verification info" or "SHA256" collapsible section.
  3. Copy the 64-character hash to a notepad.

Beware "the Phishing Site Also Provides a Hash"

If the APK itself is from a phishing site, the hash that site provides is also fake — matching it accomplishes nothing. So the prerequisite is: the APK link and the hash both come from the same site, and that site is genuinely official. You can use a second client (mobile 4G, another known-clean computer) to double-check the official domain.

Step 2: Compute the File's Hash Locally

Windows 11 / 10 With PowerShell

Press Win + X to open Windows Terminal, navigate to the APK's directory, and run:

Get-FileHash -Algorithm SHA256 .\binance.apk

After a second or two it outputs a Hash field; compare this string with the official hash. PowerShell outputs uppercase while the official may give lowercase — that's just a format difference, not a content difference.

Windows Command Line With certutil

If you don't want to use PowerShell:

certutil -hashfile binance.apk SHA256

The output includes a continuous 64-character line — that's the hash.

macOS With shasum

Open Terminal and navigate to the download directory:

shasum -a 256 binance.apk

The output looks like <hash> binance.apk — the first part is what to compare.

Linux With sha256sum

sha256sum binance.apk

Output format is similar to macOS.

Computing Directly on an Android Phone

If the APK is already on your phone and you can't easily reach a computer, install an open-source "Hash Droid" or "Hash Checker" type app (pick a high-rated one from a trusted store), then:

  1. Open the hash tool → select file.
  2. Find binance.apk in the download directory.
  3. Choose SHA256 as the algorithm.
  4. Tap start, wait a few seconds for the output.

Step 3: Compare the Two Hashes

Don't Eyeball It

Eyeballing 64 characters will miss differences. The right approach is to paste both the official hash and your computed hash into the same text box, align them, and check for an exact match.

Use a Tool for Auto-Comparison

Windows users can do:

"<official hash>" -eq (Get-FileHash -Algorithm SHA256 .\binance.apk).Hash

True means matching, False means mismatched.

macOS / Linux:

echo "<official hash>  binance.apk" | shasum -a 256 -c

Shows OK or FAILED.

Step 4: What to Do If They Don't Match

Stop the Installation Immediately

A mismatched hash means the file has been tampered with or the download was corrupted; don't try to open it again. Move the file from the download directory to an isolated folder to avoid accidental clicks.

Investigate Possible Causes

  • Re-download the official APK and verify again. If both attempts mismatch → the link is hijacked; switch network (4G/VPN/different ISP) and try again.
  • Check the official domain spelling: many users typed a wrong letter and ended up on a fake site.
  • Is the browser running an "accelerator" or "translation" extension? They sometimes modify download contents.

Report the Sample

If you're sure you got a tampered APK, report it to Binance customer support to help track the phishing site. Don't open it on an unsecured device.
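
Steps 2 to 4 combined into one script, as an added example that is not from the original article or from Binance. The function names and the `./quarantine` default are assumptions; the script works with either `sha256sum` or `shasum`.

```shell
#!/bin/sh
# Added example (not from the article): Steps 2-4 in one function.

# Print the lowercase SHA256 of a file with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | cut -d' ' -f1
    else
        shasum -a 256 < "$1" | cut -d' ' -f1
    fi
}

# Strip whitespace and lowercase a pasted hash, so PowerShell's uppercase
# output or a stray trailing newline does not cause a false mismatch.
normalize_hash() {
    printf '%s' "$1" | tr -d ' \t\r\n' | tr 'A-F' 'a-f'
}

# verify_apk FILE EXPECTED_HASH [QUARANTINE_DIR]
# Returns 0 on match, 1 on mismatch (file is moved), 2 on unusable input.
verify_apk() {
    file=$1
    expected=$(normalize_hash "$2")
    quarantine=${3:-./quarantine}   # assumed default location
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    # Refuse a truncated or mistyped reference value instead of comparing it.
    case $expected in
        *[!0-9a-f]*) echo "expected hash contains non-hex characters" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected hash is not 64 characters" >&2; return 2; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    # Step 4: move the file out of the download directory.
    mkdir -p "$quarantine" && mv -- "$file" "$quarantine/"
    return 1
}

# Run as: sh verify_apk.sh ./binance.apk "<official hash>"
if [ "$#" -ge 2 ]; then verify_apk "$@"; fi
```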

Bonus: Signature Verification (Advanced)

SHA256 only verifies integrity, not the publisher directly. Going further, you can verify the APK's digital signature fingerprint.

Using keytool

The JDK's bundled keytool reads the signing certificate inside the APK:

keytool -printcert -jarfile binance.apk

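The output includes a SHA256 fingerprint of the signing certificate, which is a different thing from the file's SHA256. If this fingerprint equals the signing fingerprint Binance publishes, the APK was signed with Binance's private key. Anyone who repackages the APK has to re-sign it with their own key, so either the signature breaks or the fingerprint no longer matches. Note that keytool reads only the JAR-style (v1) signature; for an APK signed only with APK Signature Scheme v2 or later it reports that the file is not a signed JAR, and apksigner is the tool to use.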

apksigner

The Android SDK's apksigner can also verify:

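apksigner verify --verbose --print-certs binance.apk

Output "Verifies" means the signature is valid, which by itself only shows that the APK is consistently signed by some key; a repackaged APK re-signed by someone else verifies too. The line to compare is the certificate SHA-256 digest printed for the signer: it must equal Binance's published signing fingerprint. Combining the file hash check with this fingerprint check makes forgery essentially impossible.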
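
The fingerprint comparison described above, as an added example that is not from the original article or from Binance. The function names are assumptions, and the sample apksigner output and fingerprint are constructed placeholders, not Binance's real values.

```shell
#!/bin/sh
# Added example (not from the article): compare the signer certificate that
# apksigner reports with the publisher's fingerprint.

# Reduce a fingerprint to bare lowercase hex so keytool's "AB:CD:..." form
# and apksigner's "abcd..." form compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'A-F' 'a-f'
}

# Read `apksigner verify --verbose --print-certs` output on stdin and print
# each signer's certificate SHA-256 digest, one per line.
signer_digests() {
    sed -n 's/^Signer #[0-9]* certificate SHA-256 digest: *\([0-9A-Fa-f]*\).*$/\1/p'
}

# cert_matches EXPECTED_FINGERPRINT   (apksigner output on stdin)
# Returns 0 only when exactly one signer is listed and its digest matches;
# 1 on a different or additional signer; 2 when the input is unusable.
cert_matches() {
    want=$(normalize_fp "$1")
    [ "${#want}" -eq 64 ] || { echo "fingerprint is not 64 hex characters" >&2; return 2; }
    got=$(signer_digests)
    [ -n "$got" ] || { echo "no signer digest in input" >&2; return 2; }
    # Assumed policy: more than one signer is treated as a failure.
    [ "$(printf '%s\n' "$got" | grep -c .)" -eq 1 ] || return 1
    [ "$(normalize_fp "$got")" = "$want" ]
}

# Constructed sample output and fingerprint (placeholders, not Binance's).
SAMPLE_OUTPUT='Verifies
Verified using v2 scheme (APK Signature Scheme v2): true
Number of signers: 1
Signer #1 certificate DN: CN=Example Publisher
Signer #1 certificate SHA-256 digest: 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff'
EXPECTED_FP='00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF'

if printf '%s\n' "$SAMPLE_OUTPUT" | cert_matches "$EXPECTED_FP"; then
    echo "signing certificate matches the expected fingerprint"
fi
```

With a real file, pipe the apksigner command's output into `cert_matches` with the published fingerprint as the argument, and check apksigner's own exit status as well.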

Common Questions

I Verified the APK and Got Disconnected During Install — Do I Re-Verify

No need. An interrupted install doesn't change the APK file; as long as the file is still in the download directory and the hash still matches, you can safely continue installation.

How Do I Verify a Version Already Installed on My Phone

If it was installed from the official site, you can pull the APK off the phone with ADB and compute its hash. An easier method is to download the latest APK from the official site, verify its SHA256, and install it over your current version; the app on your phone is then the file you just verified.

MD5 or SHA256

Choose SHA256. MD5 has been proven to have collision risk — attackers can theoretically construct a different file with the same MD5. SHA256 currently has no practical collision attacks.

Is a Matching Hash 100% Safe

A matching hash only proves the file is unaltered, provided the official hash you received is itself genuine. So domain checking and HTTPS certificate checking still can't be skipped. Both layers together make it complete.

Can I Hash on My Phone

Yes. Hash Droid and Hash Checker mentioned above support local hash computation, and don't require internet — they don't upload the APK to any server.

Summary

SHA256 verification is a habit many people overlook, but one worth building. The three steps Download → Verify → Install reduce the chance of being tricked by a phishing version to nearly zero. Once you're proficient, the whole process takes under a minute, yet it guards the most critical gate to your assets.

