How to avoid becoming a victim of malicious mobile apps
According to statistics, there are almost 6.6 billion smartphone users in the world -- nearly 83 percent of the total population of the Earth. The revolution in mobile devices has meant that the phone is no longer primarily a tool for making calls; it has become a tool for entertainment, study, business, and much more.
All these functions are possible due to mobile apps available in specialized stores such as the Apple Store or Google Play as well as unofficial stores.
The popularity of mobile applications is growing from year to year. Over 218 billion downloads were made in 2020. It is predicted app downloads will go over 285 billion by the end of 2022.
Naturally, information technologies used on such a massive scale attract many cyber fraudsters. Their target is data stored on phones, which can be both personal (photos, documents, bank card data) and work data. Leakage of such information can be extremely unpleasant for its owner.
Today, attackers can often do without complex social engineering campaigns and other techniques to steal information. The approach is quite simple: create a fake application that impersonates a real one and performs malicious actions. Such programs are not limited to data theft; there are also plenty of cryptocurrency mining apps, ad fraud apps, tracking apps, and so on.
Besides fake apps, there is another way to fool users. Fraudsters create a "legitimate" application that steals the necessary information behind the scenes and transfers it to their servers.
Of course, Google Play and Apple Store engineers do not look on indifferently at what is happening. They actively fight such programs: all applications are checked manually and automatically before publication and periodically after publication. But this is not enough to keep every fraudulent application at bay.
The main ways of creating fake apps
Imitation of popular programs
The more popular the application is, the more fake versions will be created. This method relies on human psychology: many people want to follow trends and have the most popular apps on their phones.
Scammers create clones of popular programs but with additional "side" functions like interception of the entered text and bank card data, taking screenshots, etc. Visually, such apps do not differ from legitimate ones. They have the same icons, names, and even the name of the manufacturer may look like the real one.
Moreover, even an app store can be faked. For example, several years ago, a fake copy of the Google Play store was discovered.
Attackers are not limited to hugely popular applications such as WhatsApp. Cybercriminals follow trends and news. As the popularity of cryptocurrencies grows, applications appear that pretend to be well-known cryptocurrency exchanges. When COVID-19 appeared, fake "disease-fighting" apps were not long in coming. Major cultural or political events that are coming up or taking place are also occasions for releasing new fake programs.
Imitation of prohibited applications
It is no secret that in many countries, for various reasons (political, religious, ethical, etc.), specific applications are prohibited. Facebook is blocked in Russia, TikTok is blocked in India. Fraudsters fake a banned app and publish it in a store with a similar name and the assurance that it really works like the original one. After TikTok was banned in India, the TikTok Pro application appeared very quickly. It was offered by a different developer and had completely different functions.
Attackers rely on psychological factors. Many users want to have something that is popular all over the world and are ready to install applications from any source to get it, without worrying about security issues.
Applications can be installed not only from the official store but from any site: you just need to download an installation file in the appropriate format and install it. This is possible on both Android and iOS phones, and it gives attackers a lot of room for action. App stores regularly check the apps added to them, but site owners do not.
The need for "unofficial" downloads is driven by such factors as the prohibition of applications of specific categories (casino, pornography, etc.), marketing activity ("our application is about to appear in the store, but has not yet passed all appropriate formalities, be the first one to test it and win prizes"), and some others.
Hackers can also attack legitimate sites in order to replace safe applications with malicious ones or create fake copies of legitimate sites and upload dangerous programs there.
Threats from legitimate applications
Legitimate applications with illegitimate activity
Another way to trick users is to create a legitimate application that starts performing its unwanted activity after some time. Barcode Scanner is a good example. It was initially positioned as a convenient application for scanning barcodes, and then suddenly began to persistently display ads.
Data breaches involving mobile devices do not always stem from installing a fake program. Attackers can also exploit vulnerabilities in official applications. For example, due to an error in the Facebook application code, the data of 50 million users was leaked.
Application architecture also draws the attention of malefactors. Data storage types, encryption algorithms, network security protocols -- all of this is probed by hackers to harm users.
The main ways to protect against fake applications
Each mobile device user is responsible for its safe use and can reduce the attack surface. It is not necessary to have advanced information security skills for this.
- First of all, it is necessary to remember the main rule: download applications only from official stores. Downloading apps or installation files from other sources is very risky.
- When downloading an app from the official store, you need to check the manufacturer, the app rating, and the number of installs. If in doubt, user comments can provide additional information.
- To install the official mobile application, you can visit the store using the link on the manufacturer’s website. This way you will not need to search for an application by its name, and the risk of installing a fake app will be minimized.
- Another way to verify the legitimacy of the application is to contact its manufacturer and clarify any questions.
- You should avoid applications that are prohibited in your country. If you spot such an app, in 99.9 percent of cases, it is a fake program.
- When you install new apps, it is necessary to check the requested permissions. For example, a calculator does not need access to photos or contacts. In addition, it is essential to revise the previously granted permissions regularly.
- It is always good to delete unused applications. This will not only minimize the security risks but also clear the phone's memory.
- Do not forget about basic cyber hygiene rules. A password must be set on the phone. Your phone must not be left unattended in public places as attackers may try to install applications without your knowledge.
- It is helpful not to connect to unprotected public Wi-Fi networks. They can be monitored by intruders and the data transmitted between the phone and the server can be intercepted or modified.
- Do not forget to update applications and the mobile device's operating system on time.
- Finally, it is recommended not to "jailbreak" or "root" your device.
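The permission check in the list above can be made systematic rather than relying on memory. The following Python script is an added illustration, not code from the article: it parses text in the shape of the `runtime permissions:` section of `adb shell dumpsys package <pkg>` output (the sample below is constructed) and reports every granted permission that falls outside a per-app baseline you define. The baseline here, with a calculator expected to need nothing and a photo app expected to need storage and camera access, is an assumption of this example, not an Android or Google definition.

```python
"""Report Android apps whose granted runtime permissions exceed an expected baseline.

Added example for the "check the requested permissions" advice; not the
article's code. Input is text in the layout of `dumpsys package` runtime
permission lines; the sample and the baseline below are constructed.
"""
import re

# Package header lines look like "Package [com.example.app] (7f3a2b1):".
PACKAGE_RE = re.compile(r"^Package \[([A-Za-z0-9_.]+)\]")
# Runtime permission lines look like
# "    android.permission.CAMERA: granted=true, flags=[ USER_SET ]".
PERM_RE = re.compile(
    r"^\s*([A-Za-z0-9_.]+\.permission\.[A-Z0-9_]+): granted=(true|false)"
)

# Constructed sample output for two packages (not captured from a real device).
SAMPLE_DUMP = """\
Package [com.example.calculator] (constructed):
  runtime permissions:
    android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
    android.permission.CAMERA: granted=false, flags=[ USER_SET ]
Package [com.example.photos] (constructed):
  runtime permissions:
    android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
    android.permission.CAMERA: granted=true, flags=[ USER_SET ]
    android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
"""

# Assumed baseline: what each app plausibly needs to do its job.
EXPECTED_BASELINE = {
    "com.example.calculator": set(),
    "com.example.photos": {
        "android.permission.READ_EXTERNAL_STORAGE",
        "android.permission.CAMERA",
    },
}


def parse_runtime_permissions(dump: str) -> dict:
    """Return {package: set of granted permission names} from dumpsys-style text.

    Denied permissions (granted=false) are ignored; a package with no
    permission lines still appears with an empty set.
    """
    granted = {}
    current = None
    for line in dump.splitlines():
        header = PACKAGE_RE.match(line)
        if header:
            current = header.group(1)
            granted.setdefault(current, set())
            continue
        perm = PERM_RE.match(line)
        if perm and current is not None and perm.group(2) == "true":
            granted[current].add(perm.group(1))
    return granted


def find_excess_permissions(granted: dict, expected: dict) -> dict:
    """Return {package: sorted list of granted permissions not in its baseline}.

    A package absent from the baseline is treated as expecting nothing, so
    all of its grants are reported (a conservative default chosen here).
    """
    excess = {}
    for pkg, perms in granted.items():
        extra = perms - expected.get(pkg, set())
        if extra:
            excess[pkg] = sorted(extra)
    return excess


if __name__ == "__main__":
    report = find_excess_permissions(
        parse_runtime_permissions(SAMPLE_DUMP), EXPECTED_BASELINE
    )
    for pkg, perms in report.items():
        print(f"{pkg}: unexpected grants -> {', '.join(perms)}")
```

On a real device the same functions would be fed the output of `adb shell dumpsys package <pkg>` for each installed package; the script only flags deviations from the baseline you wrote down, so its value depends on keeping that baseline honest about what each app actually needs.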
Recommendations for app developers
- One of the first steps is to implement an information security management system. This allows you to apply best practices to protect the development environment and corporate network, reduce the likelihood of application source code being leaked through various communication channels, etc.
- Another step should be to implement DevSecOps principles. This will minimize the number of errors and vulnerabilities at the design and development stages.
- Application developers should be continually educated and follow cyber threat trends and security best practices like the Zero Trust concept.
- Before publishing an application in stores, it is recommended to conduct an independent security analysis.
Apps have become a firm and lasting part of our lives. This applies not only to mobile programs but also to applications for smart TVs and other gadgets. Fraud associated with such software will keep developing and take new directions. The fight against this type of crime must be conducted by all actors: developers, owners of app stores and, of course, the users themselves.
Alex Vakulov is a cybersecurity researcher with over 20 years of experience in malware analysis. Alex has strong malware removal skills. He is writing for numerous tech-related publications sharing his security experience.