The year 2017 has been marked by a growing number of stories about fake mobile applications. There is no reason to believe that this trend will reverse in 2018. Just a few days into the new year, Google removed 36 fake Android security apps from the Google Play Store.
Since fake apps are a major cybersecurity threat, we take some time to explain what fake apps are, how they are distributed and how brands can protect themselves from the negative impact of fake applications.
What are fake apps?
Fake mobile apps are Android or iOS applications that mimic the look and/or functionality of legitimate applications to trick unsuspecting users into installing them. Once downloaded and installed, the applications perform a variety of malicious actions. Some fake applications are built to aggressively display advertisements to rake in ad revenue, while others are designed to harvest credentials, intercept sensitive data, divert revenue or infect devices. In one reported case, an application masquerading as a game used the computing power of the devices on which it was installed to mine a cryptocurrency.
Fake apps received a lot of attention in the days leading up to Black Friday. Security researchers at RiskIQ found that 1 in 25 Black Friday apps were fake. The fraudulent applications leveraged the popularity of top e-commerce brands to harvest credit card information and personal details.
Another case that gained notoriety in 2017 was the fake WhatsApp application, ‘Update WhatsApp’. The bogus application looked identical to the official WhatsApp app but flooded the user with adverts. It was downloaded more than a million times before it was removed from the Google Play Store.
Building or cloning
Depending on their goals, cybercriminals use different strategies for building and deploying fake applications. A much-used strategy is to build a fake application for a popular brand that doesn’t have an application of its own. A case in point is the fake MyEtherWallet.com app that managed to rise to the third spot in the Finance category of the App Store.
Another, more disconcerting strategy consists of cloning existing applications and adding malicious code. Unprotected mobile applications can be reverse engineered in just minutes. Once an attacker has access to the source code of an application, they can tamper with it and repackage it. The cloned application looks exactly like the original one and has the same functionality, but also performs malicious activities. A good example is the clone of the Facebook Lite application that was discovered in March. The application was designed to infect devices with malware.
How are fake apps distributed?
Fake apps can be distributed in various ways. They are hosted on third-party app stores or circulated through social engineering campaigns. Even official app stores are used to distribute fake apps despite the security measures they have implemented. In October 2017, The Economist reported that half of the 50 top-selling apps in Google Play had fakes. Using an official app store is very effective for cybercriminals: they do not have to invest in the distribution of the applications and can operate under the cover of legitimacy.
The BankBot case is a good illustration of the vulnerability of official app stores. BankBot is the name of a family of banking trojans targeting the applications of major financial institutions such as Wells Fargo and Citibank. The trojan is designed to steal user login details. Google removed various infected applications from the Play Store after the trojan was discovered in December 2016. But the malware made it back into the store. In September 2017, researchers found it hiding in a game. In November 2017, it was discovered in applications posing as trustworthy flashlight apps. It was also found piggybacking on a smartphone cleaning app.
Protecting brands in a mobile-first world
Downloading a fake application can have severe consequences for the end-user. For that reason, end-users should avoid downloading from third-party app stores and be alert to telltale signs of fraud (spelling mistakes in the description, a lack of user reviews, sloppy interface design, etc.) when downloading from an official store. But end-users are not the only victims of fake applications. Organizations can suffer substantial financial and reputational damage when their mobile applications are cloned and their brands associated with fraud.
To protect their brand, organizations can take the following measures.
- Provide legitimate mobile applications. In a mobile-first world, users will look for mobile applications associated with their favorite brands. Giving users easy access to legitimate applications through official app stores reduces the risk of them downloading fake applications.
- Regularly check the Google Play Store and the App Store. Organizations can monitor the official app stores and report any abuse of their brands to reduce the negative impact of fake apps.
- Protect Android and iOS applications. Code hardening and runtime application self-protection (RASP) effectively prevent mobile applications from being cloned and tampered with.
Guardsquare will be at the Fintech Summit in Dubai taking place on 30th October 2018.