There are almost 6.6 billion smartphone users in the world, about 83 percent of the Earth's population. The mobile revolution means the phone is no longer primarily a device for making calls; it has become a tool for entertainment, study, business and much more.
All of this is made possible by mobile applications distributed through official stores such as Apple's App Store and Google Play, as well as through unofficial stores.
The popularity of mobile applications grows every year. More than 218 billion downloads were made in 2020, and downloads are predicted to exceed 285 billion by the end of 2022.
The number of apps in the stores is also huge: roughly 100,000 new apps for Google Play and 35,000 for the App Store are released every month.
Naturally, technology used on such a massive scale attracts criminals. Their target is the data stored on phones, which may be personal (photos, documents, bank card details) or work-related, and a leak of it can be extremely unpleasant for its owner.
Attackers no longer need elaborate social engineering campaigns or exotic techniques to steal information. It is enough to create a fake application that imitates a real one and performs malicious actions behind a familiar facade; the user still has to be persuaded to install it, but a recognizable name and icon do most of that work. Such programs do more than steal data: there are also covert cryptocurrency miners, ad-fraud apps, tracking apps and so on.
Apart from outright fakes, there is another way to trick users. Fraudsters publish an application that looks and works like a legitimate one but silently collects the information they want and sends it to their servers.
Google Play and App Store engineers are, of course, not standing by. They actively fight such programs: every application is reviewed, manually and automatically, before publication and periodically afterwards. But that is not enough to keep all rogue apps out.
The main ways of creating fake applications
Imitation of popular programs
The more popular an app, the more fake versions of it will appear. This method relies on human psychology: many people want to follow trends and have the most popular apps on their phones.
Fraudsters create clones of popular programs with additional "side" functions, such as intercepting typed text and bank card data, taking screenshots, and so on. Visually, such applications are indistinguishable from legitimate ones: they have the same icons and names, and even the developer's name may look like the real one. What cannot be copied is the developer's private signing key, so a clone always ships with a different signature, which is what the stores' checks and a published certificate fingerprint actually rely on.
Even an app store can be faked: a few years ago, a counterfeit copy of the Google Play store itself was discovered.
Attackers are not limited to hugely popular apps like WhatsApp. They follow trends and news. As cryptocurrencies grew in popularity, apps claiming to be well-known cryptocurrency exchanges appeared. When COVID-19 arrived, fake "disease-fighting" apps were not slow to follow. Major cultural or political events, upcoming or ongoing, are likewise triggers for new fake programs.
Imitation of prohibited applications
It is no secret that in many countries specific applications are prohibited for political, religious, ethical or other reasons. Facebook is blocked in Russia, and TikTok is blocked in India. Fraudsters fake a banned app and publish it with a similar name and an assurance that it works just like the original. After TikTok was banned in India, a "TikTok Pro" app appeared very quickly; it came from a different developer and did something entirely different from what it promised.
Attackers rely on psychology: many users want what is known all over the world and are ready to install it from any source without a thought for security.
Applications can be installed not only from the official store but from any website: download an installation package and open it. On Android this means enabling installation from unknown sources and installing an APK file. On iOS it is harder, since the system normally runs only App Store apps; sideloading requires a developer or enterprise provisioning profile, TestFlight, or a jailbroken device, and abused enterprise certificates have been used to distribute malicious apps this way. Here attackers have plenty of room for action: app stores regularly check the apps added to them, but website owners do not.
Demand for "unofficial" downloads is driven by several factors: store bans on certain categories (casino, pornography and the like), marketing stunts ("our application is ready but has not yet passed all the store's formalities; be the first to try it and win prizes"), and others.
Hackers can also compromise legitimate sites to replace safe installation packages with malicious ones, or create fake copies of legitimate sites and host dangerous programs there.
Threats from legitimate applications
Legitimate applications with illegitimate activity
Another way to trick users is to publish a genuinely useful app that only starts its unwanted activity after some time, typically through an update. A widely installed Android barcode scanner is a good example: it was positioned as a convenient tool for scanning barcodes and then, after an update, suddenly began showing ads constantly.
Data breaches involving mobile devices do not always require installing a rogue program; attackers can also exploit vulnerabilities in official applications. A bug in Facebook's own code, for example, exposed the data of about 50 million users.
The architecture of an application also gets criminals' attention. How data is stored on the device, which encryption algorithms are used and how, and how the network connection is protected are all potential weak points: credentials kept in plain text in local storage, home-grown or misused cryptography, and TLS certificate validation that is disabled or never checks the server's identity are typical examples hackers exploit to harm users.
Top ways to protect yourself from fake apps
Every user of a mobile device is responsible for using it safely and can reduce the attack surface. No advanced information security skills are needed for this.
- Remember the main rule: download applications only from official stores, and on Android keep installation from unknown sources disabled. Downloading installation files from other sources is very dangerous.
- When downloading from an official store, check the developer's name (exactly, not just approximately), the app's rating, the number of installs and how long it has been published. User reviews add context, but bear in mind that ratings and reviews can be bought, so a high score alone proves nothing.
- To install the official mobile application, follow the link to the store from the manufacturer's website. This way you do not need to search for the app by name, and the risk of picking a fake is minimized.
- Another way to verify an app's legitimacy is to contact its manufacturer and ask.
- Avoid apps that are banned in your country. If one shows up in a store, treat it as a fake.
- When installing new applications, check the permissions they request. A calculator does not need access to photos or contacts, and nothing but a messaging app needs to read your SMS. It is also essential to review previously granted permissions regularly.
- Delete unused apps. This not only reduces security risk but also frees the phone's storage.
- Do not forget basic cyber hygiene. Set a screen lock (PIN, password or biometrics), and do not leave the phone unattended in public places, since an attacker with physical access can install apps without your knowledge.
- Avoid unsecured public Wi-Fi networks. An intruder on the same network can intercept or modify data passing between the phone and the server, particularly when an app does not validate TLS properly.
- Update the applications and the operating system of the device promptly.
- Finally, do not jailbreak or root your device: doing so disables platform protections such as the app sandbox and signature checks that keep apps isolated from each other and block unsigned code.
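As an added example that is not part of the original article, the Python script below automates two of the checks described above: it compares an app's package name against a list of genuine ones to catch lookalike clones of popular apps (the "com.whatsapp.pro" pattern), and it flags dangerous permissions that the app's stated purpose does not justify (the calculator that wants your contacts). It assumes the APK's AndroidManifest.xml has already been decoded to plain XML (for instance with apktool), since a real APK stores it in binary form; the list of known package names, the per-category permission baseline and both sample manifests are constructed for illustration, not taken from any real app.

```python
"""Triage a decoded AndroidManifest.xml for two warning signs of a fake app:
a package name that imitates a well-known one, and dangerous permissions
that the app's stated purpose does not justify.

Added example, not code from the original article. Assumes the manifest has
already been decoded to plain XML (e.g. with apktool); real APKs store it in
Android's binary XML format.
"""
import difflib
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Runtime ("dangerous") permissions that expose user data. Subset of the real list.
DANGEROUS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
}

# Assumed baseline: which dangerous permissions each app category plausibly needs.
EXPECTED = {
    "calculator": set(),
    "messenger": {
        "android.permission.READ_CONTACTS",
        "android.permission.CAMERA",
        "android.permission.RECORD_AUDIO",
    },
}

# Illustrative allow-list of genuine package names; a real tool would use a curated feed.
KNOWN_PACKAGES = ["com.whatsapp", "com.instagram.android", "com.zhiliaoapp.musically"]


def parse_manifest(xml_text):
    """Return (package name, set of requested permissions) from decoded manifest XML."""
    root = ET.fromstring(xml_text)
    perms = {
        e.get(ANDROID_NS + "name")
        for e in root.iter("uses-permission")
        if e.get(ANDROID_NS + "name")
    }
    return root.get("package"), perms


def lookalike_of(package, known=KNOWN_PACKAGES, cutoff=0.8):
    """Return the genuine package this name imitates, or None.

    An exact match is not a lookalike (its signature should still be verified);
    a name that extends a known one ('com.whatsapp.pro') or is merely close to
    it ('com.whatsap') is.
    """
    if package in known:
        return None
    best, best_ratio = None, 0.0
    for real in known:
        if package.startswith(real + "."):
            return real
        ratio = difflib.SequenceMatcher(None, package, real).ratio()
        if ratio > best_ratio:
            best, best_ratio = real, ratio
    return best if best_ratio >= cutoff else None


def excess_permissions(perms, category):
    """Dangerous permissions requested beyond what the category is expected to need."""
    return (perms & DANGEROUS) - EXPECTED.get(category, set())


def triage(xml_text, category):
    """Run both checks on a decoded manifest and return one report."""
    package, perms = parse_manifest(xml_text)
    return {
        "package": package,
        "lookalike_of": lookalike_of(package),
        "excess_permissions": excess_permissions(perms, category),
    }


# Constructed sample manifests (not real apps).
CALCULATOR_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.calculator">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
</manifest>"""

CLONE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.whatsapp.pro">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
</manifest>"""

if __name__ == "__main__":
    print("calculator:", triage(CALCULATOR_MANIFEST, "calculator"))
    print("clone:", triage(CLONE_MANIFEST, "messenger"))
```

Run as-is, the script reports the calculator for requesting READ_CONTACTS and READ_SMS it has no use for, and reports the clone both as a lookalike of com.whatsapp and for the SMS permissions a messenger does not need (reading incoming SMS is how one-time passcodes get stolen). The package-name check deliberately treats an exact match as clean; a clone can reuse the genuine package name outside the official store, so the decisive test there is the APK's signing certificate, not the name.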
Recommendations for application developers
- One of the first steps is to implement an information security management system. It brings best practices for protecting the development environment and the corporate network and reduces the likelihood that application source code or signing keys leak through uncontrolled channels.
- The next step is to apply DevSecOps principles, which minimize the number of errors and vulnerabilities introduced in the design and development stages.
- App developers must keep educating themselves and follow cyber threat trends and security best practices, such as the Zero Trust concept.
- Before publishing an application to the stores, have an independent security analysis conducted, for example a penetration test against the OWASP Mobile Application Security Verification Standard (MASVS).
Applications are here to stay, and not only mobile ones: apps for smart TVs and other devices are part of the same picture. Fraud involving such software will keep evolving and take new directions. Fighting this type of crime is a job for all actors: developers, app store owners and, of course, users themselves.
Image credit: Morrowind / Shutterstock
Alex Vakulov is a cybersecurity researcher with over 20 years of experience in malware analysis and strong malware removal skills. He writes for numerous tech publications, sharing his security experience.