Written by Venkat Krishnapur
In today’s mobile-first world, there is a dedicated app for everything, be it tracking your heartbeat, ordering food, or dating. The solution to most of today’s problems is “there’s an app for that”. Steadily, we are moving towards a culture of complete dependence on our smartphones. Statistics report that the average person has between 60 and 90 apps installed on their phone. In all of this, what goes unnoticed are the dangers that hide behind a seemingly innocent-looking app.
Fake it till you make it
In 2018, bogus Android apps of top banks were reportedly used by perpetrators to collect sensitive data such as credit card account numbers, card expiration dates and CVVs through fake application forms. Out there is an entire criminal ecosystem that thrives on fake apps. These counterfeit apps, lurking on both the Android and iOS operating systems, impersonate the look and/or functionality of legitimate applications to dupe unsuspecting users into installing them, with the objective of harvesting credentials or sensitive data, or installing malware.
Fake apps are essentially carriers of viruses or miners of information in disguise. Without the user’s knowledge, an innocent-looking gaming application could be accessing contacts or tracking location in the background. Once installed, these apps perform a variety of illegitimate actions. Some are built to aggressively display advertisements to rake in ad revenue; others are designed to harvest credentials, intercept sensitive data or divert revenue.
Earlier this year, the bogus application ‘Update WhatsApp’, which looked identical to the official WhatsApp, flooded users with adverts and reportedly had over one million downloads before being taken off the app store. In another instance, fake Fortnite Android apps were notoriously distributed and downloaded months before the original app was even launched. The sad reality remains that more than half of users fail to distinguish between real apps and fake ones. According to the McAfee Mobile Threat Report 2019, almost 65,000 new fake apps were detected in December 2018 alone, over six times the number reported in June 2018.
Criminals use distinct strategies to build and deploy fake apps. These are either hosted on third-party app stores or circulated through social engineering campaigns. While the Apple App Store and Google Play are the two largest official app stores, alongside these native ones are bogus third-party app stores that host popular apps at cheaper prices, as well as apps that can infect devices with malicious code such as ransomware and adware.
Occasionally, even official app stores are used to distribute fake apps, despite the security measures they implement. Using an official app store is ideal for fraudsters, as they do not have to invest in distribution of these apps and can function under the cover of legitimacy.
Banking on Trojans
As people embrace the convenience of mobile banking, the theft of financial credentials from mobile devices is sharply on the rise. Named after the Trojan horse of Greek legend are the modern-day banking trojans.
A trojan disguises itself as a genuine app or piece of software which, once installed, positions itself to access banking details. After it has the login information it needs, it can relay the details back to its developers and grant them access to the bank account.
As these are a major source of revenue for cybercriminals, banking trojans continue to evolve and adapt to bypass security measures inside and outside official app stores.
Keep your guard up
Consumers must consciously avoid installing from third-party app stores and, even when downloading from official stores, be alert to signs of deception such as spelling errors in the description, a lack of user reviews, and a sloppy user interface and design. As an added layer of security, install a mobile anti-malware application that can detect malicious apps. When granting access to apps, ensure each app has only the permissions it absolutely needs to function, and turn off all permissions it shouldn’t need. While app stores struggle to identify and eliminate phony apps, vigilance on the part of users will be the key line of defence.
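As an added example of the permission check above (not code from the article or from McAfee), the script below parses a constructed excerpt in the style of `adb shell dumpsys package` output for a hypothetical game package and flags sensitive permissions that go beyond an assumed baseline for a simple game. The package name, the excerpt and the baseline are all constructed for illustration.

```python
import re

# Constructed excerpt in the style of `adb shell dumpsys package <pkg>` output.
# Assumption: abbreviated to the two sections this check needs.
DUMPSYS_EXCERPT = """
Package [com.example.freegame] (a1b2c3):
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_CONTACTS
      android.permission.ACCESS_FINE_LOCATION
      android.permission.RECEIVE_SMS
      android.permission.VIBRATE
    runtime permissions:
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
      android.permission.RECEIVE_SMS: granted=false, flags=[ USER_SET ]
"""

# Assumed baseline: what a simple game plausibly needs to function.
GAME_BASELINE = {"android.permission.INTERNET", "android.permission.VIBRATE"}

# Runtime permissions that expose personal data or help with account takeover.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.RECEIVE_SMS": "incoming SMS (e.g. bank one-time codes)",
}

# Matches a bare requested permission, or a runtime line with its granted state.
PERM_RE = re.compile(
    r"^\s*(android\.permission\.[A-Z_]+)(?::\s*granted=(true|false))?", re.M
)

def parse_permissions(dump):
    """Return (requested, granted) sets of permission names from the dump."""
    requested, granted = set(), set()
    for name, state in PERM_RE.findall(dump):
        if state == "":        # line from the 'requested permissions' section
            requested.add(name)
        elif state == "true":  # line from the 'runtime permissions' section
            granted.add(name)
    return requested, granted

def audit(dump, baseline):
    """Map each sensitive permission outside the baseline to whether it is granted."""
    requested, granted = parse_permissions(dump)
    excess = requested - baseline
    return {p: (p in granted) for p in sorted(excess) if p in SENSITIVE}

if __name__ == "__main__":
    for perm, is_granted in audit(DUMPSYS_EXCERPT, GAME_BASELINE).items():
        status = "GRANTED" if is_granted else "requested, not granted"
        print(f"{perm} ({SENSITIVE[perm]}): {status}")
```

A game that holds contacts and precise-location access, and asks for SMS access, is exactly the pattern the article warns about; those toggles are the ones to revoke in the phone’s permission settings.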
End users are not the only victims of bogus applications. Organisations can also suffer substantial financial and reputational damage when their mobile applications are cloned and their brands become associated with fraud. A common strategy is building a fake app for a popular brand that doesn’t have one of its own. Organisations must monitor official app stores and report any misuse of their brands.
Imitation being the best form of flattery, fake apps have only grown more sophisticated over the years. In a world where fakes continue to feign legitimacy, if you’re fortunate, a fake app may only damage your phone; if you aren’t, it could potentially derail your life.
Venkat Krishnapur is the vice-president of engineering and managing director, McAfee India.