Official app stores don't carry fake apps, right? Fake apps only turn up in third party stores, right?
Let's take a look at a press release by McAfee. It reported that about 65,000 new fake apps were found in December 2018, spread across various app stores. That is more than six times the number reported in June 2018. In January 2019 alone, Google removed 36 fake security apps from the Google Play Store.
Here’s a list of all the apps removed and the indicators of compromise associated with them.
Fake apps can give attackers almost complete access to your phone. Detecting the threat accurately and acting on it quickly is how advanced attacks on phones and tablets get stopped.
What Exactly are Fake Apps?
Fake apps are apps that don't perform the service they advertise. They use names that sound legitimate so people are fooled into downloading them.
Some advertise services that aren't available anywhere else (such as remote spying abilities) so users feel compelled to install them.
Once installed on your device, they can do a lot of harm: push ads onto your screen, track your location, install further malware, or use your account to subscribe you to paid services without your consent.
This puts your data, privacy, device and other resources at risk. To attract as many users as possible, cyber criminals make their fake apps as appealing as they can, which is why some come with unrealistic claims such as the ability to hack into someone's Facebook or Instagram account.
Many cyber criminals target Google Play because of its distribution model. Anyone can register a developer account, so the store is an attractive place to push malicious apps.
To wreak havoc on people's devices, a cybercriminal registers as a developer, downloads a legitimate app, injects malicious code into it, signs the result with their own key, and re-uploads it to the Play Store under a new package name (Google Play won't accept a package name that already belongs to another developer). Simple as that. No need to develop anything new or creative. The one thing the attacker can never reproduce is the original developer's signing certificate, which is why checking the signer is the most reliable way to tell a genuine build from a repackaged one.
And that is the Google Play Store, which is supposed to be secure. Now imagine third party stores, which are rife with malicious and pirated apps.
As an example, let’s look at the case of a fake app.
In November 2017, a new variant of the BankBot Trojan was discovered in the Google Play Store, hiding in solitaire and flashlight apps.
Once a user installed it, it looked for banking apps on the device and drew fake overlays on top of the real banking apps, capturing the bank usernames and passwords users typed into them.
The malware targeted big names such as Wells Fargo, Citibank, HSBC, Chase, ING and many others. These apps take strict security measures of their own, but the lure of targeting millions of people outweighed the fear of getting caught.
Cybercriminals are able to target users because many people don't realize fake apps exist. According to a recent survey by Avast, more than 50% of users cannot tell whether an app is fake.
In 2017, ABC News helped run an experiment designed to show that people don't realize some apps can be fake.
Planned by cybersecurity expert James Lyne, the experiment gave five participants Android phones and asked them to use them normally. Each phone already had a malicious app called Lovely Wallpaper installed. Through that app, Lyne took control of the phones without any of the participants noticing.
Lyne could remotely read their text conversations. He could activate the phone's camera and take a photo of the participant without them noticing. He could also track their location at all times.
During the experiment, every participant logged into at least one social media account, and Lyne was able to capture all of those usernames and passwords.
The experiment showed that simply by installing a fake app, you hand its permissions to an attacker, who can then see everything you do on your phone.
As the experiment makes clear, a strong password isn't enough to protect your device. You need to be very careful about what you install.
Have you heard of Agent Smith?
If you've watched The Matrix, you know him as Neo's antagonist. In the cyber world, it's the name of a malware campaign built to infect mobile devices. It is distributed through innocent-looking apps such as photo editors and games.
While it spread mainly through third party stores, traces of it were found on the Google Play Store as well.
It makes a note of the legitimate apps a user has on their phone and then silently replaces them with lookalike versions under its control, which it uses to show ads and make money for the attacker.
That doesn't sound dangerous, but it is just the beginning: researchers believe the same replacement mechanism could be turned to stealing the user's banking and financial information.
How do Hackers Typically Steal Our Mobile Data?
Hackers generally trick people into downloading and installing malicious or repackaged apps that give the attacker control over the phone.
These apps can either send data directly to the attacker or open the way for them to sniff network traffic and carry out man-in-the-middle (MITM) attacks.
Physical access to the device makes all of this easier. If a user never installs the malicious app, the attacker's plan fails, so some fraudsters try to get hold of the phone itself and install the malware directly.
To keep your device protected, you need two things: a strong passcode and on-device encryption. Many people still protect their phones with nothing more than a 4-digit PIN.
Even if you use face or fingerprint unlock, what is the fallback method? Is it a 4-digit PIN? A 4-digit, digits-only PIN has just 10,000 possible values. The lockout delays modern phones impose after a few wrong guesses slow an attacker down, but they don't turn a weak PIN into a strong one, and a PIN is easily shoulder-surfed or guessed from common patterns. A longer alphanumeric passcode is the better choice.
As for device encryption, iOS devices are encrypted by default. Android devices that shipped with Android 6.0 or later also encrypt by default, but on older devices you have to enable it yourself in the security settings.
If you have a strong passcode and an encrypted phone, does that mean you are completely protected? If not, what other methods do hackers have to gain control of devices?
Two common ones are exploiting vulnerabilities in the operating system or its apps, and luring you onto a compromised Wi-Fi network.
For example, in 2015 a vulnerability was discovered in Google Chrome on Android that was reported to be usable to compromise any handset it was exploited on.
Categories of Fake and Potentially Harmful Apps
There are two main categories of fake apps.
The first is the imitator: an app with a name and feature set similar to a genuine app's. The second is the imposter: an app with the same name, version number and icon as the genuine app. Imposters are often produced by repackaging the genuine app's APK file.
Both pose a risk to the user's phone and damage the reputation of the original developers. They are most often found on third party stores, downloaded by people who mistake them for the real thing.
Producing a fake app costs far less than developing a genuine one, which is why so many are drawn to this unethical path.
Fake apps perform functions that make them harmful to your device. Google's categories of potentially harmful apps are:
Backdoor: An app that lets an attacker remotely access your device and carry out operations without your knowledge, such as deleting or installing other apps.
Billing fraud: An app that inflates your mobile phone bill by sending premium SMS messages, calling premium numbers, or buying content charged to your phone bill or airtime.
Commercial spyware: An app that sends your phone activity to third parties without your consent; such apps can read your text messages and listen in on your calls.
Denial of service: Your phone becomes part of a DDoS attack without your knowledge. In a DDoS attack, many devices flood a remote server with requests to overload it and take it offline.
Hostile downloaders: These apps carry no malicious payload of their own but download other harmful apps onto your device, without the user's knowledge or consent.
Non-Android threat: Apps that carry malware aimed at other operating systems. They are harmless to the Android phone itself but can infect your other devices.
Phishing: An app that pretends to come from a trustworthy source and sends the credentials you enter, such as banking usernames and passwords, to third parties.
Privilege escalation: Apps that gain more privileges than the Android system allows, breaking out of the app sandbox; from there they can also steal data belonging to other apps.
Ransomware: Apps that encrypt the data on your device and demand payment to decrypt it. Your photos, videos and other files stay locked until you pay, typically in cryptocurrency.
Rooting: There are legitimate rooting apps on Android; a harmful one is one that roots the device without asking for the user's consent.
Spam: An app that sends unsolicited messages or emails to the people in your contact list.
Spyware: Apps that send user data to third parties, including text messages, call recordings, call logs, contact lists, emails, photos and more.
Trojan: An app that looks like a regular app but also performs hidden activities. For example, what looks like an ordinary game may also be stealing your data and sending it off in the background.
Uncommon: Apps that are potentially harmful but fall outside all of the above categories; Google files these as uncommon.
When Google Play detects one of these categories, it shows the user an appropriate warning. But Google's security isn't 100% foolproof; there are several gaps in the Play Store's defenses.
Apps Pair Up to Steal Your Data
It's like plotting a heist with someone else. Instead of breaking into a bank single-handedly, you team up with someone who has the same intentions.
Similarly, apps can pair up to steal your data. When a single app both collects data and sends it to a third party, the store's review can catch it. But when one app collects the data and a second, seemingly unrelated app passes it on, it becomes very hard to spot. It's a perfect crime.
A research paper from the Department of Computer Science at Southern Illinois University and the Department of Computer Science at Virginia Tech found thousands of app pairs that leaked data between them.
The researchers built a system that models how apps on the same phone exchange information with each other. The system, called DIALDroid, checks whether any sensitive information is passed from one app to another.
Most of these app-to-app leaks are not deliberate collusion, and they are difficult to detect when they happen. But since information can flow from one app to another, it's important to find such flows and stop them from being abused.
According to the study, the phone's location is the most commonly leaked piece of information. DIALDroid analyzes pairs of apps together to see how they would interact and whether they could team up to leak user information.
Security Gaps Created by Play Store Defections
In 2018, game maker Epic offered its game Fortnite outside the Google Play Store, to avoid the 30% cut it would have had to pay Google.
On iOS it had no such option and had to offer the game through the App Store. Since Android is a more open platform, Epic bypassed the Play Store and distributed the game directly from its website, which meant players had to allow installs from unknown sources on their phones.
Bypassing the Play Store might save game developers money, but it changes the habits of users who have learned to install only from the official store. If other companies follow Epic, users may start turning to third party sources more than ever.
As expected, security experts did not like Epic's move, but more studios may well follow to save money. And once users go looking for apps from other sources, attackers have an open field to meddle with users' phones.
Other app stores don't have the resources to verify an app's provenance. Google employs several techniques to check that an app is genuine, and even Google isn't infallible, as malicious apps regularly make their way onto the Play Store.
Google has Play Protect, which scans apps on the Play Store before they are downloaded and also warns you if it finds a potentially harmful app already on your device.
And yet malicious apps find ways to slip in and get downloaded by huge numbers of people before Google notices. In 2017, a fake WhatsApp app was discovered on the Play Store after it had already been downloaded more than a million times.
While the Google Play Store is safer than third party stores, it is not 100% secure. Users need to be careful when installing apps, even from the official store.
The Game You Enjoy Might Be Stealing Your Data
According to a study by the Ponemon Institute, about 84% of security experts are most concerned about mobile malware. There are plenty of infected gaming apps across Android app stores.
For example, in 2016 the hugely popular game Pokemon Go was targeted by malware makers: a version infected with the DroidJack remote access trojan circulated on third party app stores.
And that's not all: an app called Guide for Pokemon Go, downloaded by more than 500,000 users, was infected with malware that rooted the phone, allowing attackers to control it remotely.
Plenty of fake games from shady developers ask for permissions well outside the scope of a game. Did you verify the genuineness of the game you last downloaded? It could easily be infected.
Actions taken by Google and Microsoft
Microsoft Store and Google Play have both removed a number of apps from their stores recently.
Google removed a batch of beauty camera apps that posed as photo editing and beautifying tools but actually pushed pornographic content, and in some cases redirected users to phishing websites.
Microsoft Store got rid of cryptojacking apps, including ones named Clean Master and FastTube, which ran cryptomining scripts once installed and ate up device resources.
iOS is considered the safest platform, but infected apps still find their way past Apple's reviewers.
In 2015, Apple removed 300 malicious apps from its App Store. All the major stores remove malicious apps as soon as they are discovered; the problem is that by then the apps have often already infected millions of devices.
How can you stay safe from such fake apps that pose as something else but secretly infect your device or steal your data?
Fake apps can do a lot of harm to any device: send data to a remote third party, or use the device to take part in a DDoS attack on a server.
As an end user, avoid downloading apps from third party stores. Stick to the official store for your platform. There are fake apps in the official stores too, but they are still far safer than third party stores, which are practically loaded with fakes.
Even when you download from an official store, check the app's credentials. Read the description and watch for spelling mistakes; check that the developer name matches the company you expect; don't install apps with no user reviews or a tiny install count; and look at the permissions it asks for, since a game or a flashlight has no business reading your SMS. Take the interface design into account too: if it's sloppy, it may well be a fake.
Keep your device encrypted too, but understand what that buys you: encryption protects the data on a lost or stolen phone while it is locked; it does not stop an app you have installed from reading whatever its permissions allow. Likewise, a VPN protects your traffic from a MITM attacker on an untrusted network, but it does nothing against a malicious app already on the phone.
Keep in mind that end users aren't the only ones who suffer from fake apps. When a fake app does damage, the developers of the real app take a reputational hit as well, and as the news spreads, people start avoiding the genuine app too.
If you're an entrepreneur trying to protect the reputation of your brand, here are some steps you can take.
Offer apps through the official app stores: Bypassing the official store may save you some money, but it sends users looking elsewhere, where they may pick up fakes, and that can ruin your reputation.
Watch out for fake apps: Check the App Store and Google Play regularly for imitators or imposters of your apps, and report any you find to the platform.
Use RASP and code hardening: Runtime Application Self-Protection (RASP) detects and blocks attacks on an app at runtime. With it, the app monitors its own environment and integrity (for example whether it is being debugged, running on a rooted device, or has been repackaged and re-signed) so that an attack is quickly detected. Code hardening (obfuscation and anti-tamper checks) makes the app harder to decompile and repackage in the first place.
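As an added example (not code from the original article or from any vendor it mentions), here is a small Python triage script for the brand-protection sweep described above. It applies the imitator/imposter distinction from the earlier section: a listing with the genuine package name but a different signing certificate is a repackaged imposter; a listing whose name folds to the genuine name after homoglyph normalization is an imposter; a listing whose name or package is merely similar is an imitator. The app names, package names and certificate fingerprints are constructed test data. In a real sweep the genuine fingerprint comes from `apksigner verify --print-certs` on your own APK, the listings come from the store's search results, and the confusables table would be the full Unicode list rather than the hand-picked one here.

```python
"""Lookalike / repackaged-app triage for a brand-protection sweep.

Added example, not part of the original article. All listings, package
names and signer fingerprints below are constructed test data.
"""
import difflib
import unicodedata

# Homoglyphs commonly used to dress a fake name up as the real one.
# Assumption: a small hand-picked table is enough for triage; a production
# sweep would use the Unicode confusables list instead.
_CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j",
    "0": "o", "1": "l", "3": "e", "5": "s", "|": "l",
})


def normalize(name):
    """Fold case, strip accents, map confusables, keep only alphanumerics.

    Deliberately lossy (digits become letters, 'rn' becomes 'm'): the goal is
    to make a disguised name collide with the genuine one, not to be exact.
    """
    s = unicodedata.normalize("NFKD", name)
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    s = s.casefold().translate(_CONFUSABLES)
    s = s.replace("rn", "m")  # 'rn' renders like 'm' in many fonts
    return "".join(ch for ch in s if ch.isalnum())


def _fingerprint(fp):
    """Canonical form of a SHA-256 cert fingerprint (strip colons, lowercase)."""
    return fp.replace(":", "").lower()


def classify(genuine, listing, threshold=0.8):
    """Return 'genuine', 'imposter', 'imitator' or 'unrelated'.

    imposter: reuses the genuine package name or (normalized) app name, i.e.
              it is passing itself off as the real app. The genuine package
              name with a different signing certificate means a repackaged,
              re-signed APK: the attacker cannot reproduce the original key.
    imitator: a similar-looking name or package that trades on the brand.
    """
    same_pkg = listing["package"] == genuine["package"]
    same_signer = _fingerprint(listing["signer_sha256"]) == _fingerprint(genuine["signer_sha256"])
    if same_pkg and same_signer:
        return "genuine"
    if same_pkg:
        return "imposter"  # same package, different key: repackaged
    g_name, l_name = normalize(genuine["name"]), normalize(listing["name"])
    if g_name == l_name:
        return "imposter"  # identical name once homoglyphs are folded
    name_score = difflib.SequenceMatcher(None, g_name, l_name).ratio()
    pkg_score = difflib.SequenceMatcher(None, genuine["package"], listing["package"]).ratio()
    contains_brand = len(g_name) >= 4 and g_name in l_name
    if max(name_score, pkg_score) >= threshold or contains_brand:
        return "imitator"
    return "unrelated"


def sweep(genuine, listings, threshold=0.8):
    """Return [(name, package, verdict)] for every listing worth reporting."""
    flagged = []
    for item in listings:
        verdict = classify(genuine, item, threshold)
        if verdict in ("imposter", "imitator"):
            flagged.append((item["name"], item["package"], verdict))
    return flagged


# Constructed: the brand's own listing. The fingerprint is made up; a real
# one comes from `apksigner verify --print-certs your.apk`.
GENUINE = {
    "name": "Acme Bank",
    "package": "com.acmebank.mobile",
    "signer_sha256": "3f" * 32,
}

# Constructed: what a store search for the brand name might return.
LISTINGS = [
    {"name": "Acme Bank", "package": "com.acmebank.mobile", "signer_sha256": "3f" * 32},
    {"name": "Acme Bank", "package": "com.acmebank.mobile", "signer_sha256": "9c" * 32},  # re-signed
    {"name": "Acme B\u0430nk", "package": "com.acme.bank.app", "signer_sha256": "11" * 32},  # Cyrillic a
    {"name": "Acme Bank Pro Guide", "package": "com.guides.acmebank", "signer_sha256": "22" * 32},
    {"name": "Cafe Finder", "package": "com.example.cafefinder", "signer_sha256": "33" * 32},
]

if __name__ == "__main__":
    for name, package, verdict in sweep(GENUINE, LISTINGS):
        print(f"{verdict:9s} {package:28s} {name}")
```

The signer check comes first on purpose: an app name, icon and version number are trivial to copy, but a repackaged APK has to be signed with the attacker's own key, so a package-name match with a fingerprint mismatch is the strongest single indicator of an imposter. The name heuristics are only there to surface listings that don't bother to copy the package name.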
Stay Cautious and Stay Safe
There have been many cases of fake apps this year. In January 2019 alone, 9 fake apps on the Google Play Store accounted for more than 8 million installs between them. Fake apps are certainly one of the top concerns for security experts.
You don't have to fall victim to malicious apps. Keep a lookout for anything that seems fishy, and if you find one, report it to the Play Store or App Store.
Have you ever spotted a fake app? Tell us more in the comment section below.