November 30, 2021

    3 Tips to Spot Fake Retail Apps this Holiday Season

    The 2020 holiday shopping season was unique in a variety of ways, but perhaps most importantly, it illustrated the significant opportunity around m-commerce. In fact, 40% of the 2020 holiday shopping revenue came from mobile devices, an increase of $23 billion over the amount spent via mobile devices during the previous holiday season.

    And though the pandemic may have inspired more online and mobile shopping, this is a trend that won’t be going away anytime soon. It’s estimated that by 2024, global retail m-commerce sales will comprise nearly 70% of total retail e-commerce sales, the equivalent of approximately $4.5 trillion.

    But as is always the case, with great opportunity comes great risk. As you shop via mobile apps, how do you know your personal information will remain secure?

    Fake retail apps are especially problematic because they can capture sensitive personally identifiable information (PII) from shoppers, including names, credit card numbers, and addresses, among others. What’s worse, once malicious actors have access to a user’s mobile phone via a fake app, they can steal photos, passwords, location data, and more.

    Many of these fraudulent apps look a lot like their legitimate counterparts, which may make spotting them challenging to the untrained eye. App developers and publishers should be aware of the proliferation of fake apps to protect both their brands and their customers.

    Here are three tips to help you more effectively spot fake retail apps.

    1. Fake Retail Apps May Contain Suspicious Anomalies

    App copycats are becoming more sophisticated, leaning on automation to do a lot of the leg work. Interestingly, bot attacks accounted for 62% of fraudulent installs. While hackers are getting more clever in deceiving users, anomalies can help identify fakes. For example:

    • Reviews: The reviews in the official app store will either be far fewer than the official app, or will not be as in-depth as a real app store review. For example, a sudden flood of five-star ratings with no reviews or single-line reviews is suspicious.
    • Publisher Info: The app publisher’s name is often slightly different from the official company’s name (e.g. vs. Overstock, Inc.).
    • Publish Date: The publish date may be relatively recent for a fake app, while a real app will have been recently updated (versus just published).
    • Spelling or Grammatical Errors: Some fake apps may contain spelling or grammatical mistakes in the descriptions, which is a dead giveaway.

    2. Fake Apps May Use “Black Friday” in the Title

    Fraudsters know how to target shoppers looking for a deal, and will do anything to get to their wallets. As a result, it’s a good rule of thumb to assume specialty retail apps that promise discounts or use the name “Black Friday” directly in their title may be fake.

    Also worth noting is that an increasing number of fake apps are available outside traditional app stores, frequently distributed through third-party app stores or social engineering attacks. According to a report from RiskIQ, many threat actors are starting to avoid app stores, leading to an increase in blacklisted feral apps - apps that are out on the open web, not on any official or approved stores.

    3. Copycats May be Hiding on Official App Marketplaces

    Though there is an increase in feral apps, it doesn’t mean that app stores are in the clear. Though the official app stores hosted fewer blacklisted apps than they have before, the Google Play Store and Apple App Store still house their fair share of copycats.

    Some malware trojans that steal data within mobile banking or payment apps make their way onto users’ phones through seemingly legitimate flashlight or gaming apps on the major marketplaces. From there, the virus could infect apps that process sensitive payment data and steal this information.

    It’s easier to circumvent app store security than most people realize. Malware-ridden apps may bypass app stores’ security standards by masking suspicious activity through geofencing and other tactics. In fact, not too long ago, 30 million Android users were infected with malware as a result of malicious apps on the Google Play store. And Apple recently reported it rejected or removed more than one million malicious apps in 2020.

    Protect Your Retail Mobile Apps this Holiday Season

    Protecting your customers starts with providing them with legitimate mobile applications distributed via official app stores, since many will be seeking them out during busy retail seasons. Retailers that completely lack an official mobile app risk a situation where fake apps are staking out that unoccupied territory, and are being found by customers looking for that mobile experience. Developers should also regularly check app stores for fake apps, and report any abuses to Google or Apple.

    Finally, developers should provide an additional layer of protection for Android and iOS applications through code hardening and Runtime Application Self-Protection (RASP) to effectively protect mobile applications against cloning and tampering. App protection prevents tampering with applications (including adding malicious functionality and more), repackaging them, and distributing them. This added security can protect consumers from fraud, and preserve the brand’s reputation.


    Did you know the majority of retail apps lack
    basic security protections?

    Read the report >

    Other posts you might be interested in