The widespread usage and integration of mobile devices and applications into all spheres of society has helped establish fake apps among today’s biggest cybersecurity threats. According to the McAfee Mobile Threat Report 2019, nearly 65,000 new fake apps were detected in December of last year alone, over 6 times the amount reported in June 2018. Just days into the year, Google had reportedly already taken down 36 fake Android security apps from the Google Play Store.
The cases reported in 2019 so far, such as the adware fake apps with over 8 million downloads worldwide on Google Play, suggest fake apps will remain a top mobile security concern for the rest of the year. Among the key mobile threats of 2019 are fake apps tricking users into installing malicious apps through baiting tactics such as phishing. The proliferation of adware fake apps and financial trojans (malware) posing as apps is set to amplify with the growing number of bogus versions of popular apps on Google Play, and not only there, as fake iOS apps also gain popularity.
In this blog, we explain what fake apps are, how they are distributed and how brands can better protect themselves against this growing threat.
Fake mobile apps are Android or iOS applications that mimic the look and/or functionality of legitimate applications to trick unsuspecting users to install them. Once downloaded and installed, the applications perform a variety of malicious actions. Some fake applications are built to aggressively display advertisements to rake in ad revenue, other apps are designed to harvest credentials, intercept sensitive data, divert revenue or infect devices. More than half of users cannot distinguish between real and fake apps, according to a recent Avast survey in 2018.
In one case, an application posing as a game used the computing power of the devices on which it was installed to mine a cryptocurrency. In 2017, fake apps received a lot of attention in the days leading up to Black Friday. Security researchers at RiskIQ found that 1 in 25 Black Friday apps were fake. The fraudulent applications leveraged the popularity of top e-commerce brands to harvest credit card information and personal details.
Another case that made headlines in 2017 was the fake WhatsApp application, ‘Update WhatsApp’. The bogus application looked identical to the official WhatsApp, but flooded users with adverts. The fake WhatsApp application reportedly had over 1 million downloads before being taken off Google Play.
And more recently, in 2018, fake Fortnite Android apps were notoriously circulating – and downloaded – months before the original app was even launched in August. With nearly 250 million players around the world, Fortnite is the most popular game in the world, as well as among the most targeted by cybercriminals.
Given the goal, cybercriminals can use different strategies for building and deploying fake applications. A common strategy is that of building a fake app for a popular brand that doesn’t have an application of its own. A case in point is the fake MyEtherWallet.com app that managed to rise to the third spot in the Finance category of the App Store.
Another and more disconcerting strategy consists of cloning existing apps and adding malicious code. Unprotected mobile applications can be reverse engineered in just minutes. Once an attacker has access to the source code of an application, they can tamper with it and repackage it. The cloned application looks exactly like the original and has the same functionality, but also performs malicious activities. A good example of this is the clone of the Facebook Lite application of March 2017, designed to infect devices with malware.
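A repackaged clone can copy an app's package name, label and icon, but it cannot be signed with the brand's private signing key, so the signing certificate is the one attribute a brand-protection check can rely on. The following Python script is an added example, not code from the original post or from any vendor: it triages app-store listings collected by a hypothetical monitoring crawl, flagging a listing with a known package name but a foreign signing certificate as repackaged, and a listing whose name imitates a genuine app (the "Update WhatsApp" pattern) as a lookalike. The catalogue, package names, labels and certificate fingerprints are all constructed placeholders.

```python
"""Triage app-store listings for repackaged clones and lookalike impersonations.

Added example; every listing, package name and fingerprint below is constructed.
"""
from dataclasses import dataclass
from difflib import SequenceMatcher


@dataclass(frozen=True)
class Listing:
    store: str           # where the listing was observed (constructed)
    package: str         # application id, e.g. com.example.bank (constructed)
    label: str           # app name shown to users
    signer_sha256: str   # SHA-256 fingerprint of the APK signing certificate (hex)


# Constructed catalogue of the brand's genuine apps, keyed by package name.
# A brand would record the fingerprint of its own signing certificate here;
# the values are placeholders, not real certificates.
GENUINE = {
    "com.example.bank": ("Example Bank", "1f" * 32),
    "com.example.wallet": ("Example Wallet", "2e" * 32),
}


def _normalize(name: str) -> str:
    """Lower-case and strip non-alphanumerics so 'Example  Bank!' becomes 'examplebank'."""
    return "".join(ch for ch in name.lower() if ch.isalnum())


def classify(listing: Listing, genuine=GENUINE, threshold: float = 0.8) -> str:
    """Return 'genuine', 'repackaged', 'lookalike' or 'unrelated'.

    The signing certificate decides genuineness: a clone can copy the package
    name, label and icon, but cannot sign with the brand's private key.
    """
    entry = genuine.get(listing.package)
    if entry is not None:
        _label, signer = entry
        if listing.signer_sha256.lower() == signer.lower():
            return "genuine"
        # Same package name, different signing key: the APK was re-signed,
        # which is exactly what tamper-and-repackage produces.
        return "repackaged"

    # Unknown package: look for a name that imitates one of the genuine apps,
    # either by containing it ('Update Example Bank') or by close similarity.
    target = _normalize(listing.label)
    for label, _signer in genuine.values():
        known = _normalize(label)
        similar = SequenceMatcher(None, target, known).ratio() >= threshold
        if known in target or similar:
            return "lookalike"
    return "unrelated"


def triage(listings, genuine=GENUINE):
    """Group listings by verdict so everything except 'genuine' can be reviewed."""
    report = {"genuine": [], "repackaged": [], "lookalike": [], "unrelated": []}
    for item in listings:
        report[classify(item, genuine)].append(item)
    return report


# Constructed sample listings, as a brand-monitoring crawl might collect them.
SAMPLE = [
    Listing("google-play", "com.example.bank", "Example Bank", "1f" * 32),
    Listing("third-party", "com.example.bank", "Example Bank", "9c" * 32),
    Listing("google-play", "com.updates.bank", "Update Example Bank", "9c" * 32),
    Listing("google-play", "com.other.weather", "Weather Now", "77" * 32),
]

if __name__ == "__main__":
    for verdict, items in triage(SAMPLE).items():
        for item in items:
            print(f"{verdict:11} {item.store:12} {item.package:24} {item.label}")
```

The fingerprint comparison is the part worth keeping in any real pipeline; the label heuristic only narrows down what a human reviewer looks at, and its threshold should be tuned against the brand's own catalogue.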
Fake apps can be distributed in multiple ways. They are hosted on third-party app stores or circulated through social engineering campaigns. Even official app stores are used to distribute fake apps, despite the security measures they have implemented. In October 2017, The Economist reported that half of the 50 top-selling apps in Google Play are fakes. Using an official app store is ideal for cybercriminals, as they do not have to invest in the distribution of the applications and can operate under the cover of legitimacy.
The BankBot case illustrates well the vulnerability of official app stores. BankBot is the name of a family of banking trojans targeting the applications of major financial institutions such as Wells Fargo and Citibank. The trojan is designed to steal user login details. Google removed various infected applications from the Play Store following the trojan's discovery in December 2016. However, the malware made it back into the store, as researchers found it hiding in a game in September 2017. Two months later it was also found in applications posing as trustworthy flashlight apps, as well as piggybacking on a smartphone cleaning app.
Another banking trojan, in 2018, performed malicious phishing via “please confirm” or “payment” email campaigns, an estimated 500,000 times around the world. According to McAfee, upon clicking on the message the banking malware reportedly could bypass the email protection system and infect the recipient's device. Avast has also reported on multiple banking trojans disguised as apps.
Downloading a fake app can have severe consequences for the end-user. For that reason, end-users should avoid downloading from third-party app stores and be attentive to apparent signs of fraud (spelling mistakes in the description, a lack of user reviews, sloppy interface design, etc.) when downloading from an official store. But end-users are not the only victims of fake applications. Organizations can suffer substantial financial and reputational damage when their mobile applications are cloned and their brands associated with fraud.
To protect their brand, enterprises can take the following measures: