Attack of the Clones: Preventing Fake Mobile App Proliferation

Somewhere in the world, you might have an evil twin that steals money, abuses the innocent, and brings shame to your name. But while most ordinary citizens don’t have to worry about this seemingly far-fetched dilemma, the “evil twin” problem is an increasingly common issue for mobile application developers. Recent headlines show how cloned apps are being widely used to spread malware, perpetrate fraud, steal private information, and even generate ad revenue for cybercriminals.

Without proper protections in place, the process of creating a fake mobile application is much less involved than printing counterfeit paper currency or manufacturing an ersatz Rolex watch. And the potential for criminal exploitation reaches far wider than hand-to-hand transactions. Attackers don’t even need to steal user credentials if they can convincingly impersonate a legitimate application with a cloned version.

Faking it: Reverse engineering, modding, and repackaging

For both iOS and Android applications, piracy typically starts with reverse engineering. A legitimate mobile application is first decompiled (reversing the compiled binary into human-readable code) in order to analyze it – including its security features. An attacker can then extract sensitive information or IP from the app or SDK, such as proprietary algorithms, secrets, and keys. A malicious actor can also make sophisticated code modifications.

Modding or tampering involves techniques like patching to change a mobile app and dynamically alter its behavior. One outcome could be creating a version of the app with bypassed restrictions. For example, in a mobile gaming app, the goal may be to unlock resources (such as unlimited lives or weapons). For other types of applications, the goal is often to access paid features or premium content. Another common modding technique is code injection to insert malicious content (i.e., malware) or to bypass mobile app security features, such as adding backdoors or altering how the app communicates with backend systems.

The final step in the process is repackaging the modified clone version of an app for distribution, typically aiming for one of two different malicious outcomes:

• The user willingly downloads or sideloads the cloned app in order to unlock premium content for free or to bypass advertisements – as was the case with the YouTube Vanced malware attacks.
• The user unintentionally installs a corrupted mobile app in response to sophisticated social engineering, as seen in several recent phishing attacks.

In both cases, once the user installs the corrupted clone app, it can lead to credential theft and other security issues.

Stopping your mobile app “clone war” before it starts

Defending mobile applications against “evil twin” app impersonation requires a robust, multi-layered solution that can prevent reverse engineering and tampering. An effective software protection scheme starts with a compiler-based solution that integrates encryption and code obfuscation, which help prevent IP theft. Obfuscation techniques scramble the code in different ways, making it difficult for the reverse engineer attacker to understand how the app functions.

The addition of runtime application self-protection (RASP) can dynamically monitor the app’s behavior in real time and detect tampering, modding, or jailbreak attempts. Anti-debugging capabilities can respond to an attack by terminating the app or restricting its functionality. RASP also ensures that each new build of the app has a unique set of security checks injected into different places within the code, making it much harder for a cloning threat actor to expand upon or apply any knowledge gained from previous attack attempts on newer app versions. This is a key advantage that a compiler-based approach offers over single-layer wrapper-based solutions.

This kind of multi-layered mobile app security ensures that protections are constantly evolving, which provides resilience by “resetting the clock” on malicious actors. When an attacker is forced to continuously adapt to new configurations, it frustrates their ability to understand anything useful about your application.

How Guardsquare can help

Guardsquare provides comprehensive mobile application security across all stages of the software development lifecycle (SDLC) through products like DexGuard and iXGuard. Many of our customers specifically chose Guardsquare to help them address problems associated with app impersonation.

• A top commercial and real estate bank faced a variety of risks (financial losses, regulatory fines, brand damage) due to cloned and modified apps that enabled things like credential theft, transaction fraud, and account take-overs.
• An advanced AI tool provider discovered a doppelganger app that was using their patented IP to steal private customer information.
• A video software company struggled with malicious actors copying their code and distributing an unauthorized (and unstable) free version of their app.
• Developers of a popular religious lifestyle app were losing revenue to a modified clone that let users bypass their paywall and access premium features for free.

Want to learn more? Contact us today.