According to statistics, there are almost 4 billion smartphone users in the world, almost 50% of the world’s population. The revolution in mobile devices means the phone is no longer primarily a device for making calls and sending short messages; it has become a tool for entertainment, learning, doing business, and much more.
These functions are delivered by mobile applications distributed through dedicated stores such as the Apple Store or Google Play.
The popularity of mobile apps is growing year by year: from 2016 to 2020, the number of mobile app downloads per quarter more than doubled: from 20 billion to 36 billion. In total, there were more than 204 billion downloads in 2020.
The number of mobile applications in stores is also growing. According to statistics, every month about 100,000 apps are released for Google Play and 30,000 apps for the Apple Store.
Naturally, where information technology is used on such a massive scale, there are also many cybercriminals. Their target is the information stored on phones, which can be both personal (photos, copies of documents, bank card data) and business information; a leak of such information can be extremely unpleasant for its owner. Attackers do not even need social engineering or other elaborate techniques to steal it. Everything is much simpler: all they need is for the user to download a fake app that pretends to be a real one and performs malicious functions. Moreover, such programs not only steal data but also mine cryptocurrency, commit advertising fraud, and so on.
There is another route: publish an application that works as advertised but also quietly collects the desired information and passes it to cybercriminals.
Of course, Google Play and the Apple Store do not stand idly by and actively combat such programs: apps are checked manually and automatically before they are published and periodically thereafter, but even this is not enough to weed out rogue apps one hundred percent.
Basic ways to counterfeit apps
Imitation of popular programs
The more popular an application is, the more fake versions of it will be created. This method relies on human psychology: many people want to be on trend and have the most popular apps on their phones. Scammers take advantage of this by creating clones of such programs with “side” functions: intercepting text messages and bank card data, taking screenshots, and so on. Visually they differ little from the legitimate ones: the same icons and names, and even the manufacturer’s name can look like the real one, as the story of WhatsApp and its fake counterpart shows. Even the app stores themselves are faked: for example, a fake copy of the Google Play store was discovered in 2014.
Figure 1: Fake Google Play Store process in Task Manager next to the genuine one
Figure 2: Fake copies of the WhatsApp app
That said, attackers are not limited to popular apps like WhatsApp. Cybercriminals clearly follow what is going on in society. Cryptocurrencies grow in popularity, and an app pretending to be a well-known cryptocurrency exchange appears. COVID-19 appeared, and fake apps to “fight the disease” were not long in coming. Approaching or ongoing major sporting, cultural and political events are also occasions for the release of many fake apps.
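The store-side counterpart of this section is spotting listings whose name imitates a well-known app while being published by a different developer account. The following is an added example, not code from the original article or from any app store: it normalizes listing names (case, accents, punctuation, Unicode compatibility forms), then flags a listing as a lookalike when its name embeds or closely resembles a known brand but the developer is not the brand’s genuine account. The brand list, developer ids and sample listings are constructed for the example; the similarity threshold is an assumption to tune against real catalogue data.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed reference list: well-known app names and the developer account that
# genuinely publishes them. The developer ids are placeholders, not real store data.
KNOWN_APPS = {
    "whatsapp": "dev-whatsapp-official",
    "tiktok": "dev-tiktok-official",
    "google play store": "dev-google-official",
}


def normalize(name: str) -> str:
    """Fold case, strip accents and compatibility forms (e.g. fullwidth letters),
    replace punctuation with spaces and collapse whitespace, so cosmetic
    variations of a name compare equal."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_marks = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    letters = "".join(ch if ch.isalnum() else " " for ch in no_marks.lower())
    return " ".join(letters.split())


def compact(name: str) -> str:
    """Normalized name with spaces removed: 'Tik Tok Pro' -> 'tiktokpro'."""
    return normalize(name).replace(" ", "")


def name_similarity(a: str, b: str) -> float:
    """Similarity in 0.0..1.0 of two compacted names (catches one-letter typosquats
    and homoglyph substitutions that survive normalization)."""
    return SequenceMatcher(None, compact(a), compact(b)).ratio()


def classify_listing(listing: dict, known: dict = KNOWN_APPS, threshold: float = 0.85) -> str:
    """Return 'genuine', 'lookalike:<brand>' or 'unrelated' for one store listing.

    A listing is a lookalike when its name embeds or closely resembles a known
    brand but the publishing developer is not the brand's genuine account.
    """
    listing_compact = compact(listing["name"])
    for brand, genuine_dev in known.items():
        embeds_brand = compact(brand) in listing_compact
        close_match = name_similarity(listing["name"], brand) >= threshold
        if embeds_brand or close_match:
            if listing["developer"] == genuine_dev:
                return "genuine"
            return f"lookalike:{brand}"
    return "unrelated"


def review_catalogue(listings: list) -> list:
    """Return [(name, developer, verdict)] for every listing flagged as a lookalike."""
    flagged = []
    for item in listings:
        verdict = classify_listing(item)
        if verdict.startswith("lookalike:"):
            flagged.append((item["name"], item["developer"], verdict))
    return flagged


# Constructed sample catalogue (names and developer ids made up for the example).
SAMPLE_LISTINGS = [
    {"name": "WhatsApp", "developer": "dev-whatsapp-official"},   # genuine
    {"name": "WhatsApp", "developer": "dev-random-123"},          # same name, other publisher
    {"name": "Whats App Messenger Plus", "developer": "dev-random-456"},
    {"name": "Whats\u0410pp", "developer": "dev-random-789"},     # Cyrillic A in place of Latin A
    {"name": "TikTok Pro", "developer": "dev-random-321"},        # the 'TikTok Pro' pattern
    {"name": "Weather Radar", "developer": "dev-weather-co"},     # unrelated
]

if __name__ == "__main__":
    for name, dev, verdict in review_catalogue(SAMPLE_LISTINGS):
        print(f"{verdict:20} {name!r} published by {dev}")
```

Running the block flags four of the six constructed listings. The homoglyph case is caught by the similarity score rather than by substring matching, which is why both checks are kept; in a real store pipeline the genuine developer mapping would come from verified publisher records, and a flagged listing would go to manual review rather than be rejected automatically.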
Imitation of banned apps
It is no secret that in many countries some apps are banned for various reasons (religious, ethical, etc.). We do not need to look far for examples: the social network LinkedIn is blocked in Russia, and TikTok is blocked in India. Fraudsters fake a banned app and publish it in a store under a similar name, with the assurance that it really works like the original. Thus, after TikTok was banned in India, the “TikTok Pro” app quickly appeared, but from a different manufacturer and with completely different functions.
Figure 3: An SMS message with a link to the fake TikTok Pro
Cybercriminals rely on the same aspect of human psychology: a person wants to have on their phone what is popular around the world and is ready to install applications from any source to get it, without giving any thought to information security.
Applications can be installed not only from the store but also from any website: it is enough to download the installation file and install it. This is possible on both Android and iOS phones. It opens up a very large room for action for attackers: app stores regularly check the content placed there, but the owners of websites do not.
The need for such downloads arises from factors such as the prohibition of certain categories of applications by law (casinos, gambling, pornography, etc.), marketing activity (“our application is about to appear in the store but has not yet gone through the appropriate formalities”), and others.
Cybercriminals can also attack legitimate sites to spoof safe apps with malicious ones or create their own copies of those sites, putting dangerous programs there.
Threats from Legitimate Applications
Legitimate apps with illegitimate activity
Another way to trick users out of their data is to create a legitimate application that starts performing unwanted activity after a while. One example is Barcode Scanner, which for a long time was positioned as a handy barcode scanning application and then suddenly began displaying ads persistently.
Exploiting App Vulnerabilities
Data leakage from mobile devices is not always due to the installation of a fake program. Attackers can also exploit vulnerabilities in official apps: for example, a mistake in the code of a Facebook app could have led to a leak of the data of 50 million users.
Attackers also pay attention to the architecture of applications: storage, encryption algorithms, data transfer protocols, etc. are investigated by hackers for later use to harm users.
The main ways to protect against fake apps
Each user of a mobile device is responsible for its safe use and has the power to reduce its attack surface. This does not even require advanced skills in information technology or information security.
First of all, it is necessary to establish a basic rule: download applications only from official stores. Downloading applications or installation files from other sources creates a very high risk.
When downloading an app from an official store, check the manufacturer, the rating of the app and the number of installations. If in doubt, reviews from users who installed the app earlier can provide additional information.
To install an official mobile app, you can go to the store via a link from the manufacturer’s website for that program. Then you will not need to search for the app by name, and the risk of installing a fake app is minimized.
Another way to verify the legitimacy of an application is to contact its manufacturer and clarify your questions.
You should avoid applications that are known to be illegal in your country: with 99.9% probability it will be a fake program that, for example, collects your personal data.
For an installed application, you should control the permissions it requests. For example, a calculator should not request access to the gallery or contacts. In addition to controlling the permissions granted during installation, you should regularly review those granted earlier. It is also a good idea to remove unused apps: this not only minimizes the risk of information leakage but also frees up phone memory.
Do not forget the basic rules of cyber hygiene. Your phone should be protected by a password, and it should not be left unattended in public places; then attackers will have fewer opportunities to install applications without the owner’s knowledge.
It is best not to connect to Wi-Fi networks in public places: they can be compromised by criminals, after which the data transferred between the phone and the server can be intercepted or modified.
Do not forget to update the applications and the operating system of your mobile device promptly; this closes known vulnerabilities in time.
It is worth installing separate anti-virus software, even if the phone already has, for example, banking applications with anti-virus “on board”.
Finally, it is recommended not to perform any manipulations of the phone that the manufacturer forbids, for example “rooting” it.
Recommendations for application developers
To ensure that the user is not harmed by the actions of a legitimate application, developers must also follow a number of rules.
One of the first steps should be implementing an information security management system at the application developer’s company. This allows best practices to be applied to protect the development environment and the corporate network, to reduce the probability of the application source code leaking through various communication channels, etc.
Another step is to adopt a secure development lifecycle (SDL). This minimizes bugs and vulnerabilities in the design and development phase of the application. The use of specialized tools, such as code scanners, is also necessary.
Application developers’ awareness of current cyberthreat trends should be raised constantly; Gartner forecasts, vendor and integrator reports, etc. can help.
Before publishing an application to the stores, it is recommended to perform an independent security analysis. External expertise can help identify new threats.
Applications should be updated regularly, not only to add user-facing features but also to patch the program as information becomes available about vulnerabilities in it and how they are exploited.
If the application’s installation file is hosted on a website rather than in the store, it should be regularly checked for illegitimate modifications.
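One concrete way to perform the check just described, which also addresses the earlier point about attackers replacing safe installers on compromised sites, is to record a cryptographic hash of every installer at release time and periodically compare it with what the website actually serves. The code below is an added example, not part of the original article or of any vendor’s tooling. It assumes the release manifest is produced in the build pipeline and stored outside the web host (so an attacker who alters the server cannot rewrite the manifest too); the installer bytes, file names and the tampered copies are constructed stand-ins for the example.

```python
from __future__ import annotations

import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a file's bytes, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(release_files: dict[str, bytes]) -> dict[str, str]:
    """Run at release time, in the build pipeline: record the hash of every
    installer before it is uploaded. Keep this manifest outside the web host."""
    return {name: sha256_hex(data) for name, data in release_files.items()}


def verify_hosted(manifest: dict[str, str], hosted: dict[str, bytes]) -> list[str]:
    """Compare what the website currently serves with the release manifest.

    Returns a list of findings; an empty list means every file matches.
    Three failure modes are reported: a file changed, a file disappeared,
    and a file appeared that was never part of the release.
    """
    findings = []
    for name, expected in manifest.items():
        data = hosted.get(name)
        if data is None:
            findings.append(f"missing: {name}")
            continue
        actual = sha256_hex(data)
        # Constant-time comparison is a habit worth keeping for any digest check.
        if not hmac.compare_digest(actual, expected):
            findings.append(f"modified: {name} expected {expected[:12]} got {actual[:12]}")
    for name in hosted:
        if name not in manifest:
            findings.append(f"unexpected file: {name}")
    return findings


# Constructed data: stand-in bytes, not a real installer.
RELEASE_FILES = {"app-release.apk": b"constructed installer bytes, version 1.0"}

# What the web server serves in the good case and in a tampered case
# (an altered installer plus an extra 'pro' build nobody released).
HOSTED_INTACT = {"app-release.apk": RELEASE_FILES["app-release.apk"]}
HOSTED_TAMPERED = {
    "app-release.apk": RELEASE_FILES["app-release.apk"] + b"\x00injected",
    "app-release-pro.apk": b"constructed rogue installer",
}


def check_hosted_release(hosted: dict[str, bytes]) -> list[str]:
    """Build the manifest from the release files and verify one snapshot of the site."""
    manifest = build_manifest(RELEASE_FILES)
    return verify_hosted(manifest, hosted)


if __name__ == "__main__":
    for label, hosted in (("intact", HOSTED_INTACT), ("tampered", HOSTED_TAMPERED)):
        findings = check_hosted_release(hosted)
        print(f"{label}: {'OK' if not findings else findings}")
```

In practice the `hosted` bytes would be fetched from the public download URL from a vantage point outside the company network, on a schedule, and any finding should take the download offline until it is investigated. The hash check complements, rather than replaces, package signing: the platform verifies the installer’s signature at install time, while this check tells the publisher that the file on the site was swapped before any user reports it.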
Apps have become a serious and lasting part of our lives. This applies not only to mobile apps but also to apps for smart TVs and other gadgets. Fraud associated with such “software” will develop and take new directions. The fight against this type of crime should be waged by all actors: developers, app store owners and, of course, users themselves. Only joint efforts will minimize the risk of counterfeiting and the resulting loss of user data and money.