Our cyber security researchers have seen a recent increase in scammers copying legitimate smartphone applications but injecting them with malicious code to spy on users and steal personal data. Sometimes these apps market themselves as an augmented version of the original app, offering extra features. Other apps take a more malicious approach and masquerade as the genuine app with the goal of tricking users into thinking it’s the real thing.
This opens everyday users up to a variety of threats. Anyone taken in by one of these scam apps could have personal data stolen or, worse, become a victim of financial fraud.
How do scam apps get on your phone?
Scammers can distribute fake apps in a number of ways: they can be listed on third-party app stores, sent to the victim in a text or email, or even found hiding in the official app stores themselves. Mobile devices are a scammer's perfect target, as they contain reams of personal information, go everywhere with their users, and mobile malware can be tricky to find or protect against.
To create these fake apps, scammers will reverse engineer or copy real apps then inject their malicious code and distribute it to as many potential victims as possible.
Google claims to review all apps and all developers; however, we know that some malicious apps slip through the net and appear in the Google Play Store. These apps can pose as anything from antivirus apps to browsers or games. Similarly, while Apple only allows fully vetted applications on its App Store, the Washington Post reported last year that of the top-grossing 1000 apps, 2% were scams that conned users out of $48 million in their tenure on the App Store. What's more, Apple takes a cut of all app revenue of up to 30%, meaning that it could have profited directly from these scam apps while they were live on its App Store.
Once a scam app is live, criminals can lead people to these fake apps using phishing campaigns. For example, they could use emails or text messages that appear to be from your bank or another trusted brand, with a link to download the apps that will then mine your device for information. These phishing attacks could also take the form of a fake security or software update.
Real examples of scam apps
One example for iOS is TikTok++ which is a tweaked version of the TikTok app. On the face of it, this offers some great additional features compared to the official app, including the ability to download all videos, remove TikTok ads and spoof follower numbers and heart stats.
Unfortunately, where there are benefits there must also be a cost; the developers of these apps have not made them purely for charitable reasons. Whilst TikTok ads are removed in TikTok++, they are replaced by intrusive full-screen ads, which often contain false information designed to trick the app user into taking an action, such as visiting a link or downloading another app. One example stated "50 viruses detected on your iPhone", which we know was untrue.
We went on to analyze the app’s internet traffic and identified links to URLs and IP addresses that had been flagged by several virus detection engines as being associated with malware.
Another example for Android is a malicious version of the BAWAG banking app. BAWAG is a prominent financial institution in Austria. This app is a little different as this time it is masquerading as the legitimate version of the real app.
When first downloaded, the app asks the user to grant it the device's "accessibility services" permission. This permission allows the app to read the screen and mimic user interaction. In this instance, once the permission has been granted, the app backgrounds itself. If the user tries to uninstall the app, it interrupts and closes the uninstall dialogues. Attempting to open the app again also fails: nothing happens.
Every Android app has a manifest file containing a list of the permissions, activities, and services that the app provides. If a service is not in the manifest, it cannot be launched by the app. This particular app's manifest asks for a wide range of permissions, including the ability to read and send SMS messages, install and delete packages, read contacts, initiate calls, and bind the aforementioned accessibility service. This would give the app permission to propagate itself using the infected device. This app is what is known as an Android dropper: an app that hides its code and true activities, making it incredibly difficult to find and eradicate.
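The manifest check described above can be automated. The following is an added example, not code from Certo or from the app analysed here: it parses an AndroidManifest.xml, lists the requested permissions that match the high-risk set the article describes (SMS, contacts, calls, package install/delete), and reports any service that is declared with the accessibility-service binding permission. The two manifests embedded in the block are constructed for illustration; the package names and component names in them are made up.

```python
# Added example (not Certo's or the analysed app's code): audit an Android
# manifest for the permission/service combination described in the article.
import xml.etree.ElementTree as ET

# The "android:" attribute namespace used in every AndroidManifest.xml.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Real Android permission names, grouped by the capability the article flags.
HIGH_RISK_PERMISSIONS = {
    "android.permission.READ_SMS": "read SMS (e.g. one-time passcodes)",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.SEND_SMS": "send SMS (self-propagation, premium fraud)",
    "android.permission.READ_CONTACTS": "harvest contacts",
    "android.permission.CALL_PHONE": "initiate calls",
    "android.permission.INSTALL_PACKAGES": "install packages",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install packages (dropper stage)",
    "android.permission.DELETE_PACKAGES": "delete packages",
    "android.permission.REQUEST_DELETE_PACKAGES": "delete packages",
}
# A service must declare this permission to be bound as an accessibility service.
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed manifest mimicking the dropper pattern (names are made up).
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.REQUEST_DELETE_PACKAGES"/>
    <application android:label="Bank">
        <activity android:name=".MainActivity"/>
        <service android:name=".ScreenReaderService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed manifest for an ordinary app, for comparison (names are made up).
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def audit_manifest(xml_text):
    """Return the high-risk permissions and accessibility services a manifest declares."""
    root = ET.fromstring(xml_text)
    requested = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    flagged = {p: HIGH_RISK_PERMISSIONS[p] for p in sorted(requested)
               if p in HIGH_RISK_PERMISSIONS}
    # A service can only run as an accessibility service if it is declared here
    # with the BIND_ACCESSIBILITY_SERVICE permission.
    accessibility_services = [s.get(NAME_ATTR) for s in root.iter("service")
                              if s.get(PERM_ATTR) == ACCESSIBILITY_BIND]
    # Simple score: one point per flagged permission, three more if the app can
    # read the screen and drive the UI, since that is what lets it block removal.
    score = len(flagged) + (3 if accessibility_services else 0)
    return {
        "package": root.get("package"),
        "high_risk_permissions": flagged,
        "accessibility_services": accessibility_services,
        "risk_score": score,
    }


if __name__ == "__main__":
    for text in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = audit_manifest(text)
        print(result["package"], "risk score:", result["risk_score"])
        for perm, why in result["high_risk_permissions"].items():
            print("  ", perm, "->", why)
        for svc in result["accessibility_services"]:
            print("   accessibility service:", svc)
```

The score is a triage aid rather than a verdict: a legitimate SMS client or accessibility tool will also request some of these permissions, so the output is meant to prompt a closer look at apps whose stated purpose (here, banking) does not explain them.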
How to spot and protect against scam apps
While at first glance some of these apps may seem harmless, they are all dangerous. They may obtain access to everything on your phone, allowing them to steal your data, access your communication history and photos, track your location and charge money to your accounts.
It is therefore crucial for your security and safety that you know how to recognize and avoid these apps. To help you stay aware and stay safe, we have put together some advice below:
Avoid third-party app stores
Don’t download apps from an unofficial third-party app store. While apps from alternative stores can be tempting if they offer additional features or paid content for free, they can often contain malware which puts your device and data at risk.
Only download apps from the official app stores
Where possible, download your apps from the official Google or Apple app stores. While scam apps can sometimes still appear on these stores, apps available here are subjected to a much more rigorous approval process and therefore it is more likely that scam apps will be caught and banned.
Don’t open any app download links sent to you via email/SMS
A common way scammers distribute malicious apps to unsuspecting victims is by sending a direct download link to a scam app via email or SMS. They will often pretend to be from your bank, credit card company, or other familiar brands to trick you into installing the app on your device. If you receive a message asking you to install or update an app, proceed with caution.
Check the store listing for mistakes
Look out for spelling mistakes – typos and grammar mistakes are a big red flag, as app developers will usually be very careful and conscientious with their product. If it looks rushed it may well be a scam. Also check the app icon and screenshots – scam apps will often try to mimic the branding of the real app but will often fall short. Look closely for low-quality or distorted images.
Read the reviews before downloading
Check the reviews of an app you are thinking of downloading – be wary of any with frequent bad reviews and heed any warnings. Apps with a lot of 5-star reviews and 1-star reviews without much in between can be a sign that the developer has paid for good reviews to cover up the bad ones.
Check the app release date and version history
Google's Play Store and Apple's App Store both allow you to view the release date and version history of an app, and this can be another good way to spot a scam. A very recently released app with a high number of downloads can be a reason to be wary. Most genuine apps with a high number of downloads have usually been available for a while, and their release date and version history should reflect this.
Scan your phone for hidden scam apps
If a scam app is installed on your phone then there may be some obvious signs, but certain types lurk in the background and silently leak your data to a third-party. In order to ensure protection of your mobile device, we recommend regularly checking it for malicious apps and other threats. Certo AntiSpy (iOS) and Certo Mobile Security (Android) can quickly spot and remove malware from your phone, keeping your information safe and secure.