Security researchers are cautioning Android users about downloading apps for shopping, games, and Santa video chats after finding hundreds of malicious apps likely leveraging the season to defraud unwitting victims. A scan of thousands of apps revealed seven with malicious routines, such as replacing the legitimate app with a version downloaded from a command and control (C&C) server. They also found 35 apps containing adware with more invasive behaviors than standard in-app advertisements, and 165 apps enabling “excessive or dangerous combinations of permissions,” such as camera, microphone, contacts and text messages. Researchers from Barracuda Networks recommend that users examine the apps they download to their phones, especially as online shopping and banking are expected to reach new heights this year.
The invasive adware was reportedly related to DIY gift projects and used suspicious ad networks, displaying catchy deals and coupons. Cybercriminals can go after banking, email, and access credentials by replacing legitimate website forms, or by using malware or injected skimmers. The researchers noted that the excessive permissions users may grant to apps can be used to steal information stored on the device, such as contacts for phishing and spam campaigns, as well as banking authentication tokens sent via SMS when shoppers finalize their purchases online.
Here are a few best practices to note when downloading apps and shopping online:
Check app reviews on reputable websites
Review the access permissions being requested by the app and evaluate if they are necessary for the functions of the app
Type retailers’ website addresses directly, and avoid clicking on URLs found in emails and text messages, especially from unknown senders
Limit the amount of personal information provided to websites and apps
Regularly update devices’ operating systems and apps
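The permission review recommended above can be automated for anyone vetting apps in bulk. The following is an added example, not code from the researchers or the original report: it reads a decoded AndroidManifest.xml (for example, as produced by apktool) and flags apps that request several of the sensitive categories named in the article. The sample manifests, package names, and the two-category threshold are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
# Categories named in the article, mapped to Android permission names.
SENSITIVE = {
    "camera": {P + "CAMERA"},
    "microphone": {P + "RECORD_AUDIO"},
    "contacts": {P + "READ_CONTACTS", P + "WRITE_CONTACTS"},
    "text messages": {P + "READ_SMS", P + "RECEIVE_SMS", P + "SEND_SMS"},
}

def requested_permissions(manifest_xml):
    """Return (package, set of permission names) from a decoded manifest."""
    if "<!DOCTYPE" in manifest_xml or "<!ENTITY" in manifest_xml:
        raise ValueError("unexpected DTD in manifest")  # manifests never need one
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID + "name")
            if name:
                perms.add(name)
    return root.get("package"), perms

def audit(manifest_xml, threshold=2):
    """Flag a manifest requesting `threshold` or more sensitive categories.
    The threshold is an assumption for this example, not a figure from the report."""
    package, perms = requested_permissions(manifest_xml)
    hits = {c: sorted(perms & names) for c, names in SENSITIVE.items() if perms & names}
    return {"package": package, "categories": hits, "flagged": len(hits) >= threshold}

def _manifest(package, perms):  # builds constructed sample input
    uses = "".join('<uses-permission android:name="%s%s"/>' % (P, p) for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="%s">%s<application/></manifest>' % (package, uses))

# Constructed samples: a coupon app asking for everything, and a QR scanner.
COUPON_APP = _manifest("com.example.holidaycoupons",
                       ["INTERNET", "CAMERA", "RECORD_AUDIO", "READ_CONTACTS", "RECEIVE_SMS"])
SCANNER_APP = _manifest("com.example.qrscanner", ["INTERNET", "CAMERA"])

if __name__ == "__main__":
    for sample in (COUPON_APP, SCANNER_APP):
        result = audit(sample)
        print(result["package"], "FLAG" if result["flagged"] else "ok", result["categories"])
```

A flag is a prompt for manual review against the app's stated function, not a verdict: a video chat app legitimately needs the camera and microphone, while a coupon app does not need SMS access.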