Fake apps are mobile apps that trick users into downloading them by invoking legitimate companies or popular references. They may also pose as quirky and attractive apps, providing interesting services like live wallpapers or real-time spying tools. Once installed on a mobile device, fake apps can perform a variety of malicious routines. They can persistently push ads, track and report location and other sensitive information, or subscribe users to premium services without consent. These can all lead to loss of data and privacy and wasted device resources.
For a cybercriminal, capturing the interest of the online public is easy: bait users with apps that are generating buzz among mobile device users. Risks abound even on official app-distribution platforms, enough to prey on a trusting user.
In Trend Micro research, 890,482 apps were discovered coming from different sources as of April 2014. Proving to be more than just copycats, fake apps were said to be high-risk apps or malware. Among the discovered fake apps, 59,185 were aggressive adware while 394,263 were flagged as malware.
Repackaged apps are a category of fake apps that cyber crooks use to distribute mobile malware. Like other fake apps, they rely on social engineering tactics and masquerade as the official versions of the apps they have spoofed in order to generate profit. They can display a similar user interface, icon, package name, and even app label, and so may easily pass as the official or legitimate version of the app they are copying.
Trojanized apps, unlike repackaged apps, are always labeled as “malicious” as they exhibit harmful behaviors. How do cybercriminals do this? It is known that legitimate developers earn revenue by pushing advertisements to users. However, online criminals add mobile ad software development kits (SDKs) to their own creations, or replace the mobile ad SDKs in existing applications, and take revenue away from the original developers.
Google Play has become a target of cyber-attacks because of its app distribution model. Its vulnerability stems from the fact that it is open to developers, even to those who are just posing as one. Cybercriminals can easily register as a developer, download a legitimate app, insert malicious code, and re-upload it to Google Play. In the same manner, third-party sites that aim to provide alternative apps for users are now hosting malicious, repackaged, and pirated applications.
Cybercriminals posing as credible developers easily trick users into downloading rogue apps onto their devices. In the course of our research in 2012, we encountered fake apps supposedly created by Rovio Mobile Ltd., makers of the successful downloadable game Angry Birds, listed in the Android Market. Noticeably, the game that made the developer famous was not in the list of available apps, yet it is easy to miss that the developer's name is simply a trick to get users to unwittingly download the apps in the roster. On close inspection, the “L” in the word “Mobile” is actually an “I”, revealing that the actual name of the developer is rovio mobiie ltd.
The names and icons used for the apps originate from existing apps, but once the user tries to install any of the displayed apps, they are shown a modified image (also taken from the legitimate counterpart) instructing them to click a link to complete the installation process. Lured into following these instructions, the user is then led to a webpage that he/she is asked to fill out in order to unlock the “full version” of the chosen app. And yet, instead of the promised app, the user is redirected to advertisements. This goes to show that cybercriminals are learning the ropes of gaming an app store’s reputation system.
Similarly, in 2012, a fake version of the gaming app Temple Run was detected in the Android Market. Although it claimed to be the famed app, the name of its developer was noticeably not Imangi Studios, the developer indicated in the original iOS version.
Once installed and run, the fake app displays shortcuts on the infected smartphone’s homepage. If the device is Android-based, the user is asked to share the fake app on Facebook and rate it in the Android Market before accessing the game. The app was also capable of displaying ads using mobile notifications. Once tricked into doing as instructed, the user is directed to a countdown to the said app’s release instead of the actual game. Because of its aggressive advertising, we classified the fake app as malware, detected as ANDROIDOS_FAKERUN.A.
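The two cases above (a developer name that differs from the genuine one by a look-alike letter, and a well-known title published under a different developer name) can both be caught by comparing a listing against the publisher on record. The following is an added example, not code from the original research; the allow-list, the confusable-glyph table, the edit-distance threshold of 2, and the sample listings are constructed assumptions.

```python
import unicodedata

# Constructed allow-list: app title -> developer name as cited in the article.
KNOWN_PUBLISHERS = {
    "angry birds": "Rovio Mobile Ltd.",
    "temple run": "Imangi Studios",
}
# Glyphs that read alike in a store listing, folded to one representative.
CONFUSABLES = str.maketrans({"l": "i", "1": "i", "0": "o"})

def skeleton(name):
    """Case-fold, drop accents and punctuation, collapse look-alike glyphs."""
    text = unicodedata.normalize("NFKD", name).casefold()
    text = "".join(ch for ch in text if ch.isalnum())
    return text.translate(CONFUSABLES).replace("rn", "m")

def edit_distance(a, b):
    """Levenshtein distance, used to catch dropped or swapped letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(candidate, genuine):
    a, b = skeleton(candidate), skeleton(genuine)
    return a == b or edit_distance(a, b) <= 2

def check_listing(title, developer):
    """Classify a store listing by its title and displayed developer name."""
    expected = KNOWN_PUBLISHERS.get(title.strip().casefold())
    if expected is not None:
        if developer == expected:
            return "ok"
        return "lookalike-developer" if is_lookalike(developer, expected) else "wrong-developer"
    # Unlisted title: still flag a developer name that imitates a known one.
    for genuine in KNOWN_PUBLISHERS.values():
        if developer != genuine and is_lookalike(developer, genuine):
            return "lookalike-developer"
    return "unknown-title"

if __name__ == "__main__":
    # Constructed listings modelled on the two cases described above.
    for title, dev in [("Angry Birds", "Rovio Mobile Ltd."),
                       ("Example Wallpaper", "rovio mobiie ltd."),
                       ("Temple Run", "Example Dev Co")]:
        print(f"{title!r} by {dev!r}: {check_listing(title, dev)}")
```
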
The same holds true for the fake versions of messaging apps cropping up in app stores. With these apps collecting millions of registered users worldwide, malicious versions are expected to emerge and harm users for profit. Such is the case with the Trojanized and fake versions of KakaoTalk detected in 2013.
In today’s ever-evolving, technology-driven society, it is easy to fall into the traps left by cybercriminals. A mobile device user has an average of 41 downloaded apps. With demand still growing for more ways to expand one’s mobile device use, cybercriminals are expected to seek more and more ways to take advantage of this clamor for newer, more advanced apps.
The best armor a smart mobile user can wear is to stay well-informed of the many ways a cybercriminal could take advantage of a mobile device’s vulnerability. These simple steps are key in keeping your app-world safe from threats: