Spoof Goes The Data

Spending money has become increasingly easy with the growth of the digital age. New technology has created a faster, effortless shopping experience. One-click payments and mobile apps have revolutionised the traditional process for online consumers.

The ability to check a bank balance throughout the day or do a week’s grocery shopping on the move is now an essential part of most people’s daily life. 90% of mobile time is spent on apps, representing 57% of all digital media usage [1]. There are 2.7 billion smartphone users worldwide and the average user accesses 30 different apps each month [2]. However, technology advances spawn new avenues for cybercrime, and this year’s fastest growing cyber threat is rogue mobile app fraud, which involves brand spoofing to trick users. RSA Security has found that fake mobile app fraud tripled in the first half of 2019 [3] and, according to McAfee’s Mobile Threat Report 2019, nearly 65,000 new fake apps were detected in December 2018 [4].

But what exactly is mobile app fraud? It’s essentially the practice of downloading a pirated app onto your mobile device. These “pirated” or “cloned” apps appear to be legitimate but in fact contain malware or spyware. The malware can disable security functions, allowing a cybercriminal to embed phishing attacks, access your data or create backdoors which can later be used for spying and remote access [5]. Less maliciously, the malware is often used to display advertising on your device without your knowledge to generate illicit revenue [6].

Not every malicious app is created intentionally. Some unsavvy developers use pirated tools to create their apps, which give access to sensitive data or in some cases damage the mobile device [7].

For some businesses, apps create an always-on presence through which they can sell to their consumers for the majority of the day. For others, an app is a level of authentication, enabling employees to work from anywhere and also providing a second line of endpoint security to their data. There is no doubt application technology is a useful tool to a business, however

•  In June 2018, fake Fortnite Android apps were circulated and downloaded months before the actual game app was launched [4]. The fake app prompted users to download several other apps to unlock the ability to play the game. The downloads allowed cybercriminals to profit through display ads [8].

•  In October 2018, it was found that several horoscope and phone power booster apps on the Google Play App Store were actually elaborate hacking tools. The fake apps had the ability to intercept and redirect text messages, bypass SMS 2FA, intercept call logs and download and install other apps on the user’s device. Some, even after deletion, maintained malicious code which allowed the hacker to resume access to the user’s device in the background [9].

•  In September 2019, 17 apps created by the same developer were removed from the Apple App Store: all contained malicious code that allowed artificial click-through of ads in the background of the user’s phone, without the user’s knowledge. This generated revenue for the hacker by fraudulently subscribing the user to expensive content services [10].

•  In December 2019, it was discovered that an Android vulnerability identified as StrandHogg [11] allowed cyber criminals to create fake login pages for legitimate apps and gain login credentials, location information and access to text messages, and even activate a device’s camera and microphone [12]. The hacker effectively tricks the device so that when the icon of a legitimate app is clicked, the malicious version is displayed instead.

The sheer growth rate in this avenue of cyber crime alone is enough to question whether application technology is enabling cyber criminals to commit fraudulent acts more easily.

Understanding the dangers of downloading random apps onto your devices is the first stage in protecting yourself against mobile app fraud, but what other measures can be taken?

(1) BE VIGILANT!

Only download apps directly from a reputable source such as the Apple App Store or Google Play Store. This does not guarantee apps are malware-free, but malicious apps will be deleted and removed quicker than on a third-party app store. Before downloading, it is worthwhile to research the app and look through reviews. This helps verify the app is not malicious and stops a phish in its tracks. We can’t always rely on the brand to have incorporated the best security into their apps; if a user does their own research and is vigilant when entering data, they can avoid getting phished.

(2) KEEP YOUR DEVICE SOFTWARE UP TO DATE

Any device that isn’t running the latest version of its operating system is vulnerable to exploits used by fake apps. Software updates usually include bug fixes and additional security measures. Updating your operating system to apply these patches will prevent your device’s vulnerabilities from being exploited. In 2019, Symantec’s ISTR found that 78.3% of iOS devices run the newest software version versus 23.7% of Android devices [6].

(3) ENDPOINT SECURITY

As a business, if an employee is using their own device for work purposes then it is in the business’s interest to ensure that the device has appropriate endpoint security, such as an MDM (mobile device management) or UEM (unified endpoint management) platform. These platforms will ensure the IT department can prevent unsafe apps from being installed on the device through safety and compliance checks and, at the very least, ensure the device has an updated operating system.

(4) END USER TRAINING AND EDUCATION

One of the best ways to avoid being a target of phishing is to understand how to spot a phish. Structured security awareness training helps an end user to identify a fake app, fake web links or text messages, preventing them from becoming a victim of mobile app fraud and disabling cyber criminals’ attempts to access their data.

To learn more about endpoint security or security awareness training, please get in touch.