The Rise of The Fake Mobile Apps: How to Protect Your Business
Nearly 65,000 new fake apps were detected in December of last year alone. We explain what fake apps are and how you can protect your business from them. Nowadays there is an app for everything, from pedometers to meditation apps. We have covered fake apps often in our articles, such as the news that one student single-handedly created 42 fraudulent apps, or the 9 million users who downloaded fraudulent Google Play apps. Whilst Google Play regularly audits and deletes fraudulent apps (it deleted over 700,000 in 2018), fake apps still keep cropping up.
Mobile phones are a natural target for fraudulent activity – the low barrier to entry and their dominance in society and business make them the perfect breeding ground for fraud, crime and cyber-security threats. Yet our reliance persists: ‘mobile phone addiction’ has now become part of our modern vernacular and has even been proposed for inclusion in the DSM-V, the official handbook used by healthcare professionals globally. So, without too much doom and gloom, let’s get into the nitty-gritty of what fake apps are and how you can protect yourself from them.
In this article:
- What are fake mobile apps?
- Hacking and hijacking via fake apps
- What can people do to stay safe?
- How can organizations protect themselves?
What Are Fake Mobile Apps?
Fake mobile apps are Android and iOS apps that mimic the appearance and/or functionality of legitimate apps, or that genuinely provide a legitimate function while carrying hidden behaviour that is effectively undetectable to the user. Essentially, fake apps hide or obscure their real (often malicious) intent behind an innocent one. This could be a free flashlight app that seems harmless but, once installed, starts sending fake clicks from your device to carry out click injection. Once downloaded and installed, these apps can do many harmful things. Some are relatively benign: they only display annoying ads, intended to generate revenue. Others are more dangerous: they steal information and data, or they divert payments and revenue to illegal sites. The problem is further exacerbated when fake apps gain access to phone functions such as your microphone or camera, or even damage the phone itself.
In some unfortunate cases, mobile phones may even be the subject of ransomware attacks, where the attacker takes control of the device and locks the user out, or hijacks important files, and the user must pay a ransom to regain control of their data and device. Ransomware also affects other devices, such as PCs.
Hacking and Hijacking Via Fake Apps
Theft is obviously bad enough, but an even worse outcome is that the hacker may gain access to the company network. Hackers need an open door into a system or network, and compromising an employee’s smartphone is an effective way to get one.
Once the hacker is inside the company system, the company has little protection left. The hacker can then freely access sensitive data or launch ransomware attacks against the company. Ransomware typically encrypts data that will only be decrypted once the ransom is paid. Once inside, the hacker can perform a whole range of activities. So it is important that your employees take steps to secure their mobiles, to prevent attacks on the company system or network. Here are a few tips on how to prevent employee smartphones from being targeted by hackers:
Tip 1: Education
Employees must be made aware that their mobile devices are an attractive entry point into the company network. Data security training should be mandatory for employees who use private or company mobile devices. The company can then set rules for individual mobile devices according to its cybersecurity needs and concerns. Whilst the threat might not be imminent, prevention is always better than cure.
Tip 2: Mobile Application Management (MAM)
There must be a strict division between private use and business use. Employees must use business applications only for business purposes. It is a good idea to manage all the applications available on the company’s smartphones and tablets; this is referred to as mobile application management (MAM).
Tip 3: Mobile Device Management (MDM)
The business owner should then manage all employee smartphones through a central administration console; this is known as mobile device management (MDM). With this tool, an administrator can roll out all necessary patches and security features at once.
Tip 4: Guest Management
Smartphones or tablets used only by guests should be restricted to a separate, secured guest network that provides limited access to the Internet. The IT department must monitor the guest network in real time so that any malware or other digital threats cannot spread to the rest of the company.
Tip 5: Tracking and Inventory
All mobile devices used by the company must be registered in an inventory. There should also be documentation (a concise summary) of each device and its current condition – manufacturer, product type, operating system, updates, installed patch level and phone number. The more information you have on record, the better prepared you are for future complications.
Tip 6: Managing Controlled Risks
When an employee wants to use their mobile device for both private and business purposes, the company must take special measures to keep it secure. There are several ways to separate the two. The first is to provide a container application such as AirWatch from VMware, Sophos Mobile Control 6.0, or a container terminal from QNAP NAS. The container app prevents sensitive data from being copied or transferred to potentially insecure private apps such as WhatsApp. If a container app is not available, put a process in place whereby the employee must obtain employer approval before installing any applications or programs.
Tip 7: If All Else Fails, Use a VPN
Make sure that all employees use an encrypted VPN when transferring and downloading data.
What Can People Do to Stay Safe?
[Figure] Source: Symantec. Distribution of Android and iOS devices running the most up-to-date version of their OS.
Many malicious applications take advantage of security holes in the mobile operating system, so one of the best ways for mobile users to keep themselves safe is to keep their operating system updated. However, staying up to date is not enough. For example, click injection abuses the Android ‘broadcast’ feature to commit lucrative ad fraud from innocent, unsuspecting devices. Interestingly, there is a great contrast between iOS and Android devices here. Symantec’s 2019 ISTR found that 78.3% of iOS devices are running the latest version of iOS, while only 23.7% of Android devices are running the latest version of Android. Any device not running the latest version of its operating system runs a higher risk of exploitation by fake applications.
Beyond keeping the operating system updated, only obtain applications from reliable sources. The Google Play and Apple App Stores have strict standards and test procedures for hosted applications, so apps from them are more likely to be safe. So where do fake apps come from? A range of sources, such as spam emails linking to app downloads; however, many fake apps also slip onto the App Store and Google Play unnoticed. Other sources are ‘cracked’ versions of paid apps, which are illegitimate by definition. Whatever the source, be vigilant before installing apps on your phone. Here are the main things to be aware of:
- How are the reviews? Is there a roughly equal number of 1-star and 5-star reviews? Chances are the 1-star reviews come from genuine users and the 5-star reviews have been paid for. This is a common practice for illegitimate or fake apps.
- Who is the developer? Does the developer seem reputable? What is the state of their previously released apps?
- Copycats. Make sure you are not downloading a copycat or imitation app; these are always a cause for concern.
- Watch out for specific reviews: if several reviews say that the app simply does nothing, or does not do what it claims, that is a huge red flag. However, more sophisticated fake apps will perform their advertised function while a hidden agenda runs in the background. Other reviews to watch for are complaints of increased advertising, ransomware or other security problems. You can filter for 1-star reviews only, to see what the common complaints are.
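The two review heuristics above (a matched 1-star/5-star split, and the complaints hidden in the 1-star reviews) can be applied mechanically to a store listing. The following is an added example, not code from the original article or any vendor tool; the rating histogram, the sample reviews and the keyword-to-category mapping are all constructed.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Complaint phrases the article calls red flags, mapped to a category
# (constructed keyword list, not from any real vendor tool).
RED_FLAG_TERMS = {
    "does nothing": "app performs no real function",
    "ads": "excessive advertising",
    "ransom": "ransomware / device lockout",
    "locked": "ransomware / device lockout",
    "battery": "hidden background activity",
    "data usage": "hidden background activity",
}

def rating_polarisation(histogram: Dict[int, int]) -> float:
    """Share of ratings at the extremes (1 or 5 stars); 0.0 for no ratings."""
    total = sum(histogram.values())
    return (histogram.get(1, 0) + histogram.get(5, 0)) / total if total else 0.0

def looks_polarised(histogram: Dict[int, int], min_extremes: float = 0.8,
                    max_skew: float = 1.5) -> bool:
    """True when 1- and 5-star counts are near-equal and dominate the curve."""
    # A genuine app usually has a skewed curve; an empty middle with matched
    # 1- and 5-star mass is the paid-five-star pattern described above.
    ones, fives = histogram.get(1, 0), histogram.get(5, 0)
    if ones == 0 or fives == 0:
        return False
    skew = max(ones, fives) / min(ones, fives)
    return rating_polarisation(histogram) >= min_extremes and skew <= max_skew

def one_star_complaints(reviews: List[Tuple[int, str]]) -> Counter:
    """Filter to 1-star reviews and count the red-flag categories each raises."""
    counts: Counter = Counter()
    for stars, text in reviews:
        if stars != 1:
            continue
        lowered = text.lower()
        counts.update({cat for term, cat in RED_FLAG_TERMS.items() if term in lowered})
    return counts

# Constructed sample listing data for a hypothetical flashlight app.
SAMPLE_HISTOGRAM = {1: 410, 2: 15, 3: 20, 4: 30, 5: 425}
SAMPLE_REVIEWS = [
    (5, "Amazing flashlight, works great!!!"),
    (1, "Does nothing, just a black screen and pop-up ads everywhere"),
    (1, "Phone got locked and it asked for a ransom to unlock"),
    (1, "Battery drains overnight, data usage went through the roof"),
    (4, "Decent, a bit slow"),
]
```

The thresholds are illustrative; on real listings the polarisation check is a prompt for a closer look, not proof on its own.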
How Can Organizations Protect Themselves?
As a start, organizations should ensure that any mobile devices employees use for work have appropriate endpoint security agents installed. They should also run a unified endpoint management (UEM) or mobile device management (MDM) platform and require managed devices for access to business resources. In essence, MDM and UEM platforms ensure that all phones on the network are kept updated. These systems also allow IT to vet applications, which prevents unsafe applications from being installed in the first place. Finally, with newer security integrations, MDM and UEM platforms can provide other capabilities, such as security and compliance checks, to confirm that the organization’s devices are in a safe state.
BYOD, or bring-your-own-device, has revolutionized mobile productivity. In its earlier stages, organizations tended to adopt a hands-off policy towards employees with BYOD phones, with no security oversight and no security apps or MDM/UEM agents installed on devices the company does not own. Now, however, we are starting to see organizations step back and recognize the risk this represents. Many are developing policies whereby employees who want to use their phones to run corporate apps or to access corporate email and other company services must allow those devices to be brought within the purview of the company security infrastructure. Ultimately, it is important for companies and their employees to work together to find a balance that enables secure mobile device usage without intruding on user privacy. It is a fairly reasonable compromise in the face of the significant risk from fake mobile apps and malware.
Final Thoughts on Fake Apps
Hackers are always looking for new ways into enterprise systems, and they will target any organization, regardless of industry. Be sure to take steps to protect your company, or yourself as an individual: avoiding problems is much easier than fixing catastrophes. Fake apps are a growing problem. Organizations have long feared that mobile could be a threat, but historically low mobile malware rates and a lack of visible mobile attacks have led to a sense of complacency. This must end. Now is the time to make sure ad fraud protection is in place so that fake mobile apps don’t affect your company.