By Jan Sysmans, Mobile App Security Evangelist at Appdome
Mobile usage in the Philippines has exploded. DataReportal, for instance, finds that cellular connections now outnumber the country’s total population of 116.5 million. Furthermore, Appdome’s survey revealed that 47.9% of Filipino mobile users spent more time on apps, compared to the global average of 41.1%.
For cybercriminals, this growth offers new targets to exploit, not least through fake apps designed to victimize people and organizations. The rise of malware-infested fake apps can compromise people’s trust in digital platforms, increasing customer churn, ruining app makers’ reputations, and putting them under the regulatory microscope. Therefore, preventing such tactics is crucial so that organizations can continue to compete in the mobile app landscape.
How fake apps are built and why some become Trojan apps
Cybercriminals often create fake apps by cloning the resources and functions of legitimate ones and then redistributing them through alternative, non-approved stores. They may then hide malicious code and malware inside the fake app and instruct that malicious code or malware to start attacking apps on the mobile device where it is installed. Just like the Greek soldiers who were able to infiltrate and attack Troy by hiding in a giant horse, this hidden malicious code acts like a Trojan by allowing a hacker to install their malware onto the mobile devices of unsuspecting victims.
Various reasons drive cybercriminals to rely on fake and Trojan apps as their favorite attack method. Some look to divert advertising and sales revenue away from legitimate apps, while others gather personal data to make users pay for services they don’t need, and some use the Trojan app to infect a device with malware and use that to launch their attacks. In the mobile game world, cheaters create modified versions (mods) of real mobile games to give themselves unfair advantages and ruin the experience for other players.
How fake apps exploit mobile devices and legitimate apps
When a fake app is opened for the first time, it may request that users grant it additional permissions before they are allowed to use it. Once this request is granted, fake apps will be able to harvest data or disrupt legitimate apps’ operations. In the case where the fake app is also a Trojan, it will be used to install malicious code or malware, allowing a hacker to launch a number of attacks. What’s worse, today’s malware can evade detection for a longer period of time, allowing attackers all the time in the world to inflict as much damage as possible.
In particular, Sharkbot is an Android-based Trojan that disguises itself as media players, live TV apps, or data recovery apps. These fake apps will bombard users with notifications, pushing them to provide access to their device’s Accessibility Service framework. Those who accept this request will inadvertently open the door to a number of attack vectors, all aimed at defrauding unsuspecting mobile banking customers.
What users can do upon discovering a fake app
Deleting the fake app is the first step for users. However, they also need to assume that the malware may still be lingering on their device. For this reason, users need to log out of all their devices and disable all app permissions to purge any traces of the malware. As an added precaution, they should reset mobile devices to factory settings and restore important files with backups.
Preventative measures are also essential to avoid fake apps finding their way onto mobile devices in the future. In particular, users should download apps only from official stores, such as the Apple App Store and Google Play (but even the official app stores have apps that are infested with malware, so always use your best judgment). Before downloading, users should first check the app’s release notes to ensure that it is equipped with the best protection features. They should also not let their friends download and install apps on their behalf, as attackers can trick users into accepting fake versions into their systems.
App makers are the first line of defense against fake and Trojan apps
Appdome’s Philippine Consumer Expectations of Mobile App Security survey is very clear. Consumers expect app makers to protect them against threats, hacks, mobile fraud, and mobile malware. And the best way for app makers to continuously protect their apps against the ever-changing threat landscape is to apply developer best practices to mobile app security and automate the process of building cyber defense in their mobile apps directly in their CI/CD pipeline. Some of the protections that app makers have to consider to prevent their app from being modified are:
- Code signature validation protects app contents from being exploited to build fake or Trojan versions once they are published on the public store. It also prevents apps from being distributed through any other stores or methods.
- Runtime bundle and file validation can block hackers from modifying legitimate bundles, files, resources, and other executables, which would otherwise make it easy to clone apps.
- A no-code mobile defense platform can help developers and security personnel become more agile and flexible when building protection measures, allowing them to adhere to agreed-upon deadlines without compromising entire workflows. This solution should be able to provide teams with greater visibility and control over their security models.
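The bundle and file validation item in the list above, sketched as an added example (not Appdome's or any other vendor's implementation): the app bundle is treated as a ZIP archive, SHA-256 digests are recorded at build time, and a later copy is checked for modified, added or removed entries. All function names, file names and sample bundles are constructed for illustration, and the check runs over the archive rather than inside a running app.

```python
import hashlib
import io
import zipfile

# Signature files change whenever an archive is re-signed, so they are
# excluded here; checking the signer is the job of code signature validation.
SIGNATURE_PREFIX = "META-INF/"


def build_manifest(bundle: bytes) -> dict:
    """Map each entry in the bundle (a ZIP archive such as an APK) to its SHA-256."""
    with zipfile.ZipFile(io.BytesIO(bundle)) as zf:
        return {
            info.filename: hashlib.sha256(zf.read(info)).hexdigest()
            for info in zf.infolist()
            if not info.is_dir() and not info.filename.startswith(SIGNATURE_PREFIX)
        }


def validate_bundle(bundle: bytes, expected: dict) -> dict:
    """Compare a bundle against the build-time manifest and report every deviation."""
    actual = build_manifest(bundle)
    return {
        "modified": sorted(n for n in expected if n in actual and actual[n] != expected[n]),
        "added": sorted(n for n in actual if n not in expected),
        "removed": sorted(n for n in expected if n not in actual),
    }


def is_intact(report: dict) -> bool:
    """True only when nothing was modified, added or removed."""
    return not any(report.values())


def make_bundle(files: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used only for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample data: a release bundle and a repackaged copy of it.
RELEASE = make_bundle({"classes.dex": b"original code", "res/layout.xml": b"<ui/>",
                       "META-INF/CERT.RSA": b"vendor signature"})
REPACKAGED = make_bundle({"classes.dex": b"original code + injected", "res/layout.xml": b"<ui/>",
                          "lib/extra.so": b"added payload", "META-INF/CERT.RSA": b"other signature"})
MANIFEST = build_manifest(RELEASE)  # produced at build time, e.g. in the CI/CD pipeline
```

A copy that was only re-signed passes this check with its contents unchanged, which is why file validation is paired with code signature validation rather than used in its place.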
Mobile apps are a central part of Filipino users’ daily lives but the threat of fake and Trojan apps can ruin their experience. These devious tactics highlight the need for robust mobile security — and the onus is on app makers to safeguard customer trust and confidence.