MORE THAN 50 APPS WERE REMOVED FROM MOBILE APP STORES IN OCTOBER 2019 HAVING BEEN FOUND TO BE SERVING MALICIOUS ADS TO MILLIONS OF USERS 18WANDERA & ESET
Ok, so there isn’t an app for this specifically, but you may have apps on your phone that are collecting data you’re not aware of and, worse still, you could have a fake version of a legitimate app on your phone and not even know it. I get it, you probably didn’t even know this was a thing, but when you think about it, it makes perfect sense that cyber criminals would target the app stores where so many developers have made a fortune since the rapid proliferation of smartphones across the globe.
Imagine the scenario, you’ve got a new phone and you didn’t have a smartphone before so you’re really looking forward to making use of the extensive app store that your it allows access to. You download some social networking apps, entertainment services, maybe some games. Then you realise that it would be really useful to have access to your bank account through your phone. You go onto the app store, have a quick search for your bank. Multiple apps come up and you pick the one that looks right and hit download. You enter the details required, go through the authentication processes and you’re about to be able to access your account right? Perhaps not. You could have downloaded a fake app which the nefarious publisher has made look legitimate through the use of clever design and correct logos and they now have all the details you inputted to do what they like with.
This scenario may sound far-fetched, but it’s actually perfectly plausible as fake banking apps have been discovered in app stores in the past. In fact, cybersecurity company ESET has done a fair amount of research in this area and in August 2018 revealed on its blog that it had discovered three fake apps for Indian banks on the Google Play Store, which were leaking credit card data. 19 Follow up research from the company, reported on over the next few months uncovered further fake banking apps for prominent banks in other countries, including Australia, New Zealand and the UK, which had been downloaded more than 1,000 times before they were removed. 20
It’s by no means just fake banking apps that pose a threat, as some criminals will build apps simply as a vehicle for malware. Just days before I wrote this chapter, ZDNet reported on a new form of Android malware called CallerSpy, which is designed to monitor calls, messages and take screenshots of a consumers’ phone. 21 This malware was apparently delivered through two different chat apps as a front. However, perhaps the most successful fake app to make it onto phones was a fake version of WhatsApp that was discovered in 2017. The app was designed to look as similar to the real app as possible (with publisher names even being very similar) and was downloaded over one million times, before it was removed from the store. According to a report on BGR, the objective of the fake app was “to trick users into clicking on third-party ads and coerce them into downloading, presumably, malicious software.” 22
As far as the two major mobile operating systems go, the problem of fake and malicious apps has been more widely documented on Android. As a result, if you’re an iPhone user you may think you’re safe, as malicious apps weren’t an issue that impacted iPhones anywhere near as much, partly because of Apple’s more stringent app review process and partly because the nature of an iPhone makes it more difficult for a virus to propagate. For example, have you ever tried to download anti-virus software for your iPhone? Well if you have an anti-virus package it will often provide cover for up to say three or five devices, but you may find that the app you have on your iPhone will not offer you the option to do a virus scan in the same way that you can on your laptop. This is because iPhone apps are only allowed to operate within their own sandbox and are not able to scan other apps and files, rendering anti-virus software ineffective and making it much harder for a virus to propagate. It has also been cited that since Apple’s app review procedure is so stringent, anti-virus software shouldn’t be necessary. However, despite it being less common on iPhone, malicious apps do get through, and a report from Threatpost in October 2019, cited 17 malicious apps which Apple had removed from the App Store, due to them containing malware. 23
Malware is certainly more prominent on open app stores (i.e. systems which do not restrict apps in their access or conduct strict reviews before approving an app for the app store). Not that the owners of these app stores aren’t taking proactive action to get rid of these malicious apps – there were many reports in early 2018 that Google had removed 700,000 malicious apps from the Google Play store in 2017 alone. However, that doesn’t really help you if you’ve already downloaded an app with malware onto your phone.
This is admittedly a minefield and it’s made even harder to navigate by the fact that you also need to be careful about the security apps you are downloading. In March 2020, Forbes wrote an article on Clean Master, “An Android Security app with 1 billion downloads… recording users’ web browsing,” which was banned from the Google Play store but “is one of Android’s most downloaded apps ever and is likely still running on millions of phones.”
At this point, I feel I’ve mentioned malware a fair amount without explaining it so let’s have a very simple definition. It is essentially a catch-all term for any software that is designed to do harm to your computer or connected devices, whether that be stealing data, logging your actions and keystrokes, or making your devices do background actions which make criminals money. Kaspersky gives a more detailed definition that is very helpful, it reads:
“MALWARE, SHORT FOR “MALICIOUS SOFTWARE,” REFERS TO A TYPE OF COMPUTER PROGRAM DESIGNED TO INFECT A LEGITIMATE USER’S COMPUTER AND INFLICT HARM ON IT IN MULTIPLE WAYS. MALWARE CAN INFECT COMPUTERS AND DEVICES IN SEVERAL WAYS AND COMES IN A NUMBER OF FORMS, JUST A FEW OF WHICH INCLUDE VIRUSES, WORMS, TROJANS, SPYWARE AND MORE. IT’S VITAL THAT ALL USERS KNOW HOW TO RECOGNIZE AND PROTECT THEMSELVES FROM MALWARE IN ALL OF ITS FORMS.” 24
However, it’s not just malware that needs to be a consideration when it comes to smartphone apps, you should also think about what other data your apps are accessing and why. Even in a sandboxed environment, apps are able to access other data on your device as long as you agree to the terms and conditions. I remember an outcry when this first became an issue around what I remember to be a torch app that required access to the contacts on your phone. Why would such a mundane app require access to this data? Think about the amount of personal data you have on your phone nowadays, it’s probably more concentrated there than on any other device you own. Wouldn’t you want to be sure you know who you’re giving access to what data and why?
Well for a start there’s location data, and this is a pretty easy one if you have an iPhone or Android phone as if you go into the settings for any app you can toggle whether it has access to your location data and the options are ‘never’ (on iPhone), ‘while using the app’ and ‘always’. Beyond that we start to get into the weeds and this is where the terms and conditions become important. I’ll give you an example you’ll likely know, especially if you live in a city in the US or Europe. That example is Uber.
In a very informative book entitled ‘Super Pumped: The Battle for Uber’ , the author, Mike Isaac explains the tactics that Uber used in data gathering for its app that caused a head on run in with senior executives at Apple. Isaac explains (Chapter 16 ) that the International Mobile Equipment Identity (IMEI) number of iPhones was important to Uber in combatting fraud, but Apple had released a version of iOS which did not allow third party access to this. This was in keeping with Apple’s very public focus on privacy of users, but this wasn’t very helpful to Uber in its battle against fraud. Isaac goes on to explain how Uber worked with a third party company to insert code into its app that would uncover the IMEI number of a user’s iPhone. This was a clear violation of Apple’s privacy policy and didn’t go down too well with the tech giant for obvious reasons.
One last point on the data that apps are accessing on your phone is in relation to those that pretty much come out of nowhere and go viral. One such example is FaceApp, which took smartphones by storm in summer 2019, by allowing you to take a photo of someone and then showing what they will look like when they’re old. This app was developed by a Russian company and in the days or weeks following its launch, the FBI described it as a possible “counterintelligence threat.” 25 Whatever your thoughts on this warning, it should make you think more about the data you’re allowing apps to access and who you’re giving this access to.
I appreciate that this may be a lot of worrying information about a device that you use multiple times a day and place your trust in for a wide variety of tasks, and for which you may not have even considered the security implications. There is however, no need to panic since there are a few things you can do to ensure you’re as secure as possible: