Fake Mobile Apps: They May Be on Your Phone, But They Could Be Aiming at a Bigger Target
By Robert Arandjelovic
In today’s mobile-first world, there is an app for everything from dating to tracking your daily steps. “There’s an app for that” makes our lives easier and more convenient. There are also a number of third-party apps that can make your work life more convenient than ever before, helping you track your expenses, claim benefits, or collaborate with others. But at a time when mobile devices have become the center of many employees’ work lives, phones at work could become a growing cybersecurity threat due to the rise of fake apps.
What are fake apps?
Fake mobile apps are most often Android or iOS applications that mimic the look and/or functionality of legitimate applications, or that provide legitimate functionality while hiding other malicious functionality, in order to trick unsuspecting users into installing them. Once downloaded and installed, these applications can perform a variety of malicious actions. Some are relatively benign: they merely display annoying advertising, aimed at generating revenue. Others are much more serious: they steal information and data, or they divert payments and revenue towards illegitimate sites. And it only gets worse, as some fake apps can take over functions such as the microphone or the camera, or damage the phone itself. In the worst cases, a fake app is the delivery vehicle for an exploit or for ransomware: the attackers take control of the data on the phone (or make it accessible to themselves) and demand payment to unlock the device or to stop them from releasing your data.
What can individuals do to stay safe?
Many fake apps exploit vulnerabilities in the mobile operating system itself, so one of the best ways for mobile users to stay safe is to keep their operating systems updated. It’s as simple as that. Interestingly, there’s a huge discrepancy between iOS and Android devices in this area. Symantec’s 2019 ISTR found that 78.3% of iOS devices were running the newest iOS version, while only 23.7% of Android devices were running the newest Android versions. Any device that isn’t running the latest version of its operating system, or on Android the latest monthly security patch level, is more exposed to the exploits that fake apps use.
Once the operating system is updated, it’s important to get apps only from trusted sources. The official Google and Apple app stores have stringent standards and vetting processes for apps that they host, so these are much more likely to be safe. Even there, it is worth checking that the developer name matches the publisher you expect, since look-alike apps occasionally slip through review. So where do fake apps come from? Many people follow links in emails that invite them to download an app from a website. Others jailbreak (iOS) or root (Android) their phones in order to download paid apps for free. In both cases, the apps can come from illegitimate sources that won’t benefit from the same vetting process as those hosted on official app stores.
What can organizations do?
As a start, organizations should ensure that any mobile devices used by employees for work have appropriate endpoint security agents installed. Additionally, organizations should have a mobile device management (MDM) or unified endpoint management (UEM) platform running and ensure that every device used to access work resources is enrolled in it. In their basic forms, MDM and UEM platforms enforce that enrolled phones run updated operating systems and apps, typically by marking non-compliant devices and withholding access until they are updated. These platforms also let IT vet apps, allowing approved apps and blocking unsafe ones before they can be installed. Finally, through integrations with mobile threat defense and identity tools, MDM and UEM platforms can run posture and compliance checks (for example, detecting rooted or jailbroken devices and missing security agents) before a device is granted access to corporate resources.
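The enrollment and vetting controls described in the two paragraphs above (OS currency, approved-app catalogs, root/jailbreak and agent checks) boil down to a policy evaluated against a device inventory report. The following is an added example, not Symantec’s code or any MDM vendor’s API: a hypothetical compliance evaluator over a constructed device report. The minimum OS versions, package names and signer fingerprints are placeholders. The one design point worth noting is that the approved catalog is keyed on both the package name and the signing-certificate fingerprint, because a fake app can copy a legitimate app’s name but cannot sign with the genuine publisher’s key.

```python
from dataclasses import dataclass, field


@dataclass
class InstalledApp:
    package: str        # app identifier as reported by the device agent
    signer_sha256: str  # fingerprint of the certificate the app is signed with
    source: str         # "store" (official app store) or "sideload"


@dataclass
class DeviceReport:
    device_id: str
    platform: str                 # "android" or "ios"
    os_version: str               # dotted version string, e.g. "13.0.1"
    rooted_or_jailbroken: bool
    security_agent_present: bool
    apps: list = field(default_factory=list)


# Constructed policy values; a real deployment takes them from the MDM/UEM console.
MIN_OS = {"android": "13.0", "ios": "16.4"}

# Approved catalog: package name -> signing-certificate fingerprint of the genuine
# publisher. Placeholder fingerprints; a look-alike app cannot reproduce the signer.
APPROVED_APPS = {
    "com.example.expenses": "3f9a0c1e7b2d4a6f8e5c9d1b3a7f2e4c6d8b0a1f3e5c7d9b2a4f6e8c0d1b3a5f",
    "com.example.collab":   "9c2d4b6e8f0a1c3e5d7b9a2f4e6c8d0b1a3f5e7c9d2b4a6f8e0c1d3b5a7f9e2c",
}


def version_tuple(version):
    """'13.0.1' -> (13, 0, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def os_is_current(platform, os_version):
    return version_tuple(os_version) >= version_tuple(MIN_OS[platform])


def check_app(app):
    """Return a (severity, message) finding for one installed app, or None if it is fine."""
    expected = APPROVED_APPS.get(app.package)
    if expected is not None:
        if app.signer_sha256.lower() != expected:
            # Same package name, different signer: the hallmark of a look-alike app.
            return ("block", f"{app.package}: signer does not match approved publisher (possible fake app)")
        return None
    if app.source != "store":
        return ("block", f"{app.package}: unapproved app installed from outside the official store")
    return ("warn", f"{app.package}: not in approved catalog")


def evaluate(report):
    """Return all (severity, message) findings for a device report."""
    findings = []
    if report.rooted_or_jailbroken:
        findings.append(("block", "device is rooted or jailbroken"))
    if not report.security_agent_present:
        findings.append(("block", "endpoint security agent not installed"))
    if not os_is_current(report.platform, report.os_version):
        findings.append(("block", f"OS {report.os_version} is below minimum {MIN_OS[report.platform]}"))
    for app in report.apps:
        finding = check_app(app)
        if finding:
            findings.append(finding)
    return findings


def access_decision(report):
    """'allow' unless any finding is blocking; warnings are reported but do not deny access."""
    return "block" if any(sev == "block" for sev, _ in evaluate(report)) else "allow"


# Constructed sample inventory: a genuine app, a look-alike with the same package
# name but a different signer, and an out-of-date iOS device.
GENUINE_EXPENSES = InstalledApp("com.example.expenses", APPROVED_APPS["com.example.expenses"], "store")
LOOKALIKE_EXPENSES = InstalledApp("com.example.expenses", "00" * 32, "sideload")

SAMPLE_DEVICES = [
    DeviceReport("phone-01", "android", "14.0", False, True, [GENUINE_EXPENSES]),
    DeviceReport("phone-02", "android", "14.0", False, True, [LOOKALIKE_EXPENSES]),
    DeviceReport("phone-03", "ios", "15.7.1", False, True, []),
]

if __name__ == "__main__":
    for device in SAMPLE_DEVICES:
        print(device.device_id, access_decision(device), evaluate(device))
```

Running the script shows phone-01 allowed, phone-02 blocked for the signer mismatch, and phone-03 blocked for the old OS. In practice the report fields come from the MDM/UEM agent and the decision feeds a conditional-access rule in front of email and other corporate services.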
BYOD has revolutionized mobile productivity. In its earlier stages, organizations tended to adopt a hands-off policy towards employees’ BYOD phones: no security oversight, and no security apps or MDM/UEM agents installed on devices the company doesn’t own. Now, however, organizations are stepping back and recognizing the risk that this represents. Many are beginning to develop policies whereby employees who want to use their phones to access corporate email, run corporate apps, or access other company services must allow those phones to be brought into the purview of the corporate security infrastructure. Ultimately, it’s important for companies and their employees to work together to find a balance that enables secure mobile device usage without intruding on user privacy. It’s a pretty reasonable compromise in the face of significant risk from mobile malware and fake mobile apps.
Why is the risk greater for enterprises?
All of the risks that individuals face are amplified many times when fake apps infiltrate an enterprise. If the bad guys can access an unprotected phone, the malware on it, or the information it leaks (credentials, contacts, corporate email), can enable attackers to spread across the network, providing a route into other platforms and devices. A single compromised phone can let cybercriminals send fake emails and, even more serious, can serve as a vector into the information systems of an entire organization. Because attackers can use fake apps as a beachhead into the network, allowing malware and ransomware to spread or sensitive information to leak out, ensuring mobile devices are protected is an increasingly important enterprise mandate.
The fact that many organizations haven’t protected mobile devices as thoroughly as computers makes mobile devices particularly attractive to attackers. For instance, a phishing email, malicious URL, or attachment opened on a corporate computer has a good chance of being caught by the endpoint protection on the device, or by the security stack on the network. But a similar threat hidden within a fake app and opened on a mobile phone that has no security software installed or an out-of-date operating system has a much better chance of succeeding. And once the phone has been compromised, it’s possible to do reconnaissance and target other parts of the network. All I need to do is find something compelling about my fake app to make people want to download it.
A major threat for most organizations right now is ransomware and its ability to hold organizations’ critical information hostage. While ransomware attacks against individuals went down last year, Symantec observed that such attacks against companies increased by 12%. Additionally, mobile ransomware attacks increased by 33% in the same period, showing that attackers have recognized mobile devices as a weak link that can be used to target organizations. As a result, the use of mobile platforms as a means of attack is going to grow, and fake apps are a popular way of infecting devices.
Mobility and BYOD have represented a technological revolution, and it’s not going away. Moving forward, it’s vital that we think about security from the outset. Avoiding problems is much easier than fixing catastrophes. So, this is a call to action. Fake apps and the mobile vector are a growing problem. Organizations have long had a fear that mobile could be a threat, but low historic mobile malware rates, and the lack of attacks along that vector, have led to a sense of complacency. This must end. Now is the time to make sure protections are in place so that fake mobile apps don’t affect your company.