By now, you are probably aware of holiday-related malicious mobile apps, including games, especially if you shop online. In a recent analysis, Barracuda researchers found hundreds of holiday-related apps that were either outright malicious or introduced the risk of device compromise through adware, excessive permissions, or a dangerous combination of permissions.
The holiday season can lead to increases in a variety of threats. In the busy rush to get good deals, shoppers may be less conscious of who they’re buying from and more likely to miss red flags. Consumers are expected to spend $730 billion on holiday shopping this year, and cybercriminals are hoping to grab a share of that money.
While cybersecurity is always a concern, at this time of year in particular cybercriminals are looking to take advantage of distracted holiday and Christmas shoppers who let down their guard, especially those using mobile phones. Therefore, keep up your guard this holiday season by learning more about these malicious mobile apps and look-alike domain scams.
What are Malicious Mobile Apps?
Malicious Mobile Apps generally target personal information and account credentials. Granting excessive permissions can allow apps to harvest a wide variety of personal information, which can either be sold directly or stored, making it susceptible to being leaked later in the event of a data breach.
Cybercriminals continue to find new ways to capitalize on the widespread use of mobile phones, including tricking unsuspecting users into downloading malicious apps or granting permissions that go too far and create vulnerabilities.
For instance, cybercriminals trick unsuspecting victims into compromising their mobile devices by downloading malicious shopping, game and other apps. Some permissions, while potentially dangerous, can also serve as good warning signs of a malicious app.
As an example, granting the ability to read SMS messages could be leveraged to intercept multi-factor authentication tokens. Similarly, granting the ability to send SMS messages could be used to send spam or phishing campaigns from your device. Granting access to your contacts could also be used to harvest targets for spam or phishing campaigns via SMS/MMS, email, or phone.
How do you Prevent Malicious Mobile Apps?
Malicious Mobile Apps have become more challenging to detect, and even more difficult to delete from a device without causing further damage. The trend of fake apps shows no sign of slowing down either, as bad actors have become more brazen with the apps they work to imitate. From Nordstrom to Fortnite to WhatsApp, it seems no business or industry is off-limits.
Using Barracuda Advanced Threat Protection (ATP), our research team scanned and analyzed more than 4,200 Android apps related to the holiday season, including shopping apps, Santa video chat, and holiday-themed games.
Using ATP, Barracuda researchers identified hundreds of questionable apps:
- 165 apps had excessive or dangerous combinations of permissions.
- Seven apps exhibited malicious behavior, such as replacing the app with a version downloaded from the Internet via a command-and-control server.
- 35 apps contained adware, which displays more invasive and potentially malicious advertisements than standard ad-enabled apps.
Be diligent and avoid getting more than you bargained for when downloading holiday-themed apps by following these cybersecurity tips:
Enable parental controls and look before you click:
Be sure parental controls are enabled, to prevent children from installing an app before an adult has had a chance to review it and ensure it looks safe to download.
Follow standard precautions when viewing email, clicking a link, or going to a website. Check the sender and URLs in emails to be sure they are legitimate. Be sure the website address is correct in the URL bar. Look for irregularities in the layout of frequently-visited sites after clicking links to them.
Check the reputation of every application you download:
Look at user reviews (or lack thereof) and how long the app has been around. Be aware of the permissions you’re granting, especially suspicious ones that can put your personal data and contacts at risk regardless of whether the app itself is malicious.
Consider whether granting the permissions makes sense based on the nature of the app. For example, a shopping app shouldn’t generally require the ability to read or write text messages or access your phone. Likewise, most simple games shouldn’t require any permissions at all. After you’ve downloaded and installed an app, you can often block specific permissions from the settings.
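The permission check described above can be automated against an app's manifest once it has been decoded to text. The following is an added example, not code from Barracuda or the original article; the category policy, the contacts-plus-SMS combination and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
NAME = "{http://schemas.android.com/apk/res/android}name"
P = "android.permission."
# Per-permission risks named in the article.
RISKY = {
    P + "READ_SMS": "can read SMS, including MFA codes",
    P + "SEND_SMS": "can send spam or phishing SMS from the device",
    P + "READ_CONTACTS": "can harvest contacts as spam or phishing targets",
}
# Assumed encoding of the article's rule of thumb: a shopping app should not
# need SMS or phone access; a simple game should need nothing (None = any).
UNEXPECTED = {
    "shopping": {P + "READ_SMS", P + "RECEIVE_SMS", P + "SEND_SMS",
                 P + "READ_PHONE_STATE", P + "CALL_PHONE"},
    "simple_game": None,
}

def requested_permissions(manifest_xml):
    """Permission names requested by a decoded (text) AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)  # constructed input; not hardened for hostile XML
    names = (el.get(NAME) for el in root.iter("uses-permission"))
    return {n for n in names if n}

def audit(manifest_xml, category):
    """Return sorted (permission, reason) findings for an app category."""
    perms = requested_permissions(manifest_xml)
    unexpected = UNEXPECTED.get(category, set())
    findings = []
    for perm in perms:
        if perm in RISKY:
            findings.append((perm, RISKY[perm]))
        if unexpected is None or perm in unexpected:
            findings.append((perm, f"not expected for a {category} app"))
    # Assumed example of a dangerous combination: contacts plus outbound SMS.
    if {P + "READ_CONTACTS", P + "SEND_SMS"} <= perms:
        findings.append(("READ_CONTACTS+SEND_SMS", "can message every contact"))
    return sorted(findings)

# Constructed sample: manifest of a hypothetical holiday shopping app.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.holidaydeals">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

if __name__ == "__main__":
    for perm, reason in audit(SAMPLE, "shopping"):
        print(f"{perm}: {reason}")
```

For the sample, network access passes without comment while the SMS and contacts permissions are each reported, and the same manifest audited as a simple game flags every permission it requests.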
What are others saying?
When it comes to fake apps, user reviews are your ally. Breezing through a few can provide vital information as to whether an app is authentic or not, so don’t be afraid to crowdsource those insights when you can.
By the same token, double-check the app developer name, product title, and description for typos and grammatical errors. Malicious developers often spoof real developer IDs, even just by a single letter, to seem legitimate.
Shop the website directly:
Typing the URL for shopping sites, rather than using in-email links, can also be effective at avoiding fake versions of popular sites.
In most cases, clicking the link in an email isn’t required for taking advantage of sale prices and any promotional codes provided need to be entered during checkout on the website.
If you’re attempting to download a popular app like WhatsApp, but it has an inexplicably low number of downloads, that’s a fairly good indicator that an app is most likely fraudulent.
How BEC Scam Stole US$1 Million: Look-alike Domains
A Chinese venture capital firm lost US$1 million to scammers who successfully came between a deal the firm had with an Israeli startup. The business email compromise (BEC) campaign used by the attackers consisted of 32 emails and look-alike domains to convince both parties of their authenticity.
They first created two domains that spoofed the official domains of the Chinese firm and the Israeli startup. The fake domains were simply the original domain names with an added “s” at the end. The attackers then used the domains to send two emails with the same header as the original thread.
On the one sent to the Chinese firm, they used the spoofed domain of the Israeli startup and vice versa. They assumed the identities of the CEO of the Israeli startup and the manager in charge of the transactions from the Chinese firm.
Both firms replied normally to the attacker, not suspecting the changes in the email addresses. Successfully coming between the two parties gave the attackers not only visibility over the transaction but also a large degree of control. The attackers tweaked the replies of each party to suit their agenda (e.g., changing bank account details) before sending them to the intended recipient.
Defending your Business against Similar campaigns
BEC, despite being a well-known tactic against corporations, continues to cause huge losses for organizations. In August, one such scam cost the U.K.-based affiliate of heavy equipment manufacturer Caterpillar US$11 million.
In this case, the attackers had utilized spoofed domains to strengthen their assumed identities, another common technique that has been used in phishing schemes. Moving forward, BEC campaigns will involve both old and new tricks to make it harder for organizations to see through the schemes.
Trend Micro’s predictions report for 2020 foresees BEC scams involving new technologies like deepfakes that will make it harder to separate truth from deception. This is why organizations must be wary of such schemes and use best practices, especially when it comes to dealing with large sums of money.
Here are a few steps they can take to avoid similar schemes:
- Fund transfer and payment requests should always be verified, preferably through phone calls confirming the transaction.
- Look out for red flags when it comes to business transactions. For example, a change in bank account information with no prior notice.
- Employees should always scrutinize received emails for any suspicious elements — for example, the use of unusual domains or changes in email signatures.
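The check for unusual domains can be partly automated by comparing each sender's domain with the domains of known counterparties, which catches the added-"s" trick from the case above. This is an added example, not code from the original article or from Trend Micro; the trusted domains, sample headers and distance threshold are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed allowlist: domains of real counterparties (reserved .example names).
TRUSTED = {"venture-firm.example", "startup-co.example"}
MAX_DISTANCE = 2  # assumed threshold; tune to your own domain lengths

def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header):
    """Domain of the address in a From header, ignoring the display name."""
    address = parseaddr(from_header)[1]
    return address.rpartition("@")[2].lower().rstrip(".")

def classify(from_header, trusted=TRUSTED):
    """Return (verdict, trusted domain it matches or imitates, else None)."""
    domain = sender_domain(from_header)
    if domain in trusted:
        return ("trusted", domain)
    # Not an exact match: find the trusted domain it is closest to.
    scored = sorted((edit_distance(domain, good), good) for good in trusted)
    if scored and 0 < scored[0][0] <= MAX_DISTANCE:
        return ("lookalike", scored[0][1])
    return ("unknown", None)

# Constructed From headers modelled on the case above (one added "s").
SAMPLE_HEADERS = [
    "Dana Manager <dana@venture-firm.example>",
    "Startup CEO <ceo@startup-cos.example>",
    "Newsletter <news@unrelated.example>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header, "->", classify(header))
```

A "lookalike" verdict on a thread that involves payment details is a reason to confirm by phone before acting; very short trusted domains will need a lower threshold to avoid false matches.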
Enterprises can also consider using a security technology designed to fight against BEC scams, such as Writing Style DNA, which is used by Trend Micro™ Cloud App Security™ and ScanMail Suite for Microsoft Exchange™. It can help detect email impersonation tactics used in BEC and similar scams.
Basically, it uses artificial intelligence (AI) to recognize the DNA of a user’s writing style based on past emails and then compares it to suspected forgeries. The technology verifies the legitimacy of the email content writing style through a machine learning model that contains the legitimate email sender’s writing characteristics.
It seems some malicious app developers have taken the phrase “fake it ‘til you make it” to heart, and fake apps have become a rampant problem for Android and iPhone users alike. Even legitimate sources, such as Google Play and Apple’s App Store, have been infiltrated with illegitimate applications, despite their own due diligence in combating this phenomenon.
After a fake app is downloaded, cybercriminals leverage ransomware or malware through ads that run in the background of your device to do damage, making it difficult to notice something’s off.
But while you’re minding your own business, your personal data, such as usernames, photos, passwords, and credit card information, can be compromised too. Luckily, cybercriminals have yet to figure out a sure-fire way to get their fake apps onto our devices. By paying extra attention to detail, you can learn to identify a fake app before downloading it.
Finally, I hope the revised guide above was useful for your online safety. If you have additional contributions, suggestions, inputs or questions, please Contact Us and let us know how we can help you.