Home
News
You are here

Dangerous Apps: How they work and how to protect yourself

Updated: Nov 23, 2016, 4:04 AM

8comments

Dangerous Apps: How they work and how to protect yourself

Here at PhoneArena, we try to keep it positive. We love mobile technologies, so we're mostly optimistic about the industry and we try to pass that positivism to our readers. However, just like with anything else in this world, this coin has two sides.In the current piece, I will focus on the dark side of mobile apps.

And, if you'd allow me to rephrase the famous Rule 34, if it exists, hackers are already onto it. Mobile apps are no exception. Plenty of users had their devices infected with malware, their credit cards stolen or whatnot, just by installing a dodgy app from Google Play or the Apple App Store.For future convenience, I'll just call them “junk apps”, “fraud apps” or “insert-bad-word-here apps”.

What classifies as a junk app?

Now, before I talk about protecting yourself from such apps, let's get our terminology straight. What exactly do I mean when I say “junk apps”?

There are plenty of games and applications out there that are plain bad. Badly designed, badly optimized, plain stupid as an idea and so on. And while these apps are, without any doubt, annoying and useless, I'm going to leave them alone. They are not the result of malicious intent, but of lack of skill.

The apps I will talk about are the ones that have the sole purpose of tricking the user for the monetary benefit of the developer. Technically, there are two types of such apps that I know of.

An app running ads in the background, even when minimized. Image by Forensiq

The first type is the ad fraud one. Such apps are usually broken, buggy and useless. Their developers created them only so they can be installed on a user's device and forgotten afterwards. How do they work? The moment you open up the app, it starts loading ads in the background, one after another. You never see the ads, but they do load, refreshing at extremely high rates.

Forensiq, one the leading companies in ad fraud protection, conducted a study about a year ago and found out that such apps were installed on approximately 12 million devices worldwide. Affected users had both their batteries and data plans drained by the huge number of ads, reaching up to 700 different ads per hour, served in the background.

But ad fraud apps also hurt advertisers, who pay for their ads to be displayed. Instead, they are served where no one would see them and the money goes to the app developer, despite the fact that users don't actually see an ad. What happens can be explained in the following way – imagine you pay the rent of a billboard in the city center. The billboard owner takes the money, then takes the printed ad you gave them and throws it in a dumpster. Then they do the same to a hundred more advertisers, offering them the same empty billboard. Basically, they've scammed you out of your money. It's the same with background in-app ads.

The other type of junk apps is the data-stealing one. These apps are less common than the ad fraud ones, because they're harder to make and riskier if you get caught, but they do exist. The way they steal users' data varies.

Sometimes, it's through social engineering – fooling you into thinking it's a legit app or game, and asking for usernames, passwords, credit card info and so on. Such fraudulent app clones have been made for nearly all popular applications – Netflix, Pokemon Go, Overstock and many, many others.

Other times, they infect your device with malware, which automatically mines your user information from your device and sends it to its “mothership”. Or it allows third-party access to your device, which is then used by someone on the other side of the globe to break into your phone and take whatever info they want.

Typical ransomware screen (Simplocker Ransomware).

There is the ransomware type, too. It locks your phone and demands money, usually threatening with legal actions, if you don't pay up. There was one app, which scanned your Android device for illegal software (pirated music, for example), then got access to your social media profiles and locked your phone, demanding $100 dollars in 14 days, or it would post the illegal content through your social media profiles for the world to see and alert the authorities. The app specifically told you how much jail time you'd be facing for the content it “found” on your device.

And the last type of data-stealing apps is quite peculiar. Those are actually legit applications. They do work and, oftentimes, they work well. But they also gather data on the background. Such is the case with UC Browser (or was, since the latest updates made it a horrible browser too). A legit app, that people like and use, which leaks user identifiable information to third-party servers without even encrypting it first.

There are other scams on the mobile market, for sure, and even more will make their way to the Wild West of the web soon enough. Every time authorities catch one type of scam, a new one emerges, so I'm sure that hackers and scammers will find new clever ways to trick users. But for the time being, the ones described above are the most common ones you should look out for.

How to protect yourself from junk apps?

There is no easy way to be 100% sure that an app you're downloading is legit. But there are some things you can look out for prior to clicking the Install button. Not all apps exhibiting the listed traits are junk, but if a lot of the signs below are present, you should proceed with caution. If you apply some common sense too, you should be relatively safe.

The first thing to consider would be the legitimacy of the claims. Always ask yourself if it would be possible for the app to do what it claims it will do. A good example would be the numerous “color flashlights” on the Google Play store. Most smartphone flashes can't change color. They're made of a single white LED, instead of the special sets of three that are required for a multi-color LEDs. Also, there is no software support for such features in Android (as of yet). So, every app that claims it can change the color of your flash to a custom one, is quite clearly fake and suspicious. If you open up the comments of such apps, you'd see that they're also data and battery hogs. So, if you've read carefully until now, you should know that they're probably ad fraud apps.

A color flashlight app, downloaded over 50 million times.

Also, always read the description carefully. Does it make sense? Is it written in good English, or does it sound like it's been ran through Google Translate? What about the reviews? If there is a low number of them and they're all extremely positive, they might be paid for and not genuine. And if there are low star ratings, but no written reviews, it's highly likely that the developer has employed some clever, yet dodgy tactics to filter them out, like marking the unwanted reviews as spam, for example.

The permissions an app requests are the biggest giveaway. A wallpaper gallery shouldn't require access to your GPS location or call log, unless it has some fancy features that use them. A file manager shouldn't require access to your Google profile, unless it sports a Drive integration or other similar goodies, and so on. Always check the permissions you give an app, and ask yourself if they make sense, considering the app's features.

But even if you take every precaution prior to the download, you could still install a malicious app without realizing it. So, how do you catch that something's wrong?

Other than going neck-deep in debugging your device, you can tell something is not quite right by checking the data and power usage of apps. If you notice that something is draining your battery or data plan, always ask yourself if it has a reason to do so. If it doesn't, uninstall the app immediately and look for an alternative to use.

Also, make sure to keep an eye on your bank statements if you think you might have installed a fake app. If there are payments to an unknown person or account that make no sense, call your bank immediately.

Why don't Apple and Google clean up their stores?

Well, they do try. It's not like they like to have such apps in their catalog. They do have a review process for every new app or update submitted. Does the review process work? Well, sometimes.

In a lot of cases, however, it won't stop hackers and malicious apps going live on Google Play and the App Store. Just like with every other system, invented by man, you can trick the review process too. The most common way to do that would be to submit a clean app for review, and then change its content right before upload. This way, Google and Apple approve a clean app, but the developer uploads a fraudulent one.

Until recently, Apple's App Store was the safer one, due to its vigorous review process, but since legit developers started complaining about the long wait times before their apps go live, Apple lowered the bar a bit, which allowed some fake shopping apps to make their way to the App Store.

Average review times for iOS apps - down to just over a day, from about a week in one year. (appreviewtimes.com)

If you happen to stumble across a suspicious application, report it. There's no way for the teams behind the app stores to check each and every entry all the time. According to Statista, there are more than 4 million apps in Google Play and the App Store, so it would be easy for fake ones to blend in the crowd and scam people out of their money before they're taken down.

Conclusion

Junk apps are like junk emails – if you're careful and you make sure to use common sense, you would be generally safe. Unlike emails, though, there are no filters and folders on the app stores. So, do make sure to check thoroughly before you install anything. If you're not 100% certain it's clean, better look for an alternative. And if you're going to install shopping apps, always look for them on the official retailer's website and not through the search bar in your app store of choice.