Fake Mobile Apps
Our mobile phones are more than devices for calling or texting. Most of us can no longer live without our smartphones; they have replaced our diary, wallet, map and much more. This is made possible by applications built to meet our needs, but these applications can also make us a target for cybercrime. Malicious apps can compromise your security no matter what type of phone you have. App stores play a critical role in keeping your mobile phone secure. New apps are released all the time, and it is exciting to download them as soon as they come out. If we do not take precautions, we may expose ourselves to viruses and malware that could harm our devices. Malicious apps can launch a range of attacks, from unwanted pop-up ads to installing ransomware that demands payment to unlock your files.
Scammers will try any means necessary to trick you into installing a fake app. Criminals use emails and SMS messages that appear to come from your bank, credit card company or other brands to trick people into downloading applications that will compromise their data. Sometimes fake apps pose as security updates, and clicking on their links may also lead to your information being stolen. Review apps closely to make sure they are not fake. Look for poor grammar or spelling, and make sure the name or brand is legitimate; fake ones can look very similar to the real one. If you are unsure about the legitimacy of an app, check for contact details sourced from official websites or materials. Cybercriminals may try to fool you with fake reviews, which are often short and generic, so be sure to check out any other apps made by the developer. The more apps a developer has created, the higher the chance that the developer is the real deal.
Follow these guidelines to secure your mobile phone from fake mobile apps:
- Use only official stores, such as Apple's App Store, or Google Play for Android phones or tablets, to download apps.
- Avoid installing apps by clicking on links in emails, social media, text messages and websites that look suspicious.
- Research apps and their developers by reading the reviews.
- Use your device’s automatic update feature to install new application and operating system updates as soon as they are available.
- Read the fine print about how an app will protect your personal data. Some apps collect information such as your location and contacts.
- Look at the publish date. A fake app will have a recent publish date, while the real one will have an "updated on" date.
- Check for spelling mistakes in the title or description.
- Beware of apps that promise shopping discounts.
- Make sure you review and manage permissions for each app you download.
- Do not remove hardware restrictions (known as ‘rooting’ on Android phones and ‘jailbreaking’ on Apple phones) to install unapproved third-party apps. This makes your phone more vulnerable to malware because it reduces the built-in security protection.
- Uninstall apps when you no longer need them.
Risks behind the Apps
Once your smartphone has been compromised by a fake app, hackers can take photos using the camera and access them remotely. They can also track your location, record any passwords you enter for other accounts, and even send text messages from your phone.
High risk behavior
- Accesses device management and restricted security APIs unnecessarily.
- Accesses or requests user permissions
- Exploits operating system or zero-day vulnerabilities
- Roots or jailbreaks the device
- Steals login credentials
- Communicates with known IP addresses and domains.
Moderate risk behavior
- Reads and sends email
- Reads and sends SMS messages
- Reads and sends GPS information
- Uploads user information without permission or without notifying the user.
- Uploads the address book without notifying the user.
- Reads SMS messages and sends them off the device
- Includes SSL vulnerabilities that enable communication to be intercepted.
- Installs a boot-time startup item
What do attackers target?
- Credentials for your device, email, banking, etc.
- Personal data – name, address, location data
- Cardholder data – bank details, name, expiry date, CVV
- Access to your device – sniff your connections, steal sensitive data
Attack points of the target
- Data storage
- Key stores
- Application file system
- Application database
- Configuration files
Secure the Device: Detecting Compromised and Vulnerable Run-Time Environment
An application's security depends on device security. Jailbroken or rooted devices, or the presence of rogue applications, can represent an execution risk that may be allowed for certain enterprise apps but not for others. Mobile malware does not always rely on the device being jailbroken. However, excessive permissions granted to mobile applications by the user, often by default, can give malware and rogue applications access to basic services (e.g., SMS) used to facilitate fraudulent activities.
Secure the Data: Preventing Data Theft and Leakage
When mobile applications access enterprise data, documents and unstructured information are often stored on the device. If the device is lost, or when data is shared with non-enterprise applications, the potential for data loss is heightened.
Many enterprises are already looking into “remote wipe” capabilities to address stolen or lost devices. Mobile data encryption can be used to secure data within the application sandbox against malware and other forms of criminal access. To control application data sharing on the device, individual data elements should be encrypted and controlled.
Secure the Transaction: Controlling the Execution of High-Risk Mobile Transactions
Because mobile applications enable users to transact with enterprise services on the go, the risk tolerance for transactions will vary. For example, reading HR-related content may be deemed low risk versus the approval of a large payment to a new supplier.
Organizations should adopt an approach of risk-aware transaction execution that restricts client-side functionality based on policies that consider mobile risk factors such as device security attributes, user location, and the security of the network connection, among others.
Even when client-side transactions are allowed, enterprise applications can leverage an enterprise mobile risk engine to correlate risk factors such as IP velocity (access to the same account from two locations that are far apart over a short period), user access patterns, and data access profiles. This approach extends the enterprise’s ability to detect and respond to complex attacks that can span multiple interaction channels and seemingly unrelated security events.
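The IP velocity factor described above can be checked as follows. This is an added example, not code from the original article; the event fields, the 900 km/h speed limit and the 50 km jitter allowance are assumptions, and the sample events are constructed.

```python
import math
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # assumption: about airliner cruising speed
GEO_JITTER_KM = 50.0        # assumption: ignore small geo-IP location errors

# Constructed sample events; IPs come from documentation-only ranges.
SAMPLE_EVENTS = [
    {"account": "alice", "ip": "192.0.2.10", "lat": 17.385, "lon": 78.4867,
     "time": datetime(2024, 5, 1, 9, 0)},    # Hyderabad
    {"account": "bob", "ip": "192.0.2.20", "lat": 17.385, "lon": 78.4867,
     "time": datetime(2024, 5, 1, 9, 0)},    # Hyderabad
    {"account": "bob", "ip": "192.0.2.21", "lat": 17.4399, "lon": 78.4983,
     "time": datetime(2024, 5, 1, 9, 10)},   # a few km away: normal roaming
    {"account": "alice", "ip": "203.0.113.7", "lat": 51.5074, "lon": -0.1278,
     "time": datetime(2024, 5, 1, 9, 40)},   # London, 40 minutes later
    {"account": "carol", "ip": "192.0.2.30", "lat": 17.385, "lon": 78.4867,
     "time": datetime(2024, 5, 1, 8, 0)},    # Hyderabad
    {"account": "carol", "ip": "198.51.100.5", "lat": 51.5074, "lon": -0.1278,
     "time": datetime(2024, 5, 2, 8, 0)},    # London a day later: plausible flight
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def find_velocity_alerts(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (account, earlier_ip, later_ip, implied_kmh) for consecutive
    accesses to one account that imply faster-than-plausible travel."""
    alerts, last_seen = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        prev = last_seen.get(ev["account"])
        last_seen[ev["account"]] = ev
        if prev is None:
            continue
        km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
        if km <= GEO_JITTER_KM:
            continue
        hours = (ev["time"] - prev["time"]).total_seconds() / 3600
        kmh = km / hours if hours > 0 else math.inf   # simultaneous distant logins
        if kmh > max_kmh:
            alerts.append((ev["account"], prev["ip"], ev["ip"], kmh))
    return alerts
```

A risk engine would treat such an alert as one signal among several and, for example, require step-up authentication before a high-risk transaction rather than block the account outright.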
How to identify fake Apps
Cybercriminals and scammers count on their victims being too busy to notice anything’s amiss. Look at the WhatsApp options above. At first glance, the logos look similar and the developer’s name for each seems to be WhatsApp. But look closer and you’ll see the key differences that make the fakes stand out.
In fact, any time you are considering downloading an app, always ask yourself these questions:
- What’s the name of the developer? The name usually tells you everything. Why would Avast have an app developed by someone who is not Avast?
- Do the reviews and ratings seem suspect? Always review the reviews, both the 5-star and the 1-star ones. In general, the more reviews there are, the more likely the app is legitimate. If there are hundreds of reviews, you know that the app has stood the test of time. If there are only a few, and they are recent, they could very likely be phony reviews written by the criminal developer. In the case of the fake Avast app, ten people noted its fraudulence in the review section.
- High performance guarantee and too many promises? If the promises are odd, be cautious. The fake Avast app first insisted you had to give it a rating of five stars in order to activate it, which is a red flag in itself. But then it went on to promise that it would enter you for a chance to win an iPhone X, a device that Apple was not even selling at the time.
- Another good way to find out whether an app is fake is simply to check on the Internet. Google “Is (app name) safe to install”. If the app has a bad reputation, it will show up in the search results.
- A simple countermeasure to this problem is a mobile security app. With constant scanning and real-time updates, such an app can block fake and malicious apps from being installed on your device. It can also block infections spread via compromised websites.
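The title and developer-name questions above can be automated for a list of apps an organization cares about. This is an added example, not part of the original article; the catalogue entries, the function names and the 0.8 similarity threshold are assumptions.

```python
import difflib
import unicodedata

# Constructed reference catalogue: app title -> publisher as shown on the
# vendor's official website (names here are illustrative assumptions).
KNOWN_APPS = {
    "WhatsApp Messenger": "WhatsApp LLC",
    "Avast Antivirus": "Avast Software",
}


def normalize(text):
    """Fold case and drop spacing/punctuation so cosmetic edits cannot hide a match."""
    folded = unicodedata.normalize("NFKD", text).casefold()
    return "".join(ch for ch in folded if ch.isalnum())


def check_listing(title, developer, threshold=0.8):
    """Return (verdict, matched_title) for a store listing.

    genuine   - title and developer match a catalogue entry exactly
    lookalike - title resembles a known app but the listing is not an exact match
    unlisted  - no catalogue entry resembles the title; this check says nothing
    """
    best_score, best_title = 0.0, None
    for known_title in KNOWN_APPS:
        score = difflib.SequenceMatcher(
            None, normalize(title), normalize(known_title)).ratio()
        if score > best_score:
            best_score, best_title = score, known_title
    if best_score < threshold:
        return ("unlisted", None)
    if title == best_title and developer == KNOWN_APPS[best_title]:
        return ("genuine", best_title)
    return ("lookalike", best_title)
```

An "unlisted" verdict is not a clean bill of health; it only means the title does not imitate anything in the catalogue, so the review and permission checks still apply.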
The harmful effects from these fake apps can vary from a nonstop surge of ads to stealing money and personal information, but they all have one thing in common: they are all entirely illegal. Publishing fake apps is called “scamming”. When you download these fake apps, you are in many cases putting money in the cybercriminals’ pockets. Every click can be monetized, and the more money they make, the more resources they can use to create more fake apps, and the cycle continues.