Fake apps are one of the biggest and most dangerous cybersecurity threats facing mobile users. According to McAfee, nearly 65,000 fake apps were detected in December 2018 alone, and Google has taken down thousands of malware-ridden apps, games, antivirus and financial Trojans posing as apps from the Play store.
Many of these malicious apps have had millions of downloads worldwide, and remain a major mobile security concern on Google Play as well as the Apple App Store. In 2017, Google removed 700,000 malicious apps from the Play Store.
Google Play has put in place a variety of safeguards designed to reject potentially malicious applications. But the bad news is, with every new innovation from Google, attackers hit back with new imaginative techniques designed to con Google into accepting their submissions. Furthermore, the fake apps are getting better, and getting more downloads.
In this article, we look at what fake apps are, how they are distributed and how you can identify them.
Big companies like Facebook are able to chase down bogus apps across the internet and get them removed, but smaller businesses don’t have that luxury. For example Chingari, a short video app, has dozens of fake apps on Google Play, some of which have been downloaded up to 50,000 times. Similarly, according to the co-founder of nCore Games, the number of fake apps on the Play Store runs into pages.
What are fake apps?
A fake app is a malicious software program that mimics the look and functionality of a legitimate app, but carries a dangerous extra payload. To create a fake app, all an attacker has to do is register as a developer, download a legitimate app, decompile it and inject it with malicious code, then upload the repackaged app to the Play Store. Because the attacker does not hold the original developer’s signing key, the repackaged app is signed with a different key and published under a different package name and developer account; Android will not install it as an update over the genuine app, which is why fakes appear as separate, lookalike listings rather than replacing the real one.
The goal of fake apps is to deceive unsuspecting users into downloading them. Some fake apps are designed to rake in ad revenue by bombarding users with display advertisements.
For example in 2017, the fake WhatsApp application looked exactly like the legitimate version, and tricked more than 1 million people into downloading it before it was removed from Google Play. A fake Facebook Messenger app was downloaded over 10 million times. Fake apps and games are not to be taken lightly. Once your phone has been compromised by a fake app, attackers can steal your personal data, banking details, credit card information, infect your device with malware or harvest your login credentials.
They can also track your location, subscribe your phone to premium services, take photos using your camera and even send text messages from your phone. Avast has blogged about multiple banking Trojans disguised as apps. The problem of fake apps is compounded by the fact that roughly half of users cannot distinguish between real and counterfeit apps.
Examples of popular apps that have been faked include:
- Facebook Messenger
- WhatsApp
- Overstock.com
How are fake apps distributed?
Counterfeit apps can get onto your phone in several different ways:
Third party app stores.
Third party app stores are app stores run by someone other than the platform vendor (Apple or Google), and there are over 300 of them worldwide. Each store has its own security vetting process for the apps it allows to be listed, and some of those processes may not be up to standard.
This means there’s a higher chance that some of these third party stores might offer pirated and malicious apps that can infect your mobile device with dangerous malware like ransomware and Trojans. For example, you might be able to get a popular app at a cheaper price on some third party stores, which may sound enticing. However, that app may have been injected with malicious code that can put your security and privacy at risk.
Official app stores.
Apple App Store and Google Play are the two biggest official distribution channels where you can download apps for your iPhone or Android device. Each platform contains native apps (apps Apple built for its iOS operating system, and Google built for Android). These platforms also include third-party apps, which are any apps built by independent developers or established organisations and created to work on Apple and Android devices.
The official stores implement strict security vetting measures for apps that are submitted for approval. Developers must meet rigorous security standards and follow specific quality metrics. In fact, Google has rejected 55% of Android apps submitted to the Play Store. However, some malicious apps still slip through the cracks, and millions of malware-infected fake apps have been downloaded through the official app stores. Attackers repackage popular apps with malware and upload the result to the Play Store under their own developer accounts.
For example, a variant of an Android banking Trojan was found hidden in Solitaire and Flashlight apps. Once installed, it watched for banking apps on the phone and drew fake login overlays on top of the genuine banking apps, capturing the credentials the user typed. The malware targeted household names like Citibank, HSBC, Chase and many others.
Social engineering campaigns
Cybercriminals also use a range of social engineering tactics to trick unsuspecting users into downloading malicious apps or games that have been infected with malware. For example, they can offer knockoffs of popular apps at extremely low prices to fool users into downloading the fake apps.
How can I identify fake Android apps in the Google Play Store?
Many fake apps are almost flawless and near impossible to distinguish from the original, which is why so many users fall victim to this type of cyberattack. For example, the fake version of WhatsApp fooled over 1 million users into downloading it. If you’ve downloaded a fake app in the past and want to ensure you never do so again, you must learn to identify the characteristics that distinguish a knockoff from the original. Scammers rely on people not being meticulous enough to notice the discrepancies between fake and genuine apps. To avoid falling victim, take a few extra minutes before downloading any app.
Read on to learn how to identify bogus Android apps in the Google Play Store:
- Research the app name.
- What is the developer’s profile?
- What are people saying?
- What is the date of publication?
- How many downloads has the app had?
- Be wary of apps with big discounts.
- Check out the screenshots.
- Read the description.
- Check the permissions.
Research the app name.
Cybercriminals will often use an app name that is very similar to, but not identical with, the original, so the name is typically a variation of the original name. For example, the fake WhatsApp application used the name ‘Update WhatsApp’, which was enough to generate over 1 million downloads.
But the word ‘Update’ in the app name should have raised a red flag, because legitimate apps rarely put words like that in the app name; they simply push an update to the existing app. If the name of the app is misspelt, even slightly, you are almost certainly looking at a knockoff. Another area to look at is the app’s category. Many fake apps are filed under the wrong category. For example, a messaging app classified as “Lifestyle” should raise a major red flag.
If several apps carry the same or similar icons for the same app, that is a sign you will have to take a few minutes to identify the legitimate one. Research the app’s publisher. For example, a fake app for Overstock.com used the name Overstock Inc. as the publisher. A web search of the app and publisher names will show that the name is bogus: the legitimate app will have several links back to the original company’s website, while the fake publisher will have none.
What is the developer’s profile?
The developer’s name is placed right below the app title. Before you tap the install button, check out the developer by doing a search online. A real developer will have a professional website and other verifiable details. Take a look at their profile. Developers with tags like “Top developer” or “Editor’s choice” are highly likely to be authentic.
You can also search for the official website. If there is a discrepancy between the developer’s name on the listing and the name on the official website, you’re looking at a suspicious app. Sometimes though, this can be tricky. For example, in the case of the fake WhatsApp app, the developer’s name was identical to the official WhatsApp app except for a whitespace character added to the end of the name, which was enough to make it a different string while looking the same on screen. Lookalike Unicode characters can be used the same way, so compare the names carefully rather than by eye alone.
What are people saying?
You can find out about other people’s experiences with the app by reading the reviews. Bogus apps often come with fake reviews. However, you cannot always rely on an app’s reviews, because many users may still be enjoying the app’s features without knowing that it is malicious. In any case, if there are only a handful of reviews and they are all 5-star, that is a huge red flag, because it is not normal. You can generally spot a fake review because it lacks depth and is often very generic, with bad grammar.
What is the date of publication?
A recently published app that is already in high demand can be a warning sign that the app is bogus. Popular apps have been on the market for a long time and have gone through many updates, so their listing shows an “Updated on” date well after the original release. Most fake apps are only available for a short while in the Play Store and will not have gone through any updates, so the only date they show is a single, recent publication date. For example, the fake Overstock app had a publication date of October 26 2020.
How many downloads has the app had?
Popular apps generally have millions of downloads, but a knockoff will often have only a few thousand or a few hundred thousand. For example, the legitimate Facebook app has over 5 billion downloads, while a fake can have at most a few million. If you see an app purporting to be a popular app, the install count should tell you whether the app is real or counterfeit.
Be wary of apps with big discounts.
Cybercriminals often use big discounts to lure unsuspecting users into downloading malicious apps from unofficial and third party app stores. If you find a popular app offered at a very low price, that is a huge red flag that the app is fake. During the holidays there is always a proliferation of fake, malware-ridden Black Friday and Cyber Monday apps that borrow the brand names of top retailers. These apps are typically designed to steal login credentials or credit card details.
Check out the screenshots.
Screenshots are another place to look for red flags. Screenshots are meant to give users an idea of the app’s interface, and genuine developers use professional graphics captured from the app itself. Scammers, on the other hand, typically assemble their screenshots in image-editing software like Photoshop. The screenshots may also be stolen from the original Play Store listing to look authentic, but the fake listing will often add its own words and taglines that the original developer would not use.
Read the description.
A poorly written description is a dead giveaway. Genuine developers will use good, clear English to describe their app and its features and benefits. Descriptions for fake apps are often riddled with bad grammar and spelling mistakes or look like they were produced by a bot.
Check the permissions.
The Play Store listing shows the permissions an app declares, and the app asks for the sensitive ones at runtime. If an app asks for far more permissions than it needs for its basic functionality, consider this a red flag. For example, the photo editing app Meitu came under scrutiny when it started to access personal information such as location services, SIM card number, local IP address, etc. and send the harvested info off to servers in China. Judge each request against the app’s stated purpose: a camera app may legitimately ask for location to geotag photos, but if it requests access to your contact list or SMS messages, you’re better off deleting it, because it is likely to be bogus.
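The checks above (name variations, hidden characters in the developer name, wrong category, a handful of perfect reviews, a low install count, no update history and excess permissions) can be applied mechanically to a listing’s metadata. The following script is an added example written for this article, not code from Google or from any of the apps mentioned; the listing records it works on are constructed for illustration (the genuine and fake WhatsApp entries are loosely modelled on the 2017 case described above, with made-up numbers), and the expected permission set is an assumption about what a messaging app needs.

```python
import unicodedata
from dataclasses import dataclass

# Constructed listing record for this example; not a real Play Store data structure.
@dataclass
class Listing:
    title: str
    developer: str
    category: str
    installs: int
    rating_count: int
    avg_rating: float
    published: str      # first publication date (ISO)
    updates: int        # number of updates shipped since publication
    permissions: set    # permission groups declared on the listing


def normalize(s: str) -> str:
    """Fold lookalike characters (NFKC), drop invisible/format characters
    such as zero-width spaces, collapse whitespace and casefold, so that
    'WhatsApp Inc.' and 'WhatsApp Inc.\u00a0' compare equal."""
    s = unicodedata.normalize("NFKC", s)
    s = "".join(ch for ch in s if unicodedata.category(ch) not in ("Cf", "Cc"))
    return " ".join(s.split()).casefold()


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch near-misspellings of the genuine title."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


# Words that legitimate apps rarely put in the title (assumption for this example).
SUSPICIOUS_WORDS = {"update", "install", "download", "new"}


def triage(candidate: Listing, genuine: Listing, expected_perms: set) -> list:
    """Return (code, detail) flags for a candidate listing compared with the
    genuine listing it claims to be. An empty list means nothing looked off."""
    flags = []
    ct, gt = normalize(candidate.title), normalize(genuine.title)
    cd, gd = normalize(candidate.developer), normalize(genuine.developer)

    # Developer name: identical only after normalization means hidden whitespace
    # or lookalike characters were added to mimic the real developer.
    if cd == gd and candidate.developer != genuine.developer:
        flags.append(("developer-lookalike", "developer name differs only by invisible or lookalike characters"))
    elif cd != gd:
        flags.append(("developer-mismatch", f"developer {candidate.developer!r} is not {genuine.developer!r}"))

    # Title: genuine name plus marketing words, or a near-misspelling.
    if ct != gt:
        if gt in ct:
            extra = set(ct.replace(gt, " ").split()) & SUSPICIOUS_WORDS
            if extra:
                flags.append(("title-extra-words", f"title adds {sorted(extra)} to the genuine name"))
        elif levenshtein(ct, gt) <= 2:
            flags.append(("title-near-miss", f"{candidate.title!r} is within 2 edits of {genuine.title!r}"))

    if normalize(candidate.category) != normalize(genuine.category):
        flags.append(("category-mismatch", f"listed under {candidate.category!r}, genuine app is {genuine.category!r}"))
    if candidate.rating_count < 50 and candidate.avg_rating >= 4.9:
        flags.append(("few-perfect-reviews", f"{candidate.rating_count} reviews averaging {candidate.avg_rating}"))
    if candidate.installs < genuine.installs / 100:
        flags.append(("low-installs", f"{candidate.installs} installs vs {genuine.installs} for the genuine app"))
    if candidate.updates == 0:
        flags.append(("no-updates", f"published {candidate.published}, never updated"))
    excess = candidate.permissions - expected_perms
    if excess:
        flags.append(("excess-permissions", f"requests {sorted(excess)} beyond what a messaging app needs"))
    return flags


# Constructed sample data (numbers are illustrative, not real Play Store figures).
EXPECTED_PERMS = {"CONTACTS", "CAMERA", "MICROPHONE", "STORAGE", "PHONE"}
GENUINE = Listing("WhatsApp Messenger", "WhatsApp Inc.", "Communication",
                  1_000_000_000, 80_000_000, 4.3, "2010-05-03", 400, set(EXPECTED_PERMS))
FAKE = Listing("Update WhatsApp Messenger", "WhatsApp Inc.\u00a0", "Lifestyle",
               100_000, 30, 5.0, "2017-10-20", 0, EXPECTED_PERMS | {"SMS", "CALL_LOG"})

if __name__ == "__main__":
    for code, detail in triage(FAKE, GENUINE, EXPECTED_PERMS):
        print(f"[{code}] {detail}")
```

The developer-name check is the one that catches the trailing-whitespace trick: the raw strings differ, but after NFKC normalization and whitespace collapsing they are equal, which is exactly the signature of a name padded with an invisible character. Run against the genuine listing itself, `triage` returns no flags.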
What to do if you discover a fake app on Google Play
If you discover a fake app in the Play Store, the first thing you should do is to report it to Google and let them know the app is fake. To do this, scroll down to the bottom of the page and tap on “Flag as inappropriate”. Next, select the reason why you’re reporting the app, which would be the Copycat or impersonation option. Tap on submit, and you’re done.