1,300 Bad Apps Spoil The Bunch

If you liked it, then you should’ve put a dollar on it: words Beyoncé might sing to someone who didn’t want to pay for a mobile app and went for the free version instead. Just because an app is free, eZanga CEO Rich Kahn told CNBC, doesn’t mean users aren’t paying for it in some way.

That way is likely to be unauthorized use of your device to watch videos and click ads while you’re not using it, eZanga found. The study showed that such fraudulent ad traffic could be costing advertisers as much as $2 million to $10 million daily.

These remote-controlled, mobile IP address armies are known as botnets, and they aren’t just used to generate ghost clicks for advertisers. Mobile malware can sit invisibly on a device until it’s remotely triggered, at which point a cybercriminal can use the botnet (likely millions of devices strong) to launch a distributed denial of service (DDoS) cyberattack or hack into secure WiFi networks. Or, he could simply take over the device.

In other instances, cybercriminals are using malicious software to cheat people out of money by registering them to premium services without their knowledge. The software then sends fraudulent premium SMS messages “on their behalf,” charging their accounts for the fake services.

Google Play Store Snafu

That’s exactly what was happening to victims who downloaded one of 50 or more apps containing malicious code from the Google Play Store last month, including several photo apps like Shiny Camera and Fancy Camera, as well as animated wallpapers featuring pictures of cute animals or nature scenes.

The Independent lists all of the blacklisted apps discovered to contain mobile malware. Dubbed “ExpensiveWall,” the malware was coded in such a way that the malicious code did not appear until after the app was downloaded, helping these apps slip under the radar when they were added to the Google Play Store.

There are a lot of malicious apps out there, and they seem to be multiplying — particularly in the Google Play Store. In June, the eZanga study found 312 apps containing a software development kit (SDK) module that would generate ad traffic and play videos while the phone was “asleep.”

Within a week, that number had doubled to 750, and it soon doubled again to more than 1,300. More than 300 of those mobile apps were available from the Google Play Store. Google took down a spate of them in August, only to have new ones appear within days.

As CNBC noted, part of the reason for that is the difference in app review processes between Google’s app store and that of its prime competitor, Apple — namely, that Apple has one, and Google sort of doesn’t. Oh, apps submitted to Google Play are automatically scanned for malicious code — but Apple is meanwhile reviewing every single submission manually. Plus, Apple just introduced a whole new set of App Store rules and regulations.

Of course, the App Store’s strict review process leaves many legitimate developers frustrated too, driving many of them to list their apps in the Google Play Store instead. But that same ease of upload is exactly what attracts these fraudulent developers and their fake apps.

According to a recent report by RiskIQ, while both Apple and Google added around the same number of new apps in Q2, Google topped the list of “Blacklisted App Stores,” while Apple didn’t even make the top (or rather, bottom) 10. So, clearly it’s doing something right with that strict review process, no matter how onerous it may be.

Safety First: Tips for Responsible Downloading

The good news from RiskIQ was that blacklisted apps were down by 40 percent this quarter, which means that either app stores or consumers are getting smarter. But when one of the most trusted sources of apps is performing this poorly at weeding out the bad ones, there’s always room for more consumer education. So, here are a few tips gleaned from the report.

First, while Google Play may not have the greatest track record, users are still better off downloading apps from an established app store. Always beware of “feral apps,” which are downloaded directly from the internet rather than from a store.

There are many secondary app stores in addition to Apple’s and Google’s, but these, too, may be riskier than they’re worth. As these less-regulated stores grow in number, the report shows they’re becoming a primary source of blacklisted malicious and fraudulent apps.

Second, even while shopping in a “trustworthy” app store, practice skepticism. Don’t just click “OK” on every requested permission. Read those requests carefully. Ask whether they match up with what the app is claiming to do. If that free photo editing app says it needs access to SMS messages, don’t trust it.

Also, don’t be too quick to trust reviews or download counts. Ten million people downloaded the recent “Judy” malware embedded in Google Play Store apps. There is no safety in numbers.

Third, vet the developer (if there is one). Legitimate apps from trustworthy brands will provide equally legitimate developer email addresses. Think twice about downloading that app if the “developer” is using a free email service like Hotmail, Gmail or Yahoo. And if no developer is listed, just click away.

Finally, mobile device users should make a habit of watching their data usage and monitoring running apps. Those who are still using older devices and mobile operating systems would do well to update. Regular updates are always a good rule of thumb with any technology, since developers release patches and fixes for known vulnerabilities, and mobile OS updates can mitigate malware and lower the risk of a cyberattack, even if it has already been installed on the device.

Google is reportedly aware of the issues with its app store and is working to leverage tougher standards on submitted apps. Still, in a fast-evolving threat landscape, when is it ever a bad idea for consumers to practice extra vigilance when it comes to mobile retail?