The Christmas season is always one of the busiest times of the year in terms of online shopping, and the methods to do so continue to evolve and expand.
According to Adobe Analytics' annual suite of online holiday retail predictions, 54% of visits to shopping sites will come from smartphones and tablets, surpassing desktop computers for the first time ever. This also translates to greater risks for mobile devices which may fall afoul of fake retail apps designed with malicious intent.
Scammers can leverage these apps to steal credit card numbers, user credentials, or other personal information through counterfeit retail transactions. This poses a significant threat to the enterprise with BYOD policies, as employees generally use one device to do many different things, including shopping online.
Sadly, this is not a new phenomena; last year the New York Times warned about fake apps purporting to be from retailers like Dollar Tree, Foot Locker, Dillard's and Nordstrom.
SEE: Mobile device computing policy (Tech Pro Research)
John Michelsen, chief technology officer at Zimperium, said that the opportunity for fraudulent activity is greater because more people are upgrading smartphones or installing new apps into their existing phone this season. Many new toys and services people might receive as gifts have companion apps required for operation, which drives hackers to create imposters of these apps.
Michelsen pointed to Pokemon Go as an example; its popularity spurred the development of fake apps which could read your data, location, and user activity and possibly sell this information to other parties.
Some users also download fake apps in an attempt to save money, Michelsen said. He used Evernote as an example; clones of this app will provide unlimited storage for free but are less reputable than the genuine app which costs $12 per month.The issue with free apps, he said, is that there has to be some cost involved to the company. Either they receive the cost directly from the user or somehow offset the cost with alternative revenue if it plans to survive. "If the revenue to support the development cost isn't coming from you at time of purchase, with ads, or in-app purchases, the fact is, they're probably making most of their money from selling your data from the back end," he stated. Such data might include user information, corporate calendars, emails, contacts, and location, all of which can be utilized to surveil a user.
We discussed the tell-tale signs of any fake apps, and Michelsen informed me that clues may not necessarily be present to the naked eye. "Some fake apps are spitting image of the actual app so it's really difficult to tell the difference," he said. Someone technically-inclined could analyze the details of an app and track down the developer to find out more about their background, he added, to look for any signs of unscrupulous activity.
A person with less knowledge of app security and development could identify fake apps using some common sense. Fake apps which already have your username but ask for your password could be imposter apps. Be on the lookout for poor spelling and grammar in the app details or description as well. (Why rely on someone's programming skills if they can't utilize simple language skills?) There are also mobile device management products such as application analysis tools which can help with the identification of fake apps, as well as mobile antivirus apps for better protection.
As the threat posed by fake apps grows, Michelsen said that companies are actually quite silent on app security and generally put the onus on the user; some companies may not have a legal right to read personal data from your personal mobile device. "International law varies on this and it is a big issue with multinational companies... it's really up to the user," he said.
Here are some other common sense tips to help increase awareness and engage in safe behavior:
- Download apps only from reputable app stores such as those maintained by Apple and Google. These organizations vet potential apps as thoroughly as they can to detect signs of malicious activity, but nevertheless some bad apples will still slip through. Nevertheless, your chances of obtaining a legitimate app remain much higher from these known sources rather than unknown.
- Be aware of popular trends and understand there is higher risk from fake apps associated with these trends, since malicious programmers will try to target as large a segment of the population as possible.
- Be wary if there are multiple versions of what seems to be the same app, particular if one version has a small number of downloads (likely fake) and the other a significantly higher number (likely legitimate).
- Check the release date on the app. An app for a popular company or service which has been around a while is not likely to have just hit the app store.
- Before you install any given app, read the reviews and search for it by name to investigate whether any complaints or reports of malware have arisen related to the app. However, be on the looking for gushing, glowing reviews which may indicate false statements, quite likely either by paid commenters or the hackers themselves.
- If you're a system administrator in charge of a mobile ecosystem using device management, consider using application whitelisting/blocking to ensure employees can only install apps necessary for their jobs, or prohibit known malicious apps from being installed.
- WhatsApp copycat fools millions; here's what that means for app security (TechRepublic)
- New 'Marcher' malware attacks Android users' banking accounts (TechRepublic)
- Malicious iOS app popup windows could be stealing your Apple ID (TechRepublic)
- New for the holidays: AR shopping experience of the future, paid for with your eyeballs (TechRepublic)
- 2017 Gift Guide: Best tech gifts for adults and teens (TechRepublic)
Scott Matteson is a senior systems administrator and freelance technical writer who also performs consulting work for small organizations. He resides in the Greater Boston area with his wife and three children.