In a blog post published early on Monday morning, anti-virus giant Kaspersky Lab revealed that it had found two fake applications pretending to be from the company, as well as other apps pretending to be from Google, Mozilla, Netscape, Internet Explorer and Safari.
The first, bearing the name ‘Kaspersky Mobile’ (Kaspersky has no product under this name), was a paid-for application found on the Windows Phone store. That came as a surprise to the researchers, who say that scammers tend to prefer more popular application storefronts like Apple's App Store (iOS) and Google Play (Android).
The application pretends to scan for files, but a look at the screenshots shows some anomalies – most notably a bar for “heuristic analysis”.
The fact that it charged for the application would seem to indicate that the scammers are after a quick reward, and that they weren't using it to demand payments to remove “malware”, researchers concurred.
The second application was found on Google Play and went by the name of ‘Kaspersky Anti-Virus 2014’ (which, again, doesn't match one of the company's products). Its screenshot was copied from the official Kaspersky Internet Security for Android page.
However, while the name and images may look official, Kaspersky says that there are several warning signs, most notably that there is no scanner in the app, and also that the app features a “random series of statements” close to the copied company logo.
“The story of paid fake AV for mobiles started with the appearance of Virus Shield in the Google Play store,” said Roman Unuchek, senior malware analyst at Kaspersky Lab.
“Now we are seeing how one successful scam spawns numerous clones. Scammers who want to make a quick buck from inattentive users are selling dozens of fake apps, copying the design, but not the functionality of the original.”
“It is quite possible that more and more of these fake apps will start appearing. However, one thing for sure is that the security mechanisms put in place by the official stores cannot cope with these kinds of scams.”
Zscaler director of security research Michael Sutton said that the scam apps were most likely produced by hackers looking for quick and easy money.
“In the case of the fake AV products that we've seen recently, most aren't doing anything malicious, rather they're straight social engineering scams designed to make money,” Sutton told SCMagazineUK.com. “The apps don't infect the device; they're simply an effort to get the end user to pay for an otherwise free or non-existent app. In some cases the apps don't do anything at all.”
But while the applications themselves are relatively harmless, many information security professionals were scathing about the app store approval processes used by Google (with Bouncer, an automated behaviour-based scanner which simulates a given program to look for malicious behaviour), Microsoft and – to a lesser extent – Apple.
Sutton said that automated approvals look for malicious behaviour and “not vulnerable apps or social engineering scams” and added that more needed to be done to vet developers. Amar Singh, chair of the ISACA London Security Advisory Group, said that fake Android apps are commonplace, given the number of third-party application storefronts.
“Google has very little or no curation - at least in the sense that anybody can publish their app and start their own app store. I know of at least 20 different app stores where I can download an Android app - this fact alone (not considering the strength/weakness of the operating systems of Apple and Android) makes the Android market place a dream come true for scammers and malicious hackers,” he said.
“There is no doubt that, if it's not already happening, as smart devices get more powerful, smarter and way more pervasive in our lives, they are the perfect playground for the next generation of aggregated process and impact intensive attacks.”
Sutton urged users to “take note of the developer listed for a given app and go on the developer website listed within the app store”, but Singh suggested that the onus should be on the app store vendors.
“Putting the responsibility on the end user to be able to detect a fake is the wrong approach. I openly admit that people like me could be easily fooled by cleverly designed apps. Who has the time to go about checking the integrity of the app?”
TK Keanini, CTO of Lancope, agreed that the app store validation process needs to be better, but believes that Google and Microsoft will catch up with Apple in time.
“This absolutely speaks to the app stores' validation process. The weaker the process, the more malicious apps make it to consumers. People complain about the rigour of Apple's process but it works. Others will get there, like it or not.”