There are more mobile apps than ever before – 2016 broke all previous records with the Apple store alone reporting it houses over 2.2 million apps, up over 20 percent from the previous year.
But where consumers go, cyber-crime follows. Just last month, the National Crime Agency, in a major report on “the cyber-threat to UK business”, warned us that “mobile malware continues to increase in both volume and sophistication”. The report identified three main concerns for consumers and businesses alike: malicious apps, fake apps, and SMS phishing, or SMishing.
As mobile increasingly becomes the first choice for internet access, it is perhaps no surprise that the report noted that “it is more likely that mobile attacks will form part of the attack chain to target consumers and organisations, for example being used as a reconnaissance tool to gain access to various user login credentials”.
Fake news for fake apps
Fake apps are one of the most common tools in the cyber-criminal armoury given their potential for credential theft. These rogue apps mimic a brand or organisation to trick users into downloading them, often with enticing “deals”. The threat is commonly understated – the widespread perception is that fake mobile apps are confined to unofficial app sources. Others mistakenly believe that iOS is near to being “safe” with Google Play being much less so. Both suppositions are only partly true; there remain plenty of risks for business and users on official platforms and beyond.
To illustrate this point, take the “real news” just before Christmas when Apple removed hundreds of apps that were spoofing famous retailers, including Jimmy Choo and Christian Dior. The US Federal Trade Commission followed this up with an official warning to American consumers about the danger of fake apps, noting that as well as taking credit or bank information some malicious apps also came loaded with ransomware.
In the UK earlier this year, a fake Super Mario app appeared on the official Android store and went on to steal information from users. Similarly, UK consumers were caught up in a global scam last year when the official US version of the Pokémon Go app was hacked before it launched elsewhere. The associated Android application package (APK) appeared on unofficial sources, modified with a Remote Access Trojan (RAT) that gave attackers full control over a victim's phone.
Legit apps can damage a brand too
Some of the risks in legitimate apps may appear more benign, but they still have potential for brand damage. For instance, in the increasingly complicated mobile advertising model, many apps include affiliate links that may mislead or confuse users. There can also be issues with a company's own apps, such as redundant, out-of-date copies left on app stores. Some are simply badly designed and open to exploitation; analyst firm Gartner estimates that more than 75 percent of mobile applications will fail basic security tests.
Digital Shadows recently introduced mobile application monitoring to identify and mitigate these risks. Within a week of the new feature going live, at just one financial services client, it identified 39 incidents of mobile applications posing a risk to the organisation. These included apps with malicious code, impersonation, and unauthorised use of the company brand. While many came from third-party app stores, some were on official stores.
Making sense of an increasingly complicated digital footprint
This is clearly just a small sample size, but it shows that we all need to do a better job of monitoring and managing mobile apps, and of identifying malicious and unsanctioned applications in both official and third-party application stores.
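As an added illustration of the triage such monitoring requires (example code written for this piece, not Digital Shadows' product or its logic), the Python below scores app-store listings against a brand profile and flags the four risk classes the article names: impersonation, unauthorised use on third-party stores, stale copies, and malicious code. The brand name, publishers, package ids, version numbers and listings are all constructed sample values.

```python
import re
from difflib import SequenceMatcher

# Constructed brand profile (example values, not a real organisation's apps).
BRAND = {
    "name": "Acme Bank",
    "developers": {"Acme Bank plc"},               # sanctioned publisher names
    "packages": {"com.acmebank.mobile": "4.2.0"},  # sanctioned package id -> current version
    "official_stores": {"Google Play", "App Store"},
}

def _norm(text):
    """Lowercase and drop non-alphanumerics: 'Acme-Bank Mobile!' -> 'acmebankmobile'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def _version_key(version):
    """'4.2.0' -> (4, 2, 0); non-numeric fragments are ignored."""
    return tuple(int(x) for x in re.findall(r"\d+", version))

def triage_listing(listing, brand=BRAND, threshold=0.8):
    """Sorted findings for one store listing; an empty list means nothing to act on."""
    findings = set()
    sanctioned_dev = listing["developer"] in brand["developers"]
    sanctioned_pkg = listing["package"] in brand["packages"]
    title, brand_name = _norm(listing["title"]), _norm(brand["name"])
    # Title contains the brand, or is a close lookalike of it (difflib ratio).
    looks_like_brand = brand_name in title or SequenceMatcher(None, title, brand_name).ratio() >= threshold
    if looks_like_brand and not sanctioned_dev:
        findings.add("impersonation")       # brand name used by a publisher we do not recognise
    if sanctioned_pkg and listing["store"] not in brand["official_stores"]:
        findings.add("unsanctioned_store")  # our own package re-hosted on a third-party store
    if sanctioned_pkg and _version_key(listing["version"]) < _version_key(brand["packages"][listing["package"]]):
        findings.add("stale_copy")          # redundant, out-of-date copy still downloadable
    if listing.get("flagged_malicious"):
        findings.add("malicious_code")      # verdict carried over from an upstream malware scan
    return sorted(findings)

# Constructed sample listings, shaped like records from a store-monitoring feed.
SAMPLE_LISTINGS = [
    {"title": "Acme Bank Mobile", "developer": "Acme Bank plc", "package": "com.acmebank.mobile",
     "version": "4.2.0", "store": "Google Play"},
    {"title": "AcmeBank - Christmas Deals", "developer": "Dealz Apps Ltd", "package": "com.dealz.acme",
     "version": "1.0", "store": "Google Play"},
    {"title": "Acme Bank Mobile", "developer": "Acme Bank plc", "package": "com.acmebank.mobile",
     "version": "3.9.1", "store": "FreeAPK Mirror", "flagged_malicious": True},
]

def run_triage(listings=SAMPLE_LISTINGS):
    """Map (title, store) to findings, keeping only the listings that need action."""
    return {(it["title"], it["store"]): f for it in listings if (f := triage_listing(it))}
```

The similarity threshold and the allow-lists are the tuning points: a lookalike title that a human would not confuse with the brand can still score above 0.8, so findings are a queue for review, not an automatic takedown.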
Mobile is no longer a niche or isolated part of an organisation's digital footprint. Firms must be made aware of any apps that could be impersonating or spoofing their brand – they have a responsibility to not only protect their consumers but also their own reputation. Our digital footprint continues to expand and become ever more complicated. Cyber-criminals thrive on this complexity.
In the last year we have seen mobile web usage overtake desktop for the first time. As the consumer predilection for all things mobile increases, cyber-criminals will only apply more resources and effort to exploiting the channel. To get ahead of them and mitigate the threat, we need to look at the entire digital footprint we have and get on the front foot to protect our organisations and customers.
Contributed by Michael Marriott, research analyst, Digital Shadows
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.