Security correspondent Daniel Bardsley speaks to industry experts on how end-users can steer clear of malicious mobile applications.
Over the holiday season at the end of last year, countless people around the world were given new Amazon Alexa virtual assistant devices – and were keen to try them out.
Many went on to the Apple App Store to download a mobile phone app that would show them how to configure their shiny new piece of kit.
There waiting for them was a free app, “Setup for Amazon Alexa”, that sounded perfect.
Many iOS phone users downloaded the app, making it, at one point, one of the 100 most popular free apps.
However, all was not as it should have been.
Many of the thousands who gave the app a rating complained that it failed to work properly, leaving them unable to operate their precious Alexas.
What is more, some were worried that they had made themselves vulnerable to being hacked, as they had provided their device serial number, IP address and other details.
Following a flurry of complaints and multiple news stories, Apple ejected the errant app from its official store.
Android phone users too have been plagued by fraudulent apps, thousands of which have come and gone over the years.
Many are simply annoying because of the advertisements associated with them, while others create much bigger problems.
According to Dr Tom Chothia, a lecturer in Computer Science at the University of Birmingham in the United Kingdom, “by far” the majority of bad apps will either be stealing personal data from users or plaguing them with advertisements. Such apps are often “relatively low impact” in their effects.
“The vast majority of apps out there are making money advertising to people who don’t want to be advertised to. Apps that try to steal money are relatively uncommon,” he says.
Bad apps are often put into one of two categories.
One category, “potentially unwanted apps”, includes apps with aggressive advertising, says Professor Igor Muttik, CEO of the cybersecurity consultancy Cyber Curio.
Also included are tracking apps, which can be abused without the device owner’s knowledge and can report or record location data.
Another type of potentially unwanted app that Muttik highlights is one with “little regard” for personal data and that may transmit data “which no sane user would approve if they knew about it”.
“[These], essentially, monetise their victims by reselling their data (not always personal data, they may re-sell aggregated data),” explains Muttik.
A complication when it comes to potentially unwanted apps is, says Muttik, the fact that the majority of free Android apps are supported through advertisements, something facilitated by developers incorporating advertisement libraries into their apps.
With potentially unwanted apps, developers take someone else’s advertisement library and bundle it into their own app.
“Oftentimes they may even bundle several such ad libraries in an attempt to maximise profit. The developer gets some money from each shown or actioned advertisement, so they try to maximise the profits,” he says.
The second main category of bad apps is made up of “malicious apps”, which either directly steal money or attempt extortion.
Such extortion approaches include, says Muttik, using ransomware that encrypts precious photos or scares users that their private or sensitive photographs will be leaked unless they make a payment.
Only in December, media highlighted the effects of two malicious apps that took money from users by getting them to authorise a transaction without realising what was happening.
The Fitness Balance app and the Calories Tracker app encouraged users to touch the screen for what was said to be a fingerprint scan. Users would hold their finger down and, in doing so, trigger a payment because the mechanism did not require a double-click.
Fortunately, the apps were reported to Apple and removed from the App Store but, as with the Setup for Amazon Alexa app, the episode showed that even downloads available through official outlets are not always legitimate.
Indeed, Muttik says that “it is not going to be a problem” for determined attackers to place their apps in the App Store or Google Play despite the vetting that goes on beforehand. This typically includes static analysis (including checking the developer’s reputation, the app history and its similarity to other apps) and dynamic analysis (which involves running an app and observing its actions and network traffic).
Muttik says the security of Android and iOS systems is similar from a technological point of view, so the overall safety of each ecosystem reflects how it is managed by Google and Apple.
It is, he says, more expensive to register as an App Store developer, which translates to a bigger loss for an attacker when thrown out for distributing malware.
In addition, he notes that Android allows installation of apps from third-party stores, although the user has to permit this.
“For these reasons, most malware is created and distributed outside of controlled stores, as free apps for Android in third-party stores. Malware in App Store or Google Play is rarer,” he says.
Researchers such as Professor David Aspinall, a professor of software safety and security from the University of Edinburgh in the United Kingdom, are making things more difficult still for bad app developers.
“App store owners, including Google, Apple and others, work hard to keep bad applications out. Security companies and universities are developing more advanced techniques for automatically spotting bad code,” he says.
“At the University of Edinburgh, we’ve developed AI-based techniques which learn the differences in behaviour between good and bad.”
One bad app type that users should look out for, says Aspinall, is the “repackaged” version of an ordinary app.
“A repackaged app could be a spoofed version of a very popular application. But we probably don’t see it with the most popular applications, as they are subject to greater scrutiny, and automatic mechanisms watch out for spoofed versions,” he says.
“On the next tier, there may be applications that are more obscure but popular – games, for example. There have been prominent examples of games with duplicate versions in the Play Store which contain malware.”
User ratings can help to identify bad apps – but they have to be looked at carefully because fraudsters can easily give their apps multiple positive reviews.
“For that reason I always recommend to read only negative reviews and base your decisions on them alone,” says Muttik.
Muttik also advises users to pay close attention to the history of the app, such as how new it is, whether the developer has other apps and how they are rated, and the number of users.
“This diligence may feel frustrating and even a bit depressing, but it is better to be safe than sorry,” he says.
Other strategies include waiting several days or weeks after a new app is launched and then checking the feedback from others.
While there are no absolutely foolproof strategies to avoid bad apps, Chothia suggests that users who stick to well-known apps are unlikely to go wrong.
“If someone only downloads well-known apps from companies they know from official app stores, generally they’re extremely safe. If you want to download little-known apps, it’s quite hard to stay safe,” he says.
An additional precaution Muttik suggests is to install new apps on a separate “footbathing” device, such as an old mobile that has had its data wiped and links to debit or credit cards removed. The app can be run on this to test it out.
“Finally, if you are an experienced user and keen to get your hands dirty you can, of course, be more adventurous and check your firewall logs for app communication patterns that raise red flags,” says Muttik.
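As an added illustration of that last suggestion (this is example code written for this page, not a tool from the article or from any of the experts quoted), the script below reads per-app egress log lines and flags the communication patterns an experienced user might treat as red flags: one app talking to many unrelated hosts (typical of several bundled ad or tracking libraries), connections that recur at a near-fixed period (beaconing), and traffic to unusual ports. The log format, the sample lines and the thresholds are all assumptions made for the example; the sample traffic is constructed, not captured from any real app.

```python
"""Flag suspicious per-app network patterns in egress firewall logs.

Added example, not from the article. The log format is an assumption:
one line per connection, "<unix_ts> <app_id> <dest_host> <dest_port> <bytes_out>".
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log lines (not real traffic): a calculator app that
# beacons every 60 s to a series of unrelated hosts, and a news app that
# talks only to its own domains at irregular intervals.
SAMPLE_LOG = """\
1700000000 com.example.calc tracker-a.example 443 512
1700000060 com.example.calc tracker-b.example 443 498
1700000120 com.example.calc tracker-c.example 443 505
1700000180 com.example.calc ads-d.example 443 530
1700000240 com.example.calc ads-e.example 443 511
1700000300 com.example.calc ads-f.example 8080 2048
1700000005 com.example.news cdn.news.example 443 120000
1700000047 com.example.news cdn.news.example 443 95000
1700000301 com.example.news api.news.example 443 3000
"""


def parse_log(text):
    """Parse lines into (ts, app, host, port, bytes_out) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, app, host, port, nbytes = parts
        try:
            records.append((int(ts), app, host, int(port), int(nbytes)))
        except ValueError:
            continue
    return records


def analyse(records, max_hosts=4, beacon_cv=0.1, allowed_ports=(80, 443)):
    """Return {app: [reasons]} for apps whose traffic looks suspicious.

    Heuristics (thresholds are illustrative assumptions, tune for your own device):
      - fan-out:   contacts more than max_hosts distinct destination hosts
      - beaconing: at least 4 connections whose inter-connection gaps have a
                   coefficient of variation below beacon_cv (nearly fixed period)
      - odd_port:  any connection to a port outside allowed_ports
    """
    by_app = defaultdict(list)
    for rec in records:
        by_app[rec[1]].append(rec)

    findings = {}
    for app, recs in by_app.items():
        reasons = []

        hosts = {r[2] for r in recs}
        if len(hosts) > max_hosts:
            reasons.append(f"fan-out: {len(hosts)} distinct hosts")

        ts = sorted(r[0] for r in recs)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(gaps) >= 3 and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < beacon_cv:
            reasons.append(f"beaconing: ~{mean(gaps):.0f}s period over {len(recs)} connections")

        odd = sorted({r[3] for r in recs if r[3] not in allowed_ports})
        if odd:
            reasons.append(f"odd_port: {odd}")

        if reasons:
            findings[app] = reasons
    return findings


if __name__ == "__main__":
    for app, reasons in analyse(parse_log(SAMPLE_LOG)).items():
        print(app)
        for reason in reasons:
            print("  -", reason)
```

Run against the constructed sample, only the calculator app is reported (fan-out to six hosts, a steady 60-second period and a connection on port 8080), while the news app's irregular traffic to its own domains passes. A hit from any single heuristic is a prompt to look closer, not proof of malice: legitimate apps also poll on timers and use CDNs, which is why the thresholds are parameters rather than fixed rules.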