Fake Applications: Why mobile users can’t judge a book by its cover. (Social Engineering Ep. 2)

The second post from our series on the different mobile security aspects of social engineering covers another major threat, Fake Applications. Fake apps owes much of its success to users’ susceptibility to pressure, repetition and other methods of social engineering.

For our first entry on mobile social engineering – malvertisements – click here.

Fake apps have proven to be one the most significant methods of distributing mobile malware. Attackers can create carbon copies of the entire app, copy the app’s icon or even just attach malware to the legitimate version of the app. Either way, the apps appear to be legitimate, with relevant screenshots, descriptions, user reviews, and videos.

Ultimately, the users never get the app they want, but instead receive one of the many malicious payloads that exist today – starting with a subscription to an expensive SMS service and finishing with a mobile Remote Access Trojan (mRAT)

How Does a Fake App Campaign Work?
Step 1: The user is lured to download the fake app. Malware authors often set up fake websites advertising the fake version of the app. Many of these are shared on rogue websites, but many are also shared on fake Facebook and Twitter accounts that target legitimate users on social networks.

Step 2: Upon installation, the malware often displays a service agreement that the user is required to accept before they can use the app. In other cases, they’ll need to grant the app permissions to access and edit files the real app wouldn’t normally deal with or download an additional file that has nothing to do with the app. Either way, whether the victim realises it or not, they’re getting more (or less) than they bargained with.

Fake Apps vs. App Stores and Market Places

• Official app stores: Thousands of apps are submitted daily to Apple’s App Store, the official Windows Phone store and the Google Play store. All perform security checks before accepting an app but attackers are beginning to learn how to bypass these tests. Essentially, either by inserting code that isn’t actually malicious but will import a malicious payload at a later date (via a malicious ad network for instance) or by using advanced methods of obfuscation – an app can pass many of the security tests performed.
• 3rd party marketplaces. Third party marketplaces, especially in eastern Europe and in Asia Pacific do not scan the apps and fake apps tend to thrive in these markets.

Examples of dangerous Fake Apps:

• Fake Flash Player apps (Backflash Crosate):
  A wave of fake versions of the popular media player from Adobe implement two types of social engineering:
  1. In most cases, once the app is installed, it will either act as an mRAT or sign the victim up to a premium SMS service. The app simply displays an icon with the letter F on a red background (almost identical to the real icon), so most users just ignore it.
  2. In some isolated cases, the app wasn’t malicious and only demanded $5-10 (the official app is free) before disappearing into thin air.

   

  Now that Adobe have incorporated Flash’s functionality into Adobe AIR, it’s no longer available on the Google Play store. Most people have no idea that the app shouldn’t be there in the first place – something attackers are taking full advantage of. As long as the app looks legitimate enough, people will download it.

   

  

• KAGECOIN
  A new Android malware family was recently discovered as having cryptocurrency mining capabilities. Initial analysis shows that it is being distributed within repackaged copies of popular apps such as Football Manager Handheld, TuneIn Radio and Songs. The malware is involved in the mining for various digital currencies, including Bitcoin, Litecoin, and Dogecoin.

  This has real consequences for users: shorter battery life, increased wear and tear, all of which could lead to a shorter device lifespan.

  Hidden both outside and within the Google Play store, the apps that included KageCoin have been downloaded over a million times.

  The apps had been configured so that the mining software would only kick in when the phone was being charged, meaning users can’t spot the obvious battery drain immediately.
  

• Android Express’s Play / Android Express
  Taking fake apps to the next level, this is one of the first examples of a fake app market place – a fake app store named first Android Express’s Play and then Android Express. A fake Google Play site is twice as dangerous than just a single fake app.

  Targeting users in Japan, the fake market’s website claimed that it was run by Google. It sent out malware-ridden emails that look like a newsletter advertising Android apps. It also housed a long list of non-existing apps ranging from a spam blocker, a TV viewer for phones that do not have a TV function, a database for recipes from famous chefs, and a battery discharger app.
  Attempting to download any of the nine apps lead to the same malicious app called Android 専用端末アプ.

  Once the malicious app was executed, an mRAT began to collect personal information, including the device’s phone number and the names and email addresses stored in Contacts, before uploading the data to a remote C&C server.

• Virus Shield
  An app that briefly shot to the top of the charts on Google Play, is nothing but a complete fake. The app includes almost no functionality whatsoever, yet it was briefly a the most downloaded app on Google Play this week. The fact that this wasn’t a free app, but cost 3.99$ shows how effective a social engineering scam it was. “Virus Shield” simply changed a red “X” into a red checkmark, leading users to believe their phones were safe.

  “Virus Shield” claimed that it protected Android smartphone users from viruses, malware and spyware, and that it even improved the speed of phones. It advertised its minimal impact on battery life and its additional functionality as an ad blocker. At only $3.99, “Virus Shield” sounded like a good deal to the tens of thousands of people who downloaded it in less than two weeks.

Fake Apps on other Mobile Platforms

The above examples were all Android based attacks. iOS and Windows Phone are also as susceptible to similar attacks. Both OSs have recently been plagued by similar issues :

Windows Phone

app store has suffered a substantial security lapse. A group of fake apps were only removed a few days ago after cheating thousands of users and demanding a fee for apps that weren’t real.

These weren’t just any apps, but fake versions of several of the most popular mobile apps :

1. Hangouts 2. Google Voice 3. Gmail app 4. Google Search 5. Google+ 6. Google Maps.

iOS

users are also having to deal with fake apps – despite Apple’s app store claiming total security. Members of the Tor anonymity service discovered that a Tor iOS app – “Tor Browser” available in the App Store since November 2013 was a fake and was ridden with adware and malware that collected user data.

The app managed to survive on the app store for around 4 months before finally being removed.

Fake aps pose a significant threat to both private and enterprise devices. We’ll talk about another closely related issue, Impersonation & Scareware, next week.