Cybercriminals make thousands of clones of popular Android and iPhone apps each year. These fake apps are designed from the ground up to perform malicious activities such as data theft, ID theft, account takeover, and fraud. Learning to spot and avoid fake apps is imperative to protect yourself from these dangers.
You may assume that sticking to apps listed on a legitimate app store like Google Play or Apple Apps will offer you sufficient protection. The reality is that hundreds of fake apps manage to slip through the net each year – catching people off guard and leading to potentially life-changing device takeovers.
The most dangerous fake apps appear to work like the real deal but are secretly trojans that allow hackers to send data back to a command-and-control server. These apps can allow hackers to get root access to your device, use your Facebook account, turn on your camera or microphone to spy on you and steal data or money.
Fake apps can even allow hackers to install secondary packages such as keyloggers to steal all your passwords. They may remain hidden on your device for months, slowly gathering the data they need to ruin your life.
What is a fake app?
A fake app is designed by a cybercriminal to look like its genuine counterpart. The apps are carefully cloned to perfectly impersonate the real app you need. The malicious app could be posing as Facebook, WhatsApp, Twitter, eBay – or just about anything else you can think of.
Once installed, the fake app successfully replicates the function of the genuine app. This makes it hard for the infected user to know they have been infected. It allows the hacker to gain a foothold in the victim’s device long-term while remaining undetected.
Once the fake app has been installed, it could perform any of the following tasks:
- Monitor your online activities
- Install malware
- Show annoying ads
- Steal personal information, including passwords
- Perform account takeovers
- Engage in identity theft or fraud
What kinds of apps are commonly faked?
Unfortunately, there is no hard and fast rule. Cybercriminals will happily fake any app they believe people are likely to install. Hackers understand that the more popular an app is, the more likely it is that numerous people will download it. This results in many different apps being maliciously cloned:
- Fake social media apps
- Fake shopping apps
- Fake browsers
- Fake antivirus apps
- Fake games
- Fake utilities
How do I become infected with a fake app?
The most common method for infecting people is via non-official third-party app repositories. These free app repos often offer free pirated versions of apps that prey on people looking to save a few dollars or avoid official app stores. Unfortunately, downloading apps from these websites massively increases your chances of being infected with a fake app.
Some cybercriminals even register as official developers for genuine app stores like the Apple App Store, Google Play Store, Microsoft Store, Amazon App Store, Samsung Galaxy Store, Huawei AppGallery, and LG Content Store.
Once they have successfully registered, fake app developers will upload cleverly designed fake apps that appear to be fun games, device clean-up utilities, or other useful things such as a torch app that leverages your smartphone camera’s flash.
The important thing to remember is that although Google says it checks and verifies all apps on the Google Play Store, hundreds of malicious apps still make it through the net. Leading cybersecurity firms constantly discover fake apps that have already infected thousands, if not hundreds of thousands of users. When this happens, Google responds as quickly as it can by removing those dangerous apps.
Other hackers use social engineering techniques to distribute their fake apps on popular platforms like Twitter, Instagram, Discord, and Facebook. These types of social campaigns are effective because they cause people to not only install a fake app on their device – but also to advertise the seemingly popular fake app to their friends and followers. This leads to many thousands of people becoming infected quickly.
What are the different types of fake apps?
Most fake apps fall into one of two categories: counterfeit or cloned.
Counterfeit apps
These apps are written from the ground up by cybercriminals, meaning that they have no direct relation to the original. Counterfeited apps rely on stealing the design elements and logos from the original application to make the fake app appear to be the real thing. Because counterfeit apps are completely homemade, it is possible that (when compared to the original) they could be a bit buggy, lack features, or include obvious spelling errors or other mistakes.
Cloned apps
These apps are faked by stealing the code from the original app and using it as the basis of the fake app.
Of course, the fake version will have additional malicious code injected into it. This allows the hacker to engage in nefarious activities such as spying and data theft. Some repacked apps may not necessarily be dangerous. Some are simply designed with additional adware, meaning they serve ads to create a revenue stream for the cybercriminal who cloned it.
What do fake apps do?
Cybercriminals make fake apps for a variety of criminal enterprises. Below, we have included the main applications that hackers develop fake apps for. Some are more dangerous than others. However, it is important to avoid all classes of fake apps to keep your devices running smoothly and to avoid privacy or security threats.
1. Ad bots
This is the least nefarious of all fake apps, however, it can still cause a massive headache. Fake ads that contain adware and ad bots will serve you a large number of ads. This can slow down your device, make your battery drain faster, and cause you to burn through your mobile data allowance. It will also cause frustration by making apps appear constantly not only in the primary app but potentially also in other apps and within your browser. This will turn your experience into an add-filled nightmare.
2. Botnet
Some fake apps are designed to add you to a botnet. This enrolls your device into a network of bots that work together for their criminal masters. A fake app connected to a botnet will leverage your device’s processing power and memory to carry out tasks such as mining cryptocurrencies, sending spam, or engaging in DDoS attacks. The result is a smartphone or tablet that takes ages to do anything and is constantly suffering from a drained battery.
3. Spyware
These fake apps are designed to spy on your phone. They can leverage your GPS to find out where you are, may send information about your daily movements to hackers, allow hackers to access your contacts, photos, and other personal data, monitor your web visits, and even allow hackers to look through your camera and listen through your microphone.
4. Phone call and messaging fraud
Some fake apps allow the attacker to charge phone calls and SMS messages to your smartphone bill. If you are on pay-as-you-go, all your allowance could suddenly disappear because it has been used by a hacker. However, if you have unlimited minutes and texts, then the attacker may use your minutes and texts to carry out additional criminal activities. In some cases, criminals could make premium purchases that are automatically charged to your phone bill.
5. Inappropriate content
Some fake apps are designed to provide access to inappropriate or hostile content. They could be used to spread hate speech, adult content, or other inappropriate content that makes it difficult to use your phone without being barraged with disturbing popups and links.
6. Downloaders
These fake apps don’t contain anything nefarious, which allows them to more easily get around malware detection systems. Once installed, however, they communicate with a server controlled by the hacker to download other malicious applications and packages.
7. Phishing forwarding app
These fake apps are designed to direct you to a phishing site or contain forms (including fake payment forms) that forward your information to hackers. These types of apps are there to gather your important personal data to engage in identity theft and fraud.
8. Ransomware
These fake apps lock up your system and demand a ransom payment to unlock your device. The device and all of its contents become unavailable until you provide a payment (usually in a cryptocurrency like Bitcoin) to the hacker.
9. Trojans
Trojans are malware disguised as legitimate programs or files. Trojans can usually perform a combination of nefarious activities listed above, giving hackers root access to your device to use it as if it belonged to them. The Trojan will steal your data and send it back to a command-and-control server and may install additional packages to spy on you and give hackers access to your passwords and accounts. Banking Trojans provide hackers with everything they need to empty your bank account.
How do I spot fake apps and avoid them?
Learning to spot fake apps and avoid them is vital if you want to protect yourself. Below, you will learn how to identify fake apps and what to do to avoid becoming infected.
Avoid unofficial app stores
The easiest way to avoid fake apps is to avoid third-party app stores as much as possible. While it may be tempting to download free apps, it is a good idea not to head into your phone’s settings to switch on “Allow apps from unknown sources”.
Sticking to official app repositories means you are more likely to find safe apps and don’t need to carefully check comments to see whether an app is legitimate. Remember that even if an app has positive comments on an unofficial app repository, it could have been manipulated to look that way by the hackers.
Check the app’s reviews
If you are already being sensible and sticking to official app stores like Google Play, then you are infinitely safer. However, you still need to be careful. Before downloading an app, check the reviews to see what people are saying. If an app has a low star rating – or many complaints – it is a good idea not to install that application.
Check how many times it has been downloaded
Popular apps will usually have been downloaded many hundreds of thousands if not millions of times. If an app has only been downloaded a few thousand times – or less – then this is potentially a warning sign that it is a fake app.
Remember that some fake apps go viral and are downloaded many times due to a successful social engineering campaign. So even if an app has been downloaded many times, you should still be wary and check for other signs. If in doubt check the reviews and online to see whether the app has a good reputation.
Check the app listing for spelling mistakes and grammar errors
Professional app developers will usually check that their app is listed on app stores using proper grammar without mistakes. If an app listing is badly written and has errors, this is a reason to stop and check whether the app is legitimate. Poor app listings and errors within the app itself don’t necessarily mean it is fake – but they are a reason to check online to see whether people are expressing concerns. If you are suspicious, do a quick Google search or check on Reddit to see what people are saying. If you have already installed an app that contains errors, consider removing it until you are sure it is safe.
Check the app developer’s reputation
Each app is listed by a specific developer. If a developer is independent, or new, it is vital to do some research to check whether they appear to be legitimate. We recommend you carry out a Google search for the developer’s name.
Cunning cybercriminals are known to use a similar name to that of a real developer (they may spell it with just one different letter, for example). So be sure to check the spelling of the developer’s name carefully. If you find a genuine app developer with a similar name, this is a strong sign that the app developer is trying to trick people.
Check when the app was published
If an app was published recently, but is for a service you would expect to have been around longer this can be a dead giveaway that something untoward is happening. In addition, fake apps may sometimes have hundreds or thousands of reviews despite only having been published recently. If an app has a lot of reviews – but is brand new – it is likely that these are fake comments and reviews created by a bot farm.
Check app permissions carefully
Dodgy apps usually require all sorts of permissions that aren’t needed for the app to perform its functions. If an app asks for access to your photos, contacts, GPS, or other personal information then this could be a sign that the app is malicious.
We advise that you always review app permissions when you install new apps, and if anything makes you uncomfortable, then don’t install it. For example, there have been cases of torch apps requiring access to GPS, photos, and contacts – a torch app shouldn’t need to access anything other than the camera’s flash.
Check whether the app has received updates
Legitimate app developers will continue to update and improve their apps. This includes updating the app to ensure it is secure and free of vulnerabilities. On the other hand, an app that is updated an unusual amount of times could be dodgy or suffer from many vulnerabilities. If the app updates seem suspicious, then do some additional research.
Check the logos and icons
Fake apps will clone the logos of legitimate counterparts. If the logo seems low quality or there is anything suspicious about the logo when compared to the legitimate logo, this likely means that the app is fake.
How to protect yourself from fake apps
If you have already installed a suspicious app and are experiencing symptoms such as a slow device or annoying ads, then we recommend that you remove any recently installed or unused apps. Deleting old apps that you don’t use reduces the chances that you will have dodgy apps on your device. If you do become suspicious of an app on your device follow these steps:
- Locate the app on your device and uninstall it
- Restart your phone or tablet
- Install an antivirus and scan your device for any remaining problems
- Report the fake app on Google Play or Apple Apps to protect other people
Below, we will provide additional advice designed to protect you from fake apps. By following these operational security practices you will have a much healthier and safer device:
Don’t install apps unless you are sure you need them
When it comes to app safety, the best advice is to abstain from installing them. This will massively improve your online privacy and device safety.
Some people think it is fun to scroll through app stores and install many different apps. We understand that this can seem like a fun way to pass the time. However, it is also the easiest way to end up with dodgy apps with invasive permissions, or worse yet fake apps.
The best way to keep your devices safe is to stick only to high-quality apps you need. This will cause you to install fewer apps, and reduce your exposure to risky apps.
Don’t install apps from unknown sources
Some apps require you to enter your menu and accept apps from unknown sources. If you are considering installing an app that requires this kind of permission, consider why the app is asking you to bypass your device’s security settings. Only proceed if you are 100% confident that the application is safe.
Search for apps by going to the app developer’s official site
If you already know exactly which app you want to use, head to the app developer’s official site and look for a link to its app there. This should forward you to the official app listing in Google Play or Apple App Store, which will ensure you get the latest version of the official app.
Don’t click on links in messages or emails
If you have received an email, SMS message, or social media message that encourages you to download an app, be extremely suspicious. Following links in messages is the easiest way to be forwarded to fake app listings, phishing websites, and malicious sites designed to infect you with malware.
Install an up-to-date antivirus for your mobile device
Nowadays the number of viruses and malware variants circulating online is higher than ever before. This makes it essential to use reliable security tools designed to protect your mobile devices. First and foremost, we recommend using a reputable antivirus with real-time protection.
This will constantly scan anything you download and warn you if you are attempting to install anything dangerous. It will also allow you to regularly scan for malware, spyware, ransomware, trojans, and other malicious applications.
We also recommend privacy-enhancing browser extensions, such as uBlock Origin, Privacy Badger, and No Script. Some VPNs include DNS-based blocking that stops you from visiting malicious sites.
Related: