7 tips for spotting fake mobile apps

You’ve just downloaded a new mobile game, cryptocurrency wallet, or fitness app, but something went wrong. Your phone screen is flooded with intrusive ads, apps don’t do what you expect, and, God forbid, you find unauthorized transactions in your bank account.

Most likely the apps you download are after your money or sensitive information. Given the large amount of data we access through our smartphones, it is not surprising that cybercriminals are targeting these devices, with threats looming mainly in third-party app stores.

According to ESET Threat Report T3 2022, the number of Android threats jumped by 57% in the last months of 2022, driven by a 163% increase in adware and an 83% growth in HiddenApps detections.

Fortunately, you can avoid malware and potentially unwanted applications (PUAs) by being careful and diligent. Our tips below will help you remotely locate potentially dodgy apps, as well as restore your phone to its original state if you download such apps.

How to recognize fake apps

Let’s say you’re looking for what you reasonably expect to be an app with hundreds of millions of users but only find one that, while it sounds like the real thing, hasn’t generated many downloads. If so, then you are most likely dealing with a bogus app.

Indeed, be careful whenever you want to download apps that are the talk of the town these days. Cybercriminals always want to support a spike in the popularity of an application or service in order to push copycat apps into the market. One recent example is a cryptic lot an app trying to ride on the ChatGPT craze and it was launched even before the official app was released.

The same goes for fake updates for legitimate and widely used apps. One such example is the odd case of WhatsApp Pink, the fake color theme for WhatsApp peddled via in-app messages in 2021.

If an app is rated as bad, you may have to grant it permission. On the other hand, the many glowing reviews that all sound pretty much the same should also raise some eyebrows. This is especially true for apps that haven’t been downloaded a million times – many of those recommendations may be the work of fake reviewers or even bots.

Something about the color or logo of the app being used just doesn’t feel right… If you have any doubts, compare the visuals to those on the service provider’s website. Malicious apps often mimic legitimate apps and use logos that are similar, but not necessarily identical.

However, don’t be lulled into a false sense of security just because you recognize the logo of a well-known bank, payment processor or cryptocurrency wallet. Some apps not only abuse legitimate service names, but are also distributed through websites that are spitting images of legitimate sites. Keep an eye on the details – a closer look, including at the URL, often reveals some prizes.

Official site on the left, impersonator on the right (Source: ESET Research)

Websites masquerading as Telegram and WhatsApp (Source: ESET Research)

• Check the “official app” claim again.

In one case documented by ESET research last year, cybercriminals distributed apps for online stores and banks that often didn’t even have apps on Google Play.

When downloading a mobile application that must be associated with a popular online service, make sure that the service actually offers such an application. If so, the official website will contain links to apps in the Google Play Store and/or Apple App Store. Number and variety of dangerous ChatGPT themed apps is a practical example.

• Check the app name and description

Legitimate app developers usually go to great lengths to avoid being seen as unprofessional. This also applies to mundane things like app descriptions – read them all to see if you can spot bad grammar or inconsistent and incomplete details. This often gives a hint that an app is not what it claims it is.

• Check the developer pedigree

Also tread carefully when dealing with apps from unknown app developers with no track record in app development. Don’t be fooled by bell-ringing names, either – makers of fraudulent apps may misuse names of legitimate and well-known entities. Double check if the developer has other apps under their name and if those apps are reputable; if in doubt, google the developer’s name.

• Look for redundant app permissions

Last but not least, stay away from apps that require excessive user permissions – that is, the kinds of privileges they don’t really need to do their job. The flashlight app requires almost no admin privileges and access to core device functionality.

7 ways to know you’ve downloaded a risky app

Here are some signs that your newly installed app may be incomplete:

• The application is not doing its job

For example, in 2018 ESET researchers analyzed a series of apps that were supposed to be security solutions, but all they did was show unwanted ads and offer pseudo-security. They just emulate basic security functionality with a very primitive security checker that relies on some trivial hardcoded rules. As a result, they often detect legitimate applications as malicious and create a false sense of security in victims.

If your new “game” turns out to be a gambling platform, something’s wrong. Check again what exactly you have downloaded.

Is the app exhibiting strange behavior, such as starting up, closing, or failing completely for no apparent reason? This is one of the most obvious signs that you may have downloaded a dodgy app.

• You incur unforeseen expenses

If you see unwanted charges on your credit card or phone bill, it could be due to an app you downloaded recently.

For example, ESET researchers looked at several apps that acted as fitness tracking devices and abused Apple’s Touch ID feature to steal money from iOS users. Once a user launches one of the apps for the first time, it requests a fingerprint scan to “see personalized calorie tracker and diet recommendations”. If the user has a credit or debit card connected directly to the Apple account, the malware will continue to steal money from the victim through fraudulent in-app payments.

Watch out for scams that involve downloading peer-to-peer (P2P) payment services and offering fictitious products and services at a discounted price. Because payments are often instantaneous and irrevocable, you may lose money by paying for something you’ll never receive.

Figure 4. A cryptic iOS app prompts users to scan their finger for fitness tracking before showing a smart checkout

• Weird messages and calls

Another sign of trouble involves malware spamming messages from your phone to your contacts (just like FluBot does). In other cases, your call history or text messages may contain unknown entries due to malware trying to make unauthorized calls or send messages to premium rate numbers.

Is your device battery draining much faster than usual? This may be due to background activity consuming device resources and may eventually indicate that your device has been infiltrated by malware.

If you experience a sudden big spike in internet data usage without any change in your browsing habits or phone usage, it could also be caused by app activity in the background.

• Random ad pop-ups and unknown apps

Malicious apps can install additional apps in the background and without your permission. The same goes for pesky adware that displays unwanted ads on your device. If you see one of these, you most likely need to act fast.

What to do next?

Once you find what you suspect to be cryptic apps, remove them or, better yet, download reputable mobile security software that will scan your device and remove the apps for you.

If you’re going the “manual” route, reset your phone to factory settings (before that, make sure your data is backed up). Or, sometimes you have to boot your device in Safe Mode and then delete the app. This video by ESET malware researcher Lukas Stefanko shows you how:

(embed)https://www.youtube.com/watch?v=dIIDh1AqUKQ(/embed)

Also, do a favor to other potential victims and report the app to the relevant app store where you downloaded the app. You can also try to claim a refund.

Going forward, if you use apps from the Google Play Store, make sure to enable them Google Play Protect scan on your device. You can also check apps that you have downloaded from outside the Google Play Store. To do so, enable “Improve malicious app detection”, which will send unknown apps to Google automatically.

7 tips to stay safe

Finally, some quick tips for staying safe while using your mobile device:

• Stick to Google Play and the Apple App Store; namely, avoid putting yourself at risk by installing apps from third-party stores.
• Do not carelessly click on links sent via social media messages or emails.
• Use two-factor authentication (2FA) on all your online accounts that offer it, especially those containing your valuable data.
• Keep your phone’s operating system and apps up to date.
• Stick to apps whose developers are constantly improving their product and fixing security vulnerabilities and performance bugs.
• Secure your device’s screen with a fairly long and complex passcode or a solid biometric feature like a fingerprint – or, ideally, a combination of the two!
• Use mobile security software.