Smartphones are motivating targets for cybercriminals. Mobile devices today hold personal and monetizable data such as login credentials, financial information and company secrets — not to mention spy-friendly sensors such as microphones, cameras and location electronics.

Unsavory actors gain access to phones through breaches, physical access to the device or, increasingly, by hiding code in mobile apps that “phones home” and sends target data back to the perpetrator. This method is especially attractive for criminals because users are in control of app installations and physically carry phones right inside company firewalls.

How to Recognize App Fraud

Malicious exfiltration often originates in fraudulent apps. The Slovakian cybersecurity company ESET recently discovered six fake banking apps on the Google Play store, according to Reuters. The developers spoofed banking apps from financial institutions across multiple countries and stole credit card details and login credentials.

Trustlook Labs also discovered an Android Trojan hidden inside an app called Cloud Module, which obfuscates its existence to evade detection. The app stealthily steals data from mobile messaging apps, including Facebook Messenger, Twitter, Viber and Skype.

Fraudulent apps are often found in legitimate app stores, but an entire fraudulent app store recently emerged, according to Talos Intelligence. Called Google Play Market, the app was designed to mimic the actual Google Play Store. It tries to trick users into granting it administrator privileges and access to settings, passwords and contacts.

Second-Guess the Popular Mobile Apps

According to GuardianApp, researchers discovered a series of legitimate and even popular apps extracting data. The No. 1 mapping app for finding gas prices, which claims 70 million users, and the No. 2 weather app were among the apps that contained the exfiltration code.

At least two dozen of these iOS apps were sharing location data (GPS, Wi-Fi and Bluetooth location) with companies that sell location information without the knowledge or permission of users. Some apps also shared other data, including browser histories, accelerometer data, cellular network name, GPS altitude and speed, and other data.

The firms selling the data are reportedly paying developers to install code that collects information, which they often say is used in an aggregated and anonymized form for market research services. To the app developers, it’s a way to monetize their apps. Many of these apps have even explicitly said location data will not be shared.

Understand the Threat

Far too often, these apps escape scrutiny because they sound so harmless, but it could be dangerous to underestimate their damage. Let’s say, for example, that an exfiltration app harvests only anonymized location data. What could be the harm in that?

A popular app could be used by dozens, hundreds or even thousands of users within one organization. By analyzing the location data, it would be easy to discover that some number of victims work at a specific company, because many of them spend their days in the company building.

All those users could fall victim to phishing attacks designed to target employees of that company. Further, those anonymous users at that company could be scrutinized based on where they live, which employees spend time together, what their hobbies are, whether they have children, where they shop and other data, based purely on where they go and when.

When personal information is used to construct victim profiles, phishing attacks can be far more effective. For example, let’s say 20 people at a company are found to be the parents of kids at a specific school. Scammers could blast the entire company email roster with an urgent message that sounds personalized because it specifically mentions both the company and the school, and maybe even the principal of the school. Although a generic phishing attack will likely have a relatively low success rate, a small number of those parents are sure to be duped, if only for a second. But that’s all it takes; once clicked, the payload is delivered and the damage begins.

Why You Should Invest in UEM and User Education

Although all of the malicious apps mentioned above have been removed from their app stores, as with most security threats, they were discovered only long after the damage was done. Two key actions are required to head off future risk from exfiltration apps.

First, adopt a unified endpoint management (UEM) solution that leverages artificial intelligence to spot anomalous and potentially malicious patterns. This should provide a safety net when human judgment fails.

Next, educate employees on how to spot apps that may contain exfiltration code to get ahead of human error. Data thieves are counting on user ignorance. In your training, be sure to include the following mobile security tips:

  • Discourage anyone in the organization from installing obscure apps, since they are more likely to escape app store scrutiny.
  • Avoid apps that are highly rated but have a small number of downloads, since fake accounts and bots can be used to inflate ratings.
  • Fake apps often have similar logos to the ones they’re imitating, but can contain typos in the descriptions and other telltale signs.
  • Always check the “Details” under app permissions before installation to see what permissions will be requested.
  • User agreements can sometimes reveal nefarious intent. If the end user license agreement (EULA) for a flashlight app asserts the right to use location and other irrelevant data, be suspicious.
  • Finally, do a search on the web for the name of the app you intend to download to see what other users and organizations are saying about it.
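The permission and EULA checks in the list above can be turned into a simple review step when an organization vets an app before approving it. The following Python script is an added example, not code from the original article: it reads a decoded AndroidManifest.xml, lists the permissions the app requests, and flags any that fall outside what an app of the stated purpose plausibly needs, with a separate flag for those Android treats as dangerous (runtime) permissions. The manifest is constructed for illustration, and the purpose-to-permission allow-lists are this example's own assumptions, not an Android or Google Play standard.

```python
"""Flag manifest permissions that do not fit an app's stated purpose.

Added example (not from the original article). SAMPLE_MANIFEST is a
constructed manifest for a hypothetical flashlight app, and EXPECTED is
this example's own assumption about what each kind of app should need.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed: a "flashlight" app that asks for far more than a torch needs.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.FLASHLIGHT"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""

# Real Android permission names in the "dangerous" protection level; these
# gate access to sensors and personal data and are the ones worth scrutiny.
DANGEROUS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_CALENDAR",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.BODY_SENSORS",
}

# Assumed allow-lists: what an app of each purpose plausibly needs. Older
# flashlight apps drove the LED through the camera API, hence CAMERA.
EXPECTED = {
    "flashlight": {"android.permission.CAMERA", "android.permission.FLASHLIGHT"},
    "weather": {"android.permission.INTERNET",
                "android.permission.ACCESS_COARSE_LOCATION"},
}


def parse_permissions(manifest_xml: str) -> list:
    """Return every <uses-permission android:name=...> value in the manifest."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return [el.get(name_attr) for el in root.iter("uses-permission")
            if el.get(name_attr)]


def audit(manifest_xml: str, purpose: str) -> dict:
    """Compare requested permissions with the allow-list for `purpose`.

    Returns the full request list, everything outside the allow-list, and
    the subset of those that are dangerous permissions (the real red flags).
    """
    if purpose not in EXPECTED:
        raise ValueError("no allow-list for purpose %r" % purpose)
    requested = parse_permissions(manifest_xml)
    unexpected = sorted(p for p in requested if p not in EXPECTED[purpose])
    sensitive = [p for p in unexpected if p in DANGEROUS]
    return {"requested": requested, "unexpected": unexpected,
            "sensitive_unexpected": sensitive}


if __name__ == "__main__":
    result = audit(SAMPLE_MANIFEST, "flashlight")
    for perm in result["sensitive_unexpected"]:
        print("REVIEW: flashlight app requests", perm)
```

Run against the constructed manifest, the audit reports ACCESS_FINE_LOCATION, READ_CONTACTS and RECORD_AUDIO as dangerous permissions a flashlight has no business requesting, while INTERNET is listed as unexpected but not sensitive on its own. In practice the allow-lists would be maintained per app category by the team approving apps, and the manifest comes from whatever APK decoding tool the team already uses; the store's "Details" view shows the same permission groups to end users.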

The arms race between threat actors and enterprise security professionals will continue, and it’s an uneven playing field. A malicious actor only needs to find one innovative way inside the organization. A security professional needs to guard against all possible attacks.

We can’t know exactly where the next attack will come from — but we do know that smartphone apps are among the best ways to smuggle payloads into an organization. As these threats proliferate, organizations will need to learn how to recognize app fraud on the fly and proactively defend against malicious applications to keep their data, employees and customers safe.
