Australian researchers have found more than 2000 potentially fake apps on Google Play that hackers are using as trojan horses to steal personal information from users.
The fake apps impersonate popular apps for everything from photo editing to personal finance tracking and exercise monitors and contain malware that could lead to identity theft.
Five researchers from the University of Sydney and the CSIRO’s data and digital specialist arm, Data61, spent two years analysing more than a million Google Play apps as part of a two-year cyber security project, and discovered 2,040 potential counterfeit apps.
While that seems like a small proportion of the total, the fact that the most commonly counterfeited apps included popular games such as Temple Run, Free Flow and Hill Climb Racing makes the potential impact far more damaging. The study also found that several counterfeit apps request dangerous data access permissions despite not containing any known malware.
School of Computer Science academic and cybersecurity expert Dr Suranga Seneviratne said Google Play’s open app ecosystem meant the the barrier to entry was low, making it relatively easy for fake apps to infiltrate the market. The Google Play Store hosts more than 2.6 million applications.
“Many fake apps appear innocent and legitimate — smartphone users can easily fall victim to app impersonations and even a tech-savvy user may struggle to detect them before installation,” he said.
“While Google Play’s success is marked on its flexibility and customisable features that allow almost anyone to build an app, there have been a number of problematic apps that have slipped through the cracks and have bypassed automated vetting processes.
“Our society is increasingly reliant on smartphone technology so it’s important that we build solutions to quickly detect and contain malicious apps before affecting a wider population of smartphone users.”
The paper, A multi-modal neural embeddings approach for detecting mobile counterfeit apps, was co-authored by Jathushan Rajasegaran, Naveen Karunanayake, Dr Ashanie Gunathillake, Dr Suranga Seneviratne and Dr. Guillaume Jourjon and was published in the Proceedings of The World Wide Web Conference 2019.
In the wake of the findings from the research team, Dr Seneviratne released the following tips on how to avoid being hacked by counterfeit apps
Do your homework
If you want to try out a new app, find out which platforms and countries it has officially been released in. Counterfeiters may target countries or platforms where some popular apps are yet to be released.
Be mindful of cross app market counterfeits
One common trap that you might fall into is downloading an app on Google Play that has only been released on the Apple Store. Always check to see if an app has been released on both platforms before downloading.
Read the app description and check metadata
Read the app description carefully and check the available metadata, such as the developer information, number of downloads, release date, and user reviews before any installation. For example, a Facebook app with only 100,000 downloads would be an immediate red flag as the authentic Facebook app would instead have billions of downloads.
Stick to official app stores
Do not install apps from non-official app stores or just by searching online.
Carefully check the permissions requested by the app
One possible way to understand an app’s behaviour is by understanding the permissions requested by apps. See whether the permission requests make sense by asking questions like, “does this app really need to access my SMS”?
Regularly update your operating system and remove any apps you no longer use
It’s crucial that you keep your operating system up-to-date so that even if you do accidentally install a malicious app, it will not be able to bypass your smartphone’s security system.
About the research
The research has been partially funded by the 2017 Google Faculty Rewards grant, the 2018 NSW Cyber Security Network’s Pilot Grant Program, and the Next Generation Technologies Program. The authors would like to thank VirusTotal for kindly providing access to the private API that was used for the malware analysis in this paper.