Threat Spotlight: Malicious Mobile Apps
Keep up your guard this holiday season. Consumers are expected to spend $730 billion on holiday shopping this year, and cybercriminals are hoping to grab a share of that money. While cybersecurity is always a concern, at this time of year in particular, cybercriminals are looking to take advantage of distracted shoppers who let down their guard, especially those using mobile phones. The holidays can lead to increases in a variety of threats; in the busy rush to get good deals, shoppers may be less conscious of who they’re buying from and more likely to miss red flags.
Along those lines, beware of malicious shopping and holiday-related apps, including games. In a recent analysis, Barracuda researchers found hundreds of holiday-related apps that were either outright malicious or introduced the risk of device compromise through adware, excessive permissions, or a dangerous combination of permissions.
Here’s a closer look at the malicious and risky holiday-related apps that were examined, along with tips to protect against them.
Malicious mobile apps — Cybercriminals trick unsuspecting victims into compromising their mobile devices by downloading shopping, game and other apps that are malicious.
Cybercriminals continue to find new ways to capitalize on the widespread use of mobile phones, including tricking unsuspecting users into downloading malicious apps or granting permissions that go too far and create vulnerabilities.
Using Barracuda Advanced Threat Protection (ATP), our research team scanned and analyzed more than 4,200 Android apps related to the holiday season, including shopping apps, Santa video chat, and holiday-themed games.
Using ATP, Barracuda researchers identified hundreds of questionable apps:
- Seven apps exhibited malicious behavior, such as replacing the app with a version downloaded from the Internet via a command-and-control server
- 35 apps contained adware, which displays more invasive and potentially malicious advertisements than standard ad-enabled apps
- 165 apps had excessive or dangerous combinations of permissions
Malicious mobile apps generally target personal information and account credentials. Granting excessive permissions can allow apps to harvest a wide variety of personal information, which can either be sold directly or stored, making it susceptible to being leaked later in the event of a data breach.
Some permissions, while potentially dangerous, can also serve as good warning signs of a malicious app. For example, granting the ability to read SMS messages could be leveraged to intercept multi-factor authentication tokens. Similarly, granting the ability to send SMS messages could be used to send spam or phishing campaigns from your device. Also, granting access to your contacts could allow an app to harvest targets for spam or phishing campaigns via SMS/MMS, email, or phone.
Protecting against malicious mobile apps
Be diligent and avoid getting more than you bargain for when downloading holiday-themed apps by following these cybersecurity tips:
- Check the reputation of every application you download — Look at user reviews (or lack thereof) and how long the app has been around. Be aware of the permissions you’re granting, especially suspicious ones that can put your personal data and contacts at risk, regardless of whether the app itself is malicious. Consider whether granting the permissions makes sense based on the nature of the app. For example, a shopping app shouldn’t generally require the ability to read or write text messages or access your phone. Likewise, most simple games shouldn’t require any permissions at all. After you’ve downloaded and installed an app, you can often block specific permissions from the settings.
- Enable parental controls — Be sure parental controls are enabled to prevent children from installing apps before an adult has had a chance to review them and ensure they look safe to download.
- Look before you click — Follow standard precautions when viewing email, clicking a link, or going to a website. Check the sender and URLs in emails to be sure they are legitimate. Be sure the website address is correct in the URL bar. Look for irregularities in the layout of frequently-visited sites after clicking links to them.
- Shop the website directly — Typing the URL for shopping sites, rather than using an in-email link, can also be effective at avoiding fake versions of popular sites. In most cases, clicking the link in an email isn’t required to take advantage of sale prices, and any promotional codes provided need to be entered during checkout on the website.
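
The permission review described above (the SMS and contacts risks, and the tip about what a shopping app or simple game should need) can be automated. The following is an added example, not Barracuda's tooling or code from the original article. It assumes a decoded, text-form AndroidManifest.xml (for instance, as produced by apktool); the category names, the mapping of "access your phone" to two permissions, the combination rule, and the sample manifest are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
# Risks the article attributes to each permission.
RISKS = {
    P + "READ_SMS": "can read SMS, including multi-factor authentication tokens",
    P + "SEND_SMS": "can send spam or phishing SMS from the device",
    P + "READ_CONTACTS": "can harvest contacts as spam or phishing targets",
}
# Assumption: "access your phone" is modelled as these two permissions.
PHONE = {P + "READ_PHONE_STATE", P + "CALL_PHONE"}
# What each app category should not need, per the article's tips.
# None means "should need no permissions at all" (simple games).
UNEXPECTED = {"shopping": {P + "READ_SMS", P + "SEND_SMS"} | PHONE, "game": None}

# Constructed sample: decoded manifest of a hypothetical shopping app.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.holidaydeals">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the permissions declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}

def review(manifest_xml, category):
    """Return (permission, reason) findings, sorted by permission name."""
    perms = requested_permissions(manifest_xml)
    unexpected = UNEXPECTED.get(category, set())
    findings = []
    for perm in sorted(perms):
        if perm in RISKS:
            findings.append((perm, RISKS[perm]))
        elif unexpected is None or perm in unexpected:
            findings.append((perm, f"not expected for a {category} app"))
    # Illustrative "dangerous combination" (an assumption, not from the
    # article): contact harvesting plus the ability to send SMS.
    if {P + "READ_CONTACTS", P + "SEND_SMS"} <= perms:
        findings.append(("READ_CONTACTS+SEND_SMS", "can message harvested contacts"))
    return findings

if __name__ == "__main__":
    for perm, reason in review(SAMPLE, "shopping"):
        print(f"{perm}: {reason}")
```

A finding is a prompt for manual review of the app, not a verdict that it is malicious.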