7.17.19 – SIW
Amazon’s Echo smart speakers were hot-selling items during the 2018 holiday season. Echo connects to the Alexa Voice Service to listen to and execute spoken commands to play music, answer questions, initiate phone calls, and much more. Thousands of new Echo owners went to the Apple App Store and downloaded an Alexa setup app for their iPhone or iPad, only to learn that it was not legitimate. The fake Alexa app from One World Software looked real at first, then deliberately kept users engaged for as long as possible just to show them ads. It asked for the user’s IP address and Echo device serial number, but fortunately did not appear to steal anything more sensitive.
After numerous complaints, Apple removed the app from its store. Still, the incident was a black eye for Apple, which had allowed the bad app into its store, and for Amazon, whose Alexa brand was abused even though the company had no affiliation with the fake app. Users who were duped into believing the app was part of the Alexa setup process left negative reviews aimed at the real product.
Counterfeit applications are a significant problem, not only for unsuspecting consumers who are deceived but also for developers of legitimate apps whose customers interact with rip-off clones of their software. Fake apps are big business for malicious actors, especially if they can leverage the brand and customer base of a well-known company. The fake Alexa setup app was downloaded so often that it placed 60th on the top free apps section of the entire App Store, and it attained the sixth position on the top ten list for utilities before being removed.
Fake Apps Can Be Lucrative For the Perpetrators
Counterfeiters make money off their fake apps in a number of ways. One is to corrupt a real app with ad injection or clickbait. Users who download the altered app get bombarded with ads that generate revenue for the counterfeiter. Other, more nefarious actions by counterfeit apps include spying on users, stealing their login credentials, or stealing money or account information. By logging usernames and passwords, criminals can use them for identity theft or sell them on the Dark Web. Fake apps are also known to request excessive permissions to access a user’s information, such as the contact list, personal photos and location.
In 2018, a rash of fake banking apps made their way into the Google Play store. The malicious apps impersonated the brands and identities of three different Indian banks. The apps phished for credit card details and customers’ banking credentials using bogus forms, and the stolen data was leaked online in plain text via an exposed server. Hundreds of bank customers fell victim to these apps, putting them at risk for identity theft and fraudulent transactions.
Hundreds of App Stores Around the World
Apple and Google do perform some security and validation checks on apps uploaded to their stores. As the examples above show, however, those checks do not screen out every bad app. And counterfeit apps are a worldwide problem, showing up in hundreds of app stores around the world. Large organizations with a global brand might have their apps hijacked and corrupted, then uploaded to any of these regional app stores.
The Chinese market is a particular challenge for legitimate app developers. Google Play is not permitted to operate in China, which has a market of 1.3 billion consumers. A large brand that wants to reach that customer base has to leverage third-party app stores to distribute its apps within China and neighboring countries. Those local app stores, however, have little governance over the apps they host, making it easy for fraudsters to corrupt a legitimate app and re-publish the counterfeit version.
Third-party app stores hosted in Europe can reach into the Middle East and Africa, and they too have little oversight over what gets posted. The United States, where Apple and Google operate the dominant stores, has the world’s second largest consumer base for third-party app stores, coming in behind China. Make no mistake, these third-party stores are important for reaching a worldwide consumer base, but they make it hard for a large brand to monitor and control the state of its legitimate apps.
The Types of Counterfeit Apps
There tend to be two primary types of counterfeit apps—clones and brand fakes. A cloned app is one where someone has taken a legitimate version of an app and republished it without permission on a third-party app store. In some cases the app has not been tampered with, but has merely been published somewhere unknown to the real owner under the wrong publisher ID. More likely, however, the counterfeiter has modified and corrupted the app in one of the ways described above, and the real brand owner has no idea this malicious app is publicly available. Consumers see the brand name on the altered app, interact with functionality identical to the original app’s, and assume it is legitimate.
In the case of brand fakes, or brand abuse, the app begins life as a fully fake product, as in the case of the Alexa setup app distributed by One World Software. The real brand owner has never had any association with the app, except that it is made to look like it came from that company. It is the digital version of a counterfeit Rolex watch or Chanel handbag. And as with the clone apps, brand fakes can be made to do all sorts of nefarious things.
Regardless of the type or origin of a fake app, the potential exists for damage to the real brand. When customers are duped, they may be hesitant to use real mobile apps from that brand again. The company can suffer reputational damage or be liable for fraudulent transactions that occur when login credentials are stolen. Companies work hard to establish value in their brand, and malicious actors can tear it down overnight.
Automation is needed to find and take down fakes
Finding and taking down counterfeit apps can be a real challenge, given that there are more than 300 app stores worldwide and the list is growing. What’s more, screening for fake apps is a never-ending problem, likened to a game of Whack-A-Mole. Find one app and take it down and another pops up in its place. Each app store has its own take-down process, making it a time-consuming activity for brands to manage on their own.
The best approach to monitoring for fake apps in third-party stores, as well as in Google’s and Apple’s official stores, is to use a tool or system of tools that automates continuous scanning for clone apps and brand abuse apps. Brand fakes can be especially tricky to identify because they often use some variant of a real brand’s logo or look-and-feel. In such cases, machine learning and image-similarity algorithms can identify markings that closely approximate a brand’s real logo and other attributes. Run-time binary analysis, comparing the suspect package against a known-authentic build of the application, is another important technique: it can reveal modifications to a cloned app that hidden or obfuscated changes would otherwise make hard to detect.
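As an added example (not code from the article or from Data Theorem), the following Python script shows the comparison technique described above together with the clone-versus-republish distinction from the previous section: it diffs a suspect package’s files and signer identity against a known-authentic build. It models app packages as zip archives (as APKs are) and approximates the signer identity by hashing a constructed META-INF/CERT.RSA blob; real verification would parse the APK signing block and validate the certificate chain. All sample packages, file contents and certificate blobs are constructed inline for the example.

```python
"""
Added example: classify a suspect app package relative to a known-authentic
reference build as authentic, republished (same code, different signer) or
tampered (code differs). Packages are modelled as zip archives; the signer
identity is approximated by hashing the certificate blob under META-INF/
(an assumption for this example, not a full APK signature verification).
"""
import hashlib
import io
import zipfile

SIGNER_PATH_PREFIX = "META-INF/"
SIGNER_SUFFIXES = (".RSA", ".DSA", ".EC")


def file_digests(package_bytes):
    """Return {path: sha256hex} for every non-signature file in the archive."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.filename.startswith(SIGNER_PATH_PREFIX):
                continue  # signature metadata is compared separately
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def signer_fingerprint(package_bytes):
    """Fingerprint of the signing certificate blob (assumed layout: META-INF/*.RSA)."""
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith(SIGNER_PATH_PREFIX) and name.endswith(SIGNER_SUFFIXES):
                return hashlib.sha256(zf.read(name)).hexdigest()
    return None


def compare_packages(reference, suspect):
    """Diff `suspect` against the known-authentic `reference` and return a verdict."""
    ref_files = file_digests(reference)
    sus_files = file_digests(suspect)
    added = sorted(set(sus_files) - set(ref_files))
    removed = sorted(set(ref_files) - set(sus_files))
    modified = sorted(p for p in ref_files if p in sus_files and ref_files[p] != sus_files[p])
    same_signer = signer_fingerprint(reference) == signer_fingerprint(suspect)
    content_identical = not (added or removed or modified)

    if same_signer and content_identical:
        verdict = "authentic"
    elif content_identical:
        verdict = "republished"  # identical code, but not signed by the brand owner
    else:
        verdict = "tampered"     # code differs from the authentic build: hostile clone
    return {"verdict": verdict, "same_signer": same_signer,
            "added": added, "removed": removed, "modified": modified}


def build_package(files, signer_cert):
    """Construct an in-memory zip with the given files and a fake signer blob."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, data in files.items():
            zf.writestr(path, data)
        zf.writestr("META-INF/CERT.RSA", signer_cert)
    return buf.getvalue()


# Constructed sample packages (not real apps); the contents are placeholders.
BRAND_FILES = {
    "AndroidManifest.xml": b"<manifest package='com.example.brand'/>",
    "classes.dex": b"dex\n035\x00original-app-code",
    "res/drawable/logo.png": b"\x89PNG...brand-logo",
}
BRAND_CERT = b"-----BRAND OWNER CERT (constructed)-----"
COUNTERFEITER_CERT = b"-----SOMEONE ELSE CERT (constructed)-----"

REFERENCE = build_package(BRAND_FILES, BRAND_CERT)
# Same code, re-signed and published under someone else's publisher identity.
REPUBLISHED = build_package(BRAND_FILES, COUNTERFEITER_CERT)
# Code patched and an extra native library added, simulating ad injection.
TAMPERED = build_package(
    {**BRAND_FILES,
     "classes.dex": b"dex\n035\x00original-app-code+injected-ad-sdk",
     "lib/arm64-v8a/libadnet.so": b"\x7fELF...ad-injection-library"},
    COUNTERFEITER_CERT,
)

if __name__ == "__main__":
    for name, pkg in (("reference", REFERENCE), ("republished", REPUBLISHED),
                      ("tampered", TAMPERED)):
        print(name, compare_packages(REFERENCE, pkg))
```

The "republished" verdict corresponds to the untampered clone published under the wrong publisher ID, and "tampered" to the corrupted clone; the added and modified file lists tell an analyst where to look first. Note the caveat: a brand fake shares no code with the original, so this comparison cannot catch it; that is the case for the logo and look-and-feel matching described above.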
Brand managers will need these tools to keep pace with the number of fake apps spread across hundreds of app stores, and to continuously scan for abuse of their brands. Typically the tools can automatically find the apps and notify the brand manager, who makes a take-down decision. The take-down process can then be automated as well. This is the only practical way to keep up with app brand abuse on a global scale.
About the Author:
Richard Smith is a Director at Data Theorem. He works with security professionals and developers across organizations of different sizes to better understand market trends and needs around mobile app security, mobile app fraud and API security. Before joining Data Theorem, Richard worked for Cisco Systems, helping organizations develop security solutions across many areas of technology, including network security, cloud security, data center security and identity management. Prior to Cisco Systems, Richard worked as an entrepreneur and technology influencer at collaboration leader TANDBERG and virtualization startup RingCube Technologies. Richard earned a B.S. in Management Information Systems from San Jose State University.