Fake mobile apps can be extremely harmful to organizations and individuals alike. While they’re commonly used as conveyors of adware and malicious software, they’re also often used to covertly track user behavior and steal sensitive personal and financial information.
The ramifications here are pretty clear. For businesses, fake apps may impact brand safety, ad revenue, and mobile security. For individuals, they offer poor user experiences and have an elevated risk of identity theft and data privacy violations.
This article briefly covers the basics, including what fake apps are, how they work, and the two main types of fake apps. Then, we discuss the associated risks and how app intelligence solutions designed for mobile security, like those we offer at 42matters, can be used to detect them.
Here’s what we cover:
- What Are Fake Apps?
- How Do Fake Apps Work?
- Types of Fake Apps
- Risks Associated with Fake Mobile Apps
- How to Detect Fake Mobile Apps
What Are Fake Apps?
Fake mobile apps are deceptive applications meticulously designed to resemble genuine apps. They’re developed by cybercriminals and scammers to be mistakenly downloaded by users searching for particular apps on app stores. Once downloaded, they might deploy malicious software, covertly track user behavior, display intrusive advertisements, or even execute sophisticated schemes to steal sensitive personal and financial data.
From the perspective of fraudsters, mobile devices are particularly attractive targets since they tend to contain highly personal information. Additionally, it’s often extremely difficult to identify and prevent infiltrations on mobile devices.
How Do Fake Apps Work?
While fake apps may be found on unauthorized app marketplaces or alternative app stores used for sideloading, main app stores are by no means fraud free. Indeed, despite rigorous security protocols, these stores tend to be the most common distributors of fake apps, with cybercriminals posing as developers, infusing genuine apps with harmful code, and uploading the corrupted versions to app stores.
Fake apps may also spread via social engineering tactics. For example, scammers might impersonate reputable entities via email or text to lure individuals into downloading their fraudulent apps. These publishers disguise themselves as banks, credit card companies, or popular brands. In some instances, they even portray their communications as iOS, Android, or security updates.
Types of Fake Apps
Broadly speaking, fake apps fall into two categories: Counterfeit Apps and Repackaged Apps. Let’s quickly touch on both:
Counterfeit Apps
Sometimes referred to as copycats, counterfeit apps imitate legitimate apps by deceptively using their visual and design elements (i.e. logos, screenshots, and overall look and feel) to trick users into downloading them. Moreover, their names might differ only slightly from the apps they’re spoofing, making them appear credible at first glance.
Repackaged Apps
In some cases, where developers have released open-source versions of their apps, it’s relatively easy for fraudsters to take the source code, modify it, and re-release the app. Typically, these modifications include the integration of aggressive advertising capabilities (for instance, via ad network SDKs), which can be a nuisance for end users. While modifying open-source apps isn’t necessarily illegal, the insertion of ads can detract from the user experience and rob the original developer of revenue derived from their app.
Risks Associated with Fake Mobile Apps
Fake apps are often fairly benign. Perhaps the most common scam is to lure users in, bombard them with advertisements, and collect the ad revenue they generate. However, some examples are far more pernicious; and while they don’t always impact individual users to such a large degree, they can be devastating for large organizations and enterprises.
In this next section, we’ll take a closer look at some common scams that leverage fake apps and explain the dangers they pose to businesses and end users alike. We’ll focus on the following:
- Rooting Malware
- Billing Fraud
- Malicious Downloaders
- Phishing Attacks
- Unauthorized Access
Adware
As alluded to above, adware-infected apps are repackaged versions of legitimate apps laden with unexpected ads. This leads to intrusive advertising experiences even in apps that typically do not contain ads.
To put a finer point on it, adware impacts users by disrupting their app experience with intrusive and unwanted advertisements, potentially compromising device performance and user privacy.
Spyware
Spyware apps secretly transmit personal data such as texts, call logs, emails, and location information to unauthorized third parties. From an enterprise standpoint, spyware can severely compromise security by illicitly transmitting sensitive corporate data and employees' personal information to unauthorized third parties.
Ransomware
This category includes apps that encrypt your data, making it inaccessible, and then demand payment for its release. Ransomware can critically disrupt enterprise operations by encrypting vital data and demanding payment for its release, potentially leading to significant financial loss and operational downtime.
Rooting Malware
While not all rooting (or jailbreaking) is malicious, some apps perform this without user consent, potentially compromising device security. This exposes end users and organizations to further malicious attacks and may even void device warranties.
Billing Fraud
These scams involve unauthorized charges being made through your phone, such as automatic subscriptions, premium SMS charges, or unauthorized in-app purchases. Billing fraud can inflict financial losses on organizations through unauthorized charges on company-owned devices, complicate expense management, and inflate operational costs.
Botnets
Malicious apps may covertly enlist your smartphone in activities like distributed denial-of-service (DDoS) attacks, cryptocurrency mining, or mass spamming without your knowledge. Botnets can compromise organizational network integrity and resources by covertly enlisting company devices in malicious activities like DDoS attacks, leading to network disruption and potential legal and reputational repercussions.
Malicious Downloaders
While not inherently harmful, these apps trigger the download and installation of other software onto your device without your consent. Malicious downloaders can undermine organizational cybersecurity by facilitating malware infiltration into the network, escalating the risk of data breaches and system compromises.
Phishing Attacks
Fake apps might prompt you to enter sensitive information under false pretenses or redirect you to malicious websites that steal your data. Phishing attacks through fake apps can lead to significant data breaches within organizations, exposing sensitive corporate information and endangering customer trust and company reputation.
Unauthorized Access
Apps that engage in privilege escalation exploit vulnerabilities to gain unauthorized access or disable security measures on your device. Apps facilitating unauthorized access can expose businesses to internal and external security threats by compromising critical systems and sensitive data, potentially leading to unauthorized data manipulation or theft.
How to Detect Fake Mobile Apps
In any case, fake apps are hazardous. The question then is, how can you spot them? Unfortunately, there are no dead giveaways. Instead, you’ll need to inspect several elements — from user reviews to download counts, developer details, permissions, tech stacks, and more — and come up with a best guess. This is especially true if you’re trying to detect fake apps at scale and don’t have the time to perform in-depth app audits.
This is where 42matters comes into the picture. Many organizations use our app intelligence APIs and file dumps to spot fake apps since they provide programmatic access to app data from 20M+ apps across 12 leading app stores. However, you can also use the 42matters Explorer, our flagship app market research platform. And since it has a visual and user-friendly dashboard, we’ll use it to demonstrate some critical app auditing techniques.
With this dashboard, you can browse millions of apps, games, and publishers and access a variety of helpful insights and analytics to detect fake apps.
In this section, we’ll discuss a number of clues that indicate an app may be fraudulent and show you how our app intelligence solutions can assist in scaling this process up.
Here’s what you should be looking at:
- App Icons, Titles, Descriptions, and Metadata
- App Details and Specifications
- User Ratings and Reviews
- Developer Details
- Download Counts
- Release Date and Developer Updates
- Required Permissions
- Integrated SDKs
App Icons, Titles, Descriptions, and Metadata
Let’s begin with the low-hanging fruit. Review app icons, subtitles, descriptions, and other metadata elements for any red flags. For example, genuine app developers typically ensure their app descriptions are free of spelling and grammatical errors. While an occasional error is to be expected, frequent language mistakes are a major red flag.
Likewise, imitation apps may use icons that closely resemble those of legitimate apps, particularly in the case of popular games. Exercise caution and look for any signs of distortion or lower quality in the icon that might suggest a fake.
With 42matters, you can quickly analyze all the relevant metadata in one place. Check it out, here are the app details for the Android version of WhatsApp in the Explorer:
App Details and Specifications
Next, validate suspected fake apps. Often, all it takes to spot copycat apps is to audit app IDs, Track IDs, and Bundle IDs. You can find this information on the Explorer here:
You can even double and triple verify apps via app certificate verification, APK file verification, and developer verification. With 42matters, you’ll be able to analyze all of this, as well as the following:
- APK/IPA Resources and File Structures
- Signing Certificate Hashes (SHA-1, SHA-256, and MD5)
- APK File Hashes (SHA-1, SHA-256, and MD5)
- Static URLs
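The ID and certificate checks described above can be automated once you hold a known-good record for the app you want to protect. The sketch below is an added example, not 42matters code: the field names, the 0.85 similarity threshold, and every sample value are assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed reference record for the genuine app (placeholder values).
REFERENCE = {
    "title": "ExampleChat Messenger",
    "package": "com.example.chat",
    "developer": "Example Chat LLC",
    "cert_sha256": "a1" * 32,
}

def _norm(text):
    """Lowercase and keep only letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def _similar(a, b):
    return SequenceMatcher(None, _norm(a), _norm(b)).ratio()

def classify(candidate, ref=REFERENCE, threshold=0.85):
    """Compare a store listing with the reference and label the result."""
    same_pkg = candidate["package"] == ref["package"]
    same_cert = candidate["cert_sha256"].lower() == ref["cert_sha256"].lower()
    if same_pkg and same_cert:
        return "genuine"
    if same_pkg:
        # Same app ID but a different signing key: rebuilt by someone else.
        return "repackaged"
    if same_cert:
        # Different app signed with the reference key: same publisher.
        return "same-publisher"
    lookalike = max(_similar(candidate["title"], ref["title"]),
                    _similar(candidate["developer"], ref["developer"]))
    # A near-identical name from an unknown signer is the copycat pattern.
    return "counterfeit" if lookalike >= threshold else "unrelated"

# Constructed listings, as they might appear in a metadata export.
SAMPLES = [
    {"title": "ExampleChat Messenger", "package": "com.example.chat",
     "developer": "Example Chat LLC", "cert_sha256": "A1" * 32},
    {"title": "ExampleChat Messenger", "package": "com.example.chat",
     "developer": "Example Chat LLC", "cert_sha256": "b2" * 32},
    {"title": "ExampleChat Mesenger", "package": "com.examp1e.chat.free",
     "developer": "Example Chat LLC.", "cert_sha256": "c3" * 32},
    {"title": "Weather Now", "package": "org.sky.weather",
     "developer": "Sky Tools", "cert_sha256": "d4" * 32},
]

if __name__ == "__main__":
    print([classify(app) for app in SAMPLES])
```

The signing certificate hash is the strongest signal here, because a lookalike title or developer name is easy to produce while the original publisher's signing key is not.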
User Ratings and Review Sentiment
Be cautious of apps that have poor ratings and numerous complaints from users. Conversely, an excess of glowing reviews can also be suspect, as creators of fraudulent apps may fabricate reviews to lure in unsuspecting users.
For example, an app with an average rating of 1.4 stars, based on 1,000+ total reviews, is a good blacklist candidate since the number of reviews lends credibility to the app’s low star rating. Conversely, an app with an average rating of 5 stars, based on 10 total reviews, deserves suspicion because so few reviews don’t lend credibility to the star rating. Indeed, most legitimate apps occupy the happy middle. Take WhatsApp, for instance. It has an average rating of 4.09 stars based on 185.6 million reviews. While this isn’t a perfect rating, it’s still extremely good; and, more importantly, it's backed up by a ludicrously high review count.
Aside from average rating and rating count (i.e. how many times users have rated an app), the 42matters Explorer provides a glance at review sentiment:
It depicts the percentage of positive reviews versus negative reviews for various topic clusters ranging from ‘General Feedback’ to ‘Privacy & Security.’ You can also use our Reviews APIs to access full text reviews for critical apps.
App and Developer Details
Conduct an online search on the developer's name to gauge their credibility. Be mindful of slight alterations in the developer's name intended to mimic legitimate entities, a common trick used by counterfeit apps.
Likewise, assessing the quality and accessibility of their website and social media presence can be really helpful. For example, if a publisher hasn’t put much effort into maintaining their website, or if they lack a certain “personal touch” (e.g. team pages, about pages, etc), you should generally avoid their apps.
With the Explorer, you have easy access to publisher insights, including Publisher ID and Website URL:
Download Counts and Monthly Active Users (MAUs)
Performance metrics like downloads and MAUs are also a fairly good proxy for determining app legitimacy. Apps that have been around for quite some time, but have low uptake and usage, may be engaging in fraudulent behavior. Likewise, apps with a disproportionately high number of reviews compared to downloads and MAUs deserve a closer look.
The Explorer provides filters for both downloads and MAUs, which enable you to filter out apps that fall below certain thresholds:
Likewise, you can do a deep dive on particular apps with the downloads and MAU dashboards in each app profile:
Release Date and Developer Updates
Consider the release date of the app. A recent launch date coupled with an unusually high download count could indicate a fraudulent app, as genuine, widely downloaded apps typically have a longer presence in the market.
You can use the Explorer to analyze release date, last update, and current version:
Along the same lines, infrequent updates may be a signal that an app has been abandoned or that developers don’t care about improving the product. Both are red flags and indicate that there may be underlying security issues within an app.
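The rating, download, and release-date signals from the last few sections combine naturally into a rule-based triage pass over exported app metadata. This is an added example, not part of the 42matters tooling: the field names and all thresholds are assumptions, and the sample records are constructed (their ratings and review counts mirror the figures quoted earlier).

```python
from datetime import date

def triage(app, today):
    """Return the red flags raised by one app metadata record."""
    flags = []
    rating, n_ratings = app["rating"], app["rating_count"]
    downloads = app["downloads"]
    age_days = (today - app["released"]).days
    stale_days = (today - app["last_update"]).days

    # Thresholds below are illustrative assumptions; tune them on real data.
    if n_ratings >= 1000 and rating < 2.0:
        flags.append("low rating backed by many reviews")
    if n_ratings < 50 and rating >= 4.9:
        flags.append("near-perfect rating from very few reviews")
    if downloads and n_ratings / downloads > 0.5:
        flags.append("review count out of proportion to downloads")
    if age_days < 30 and downloads >= 1_000_000:
        flags.append("very new app with unusually high downloads")
    if age_days > 365 and downloads < 1_000:
        flags.append("long-listed app with low uptake")
    if stale_days > 730:
        flags.append("no update in over two years")
    return flags

TODAY = date(2024, 6, 1)  # fixed date so the results are reproducible

# Constructed records; download counts and dates are made up for the example.
SAMPLES = {
    "low-rated": {"rating": 1.4, "rating_count": 1200, "downloads": 50_000,
                  "released": date(2021, 3, 1), "last_update": date(2021, 6, 1)},
    "too-perfect": {"rating": 5.0, "rating_count": 10, "downloads": 2_000_000,
                    "released": date(2024, 5, 20), "last_update": date(2024, 5, 20)},
    "established": {"rating": 4.09, "rating_count": 185_600_000,
                    "downloads": 5_000_000_000, "released": date(2010, 10, 18),
                    "last_update": date(2024, 5, 28)},
}

if __name__ == "__main__":
    for name, app in SAMPLES.items():
        print(name, triage(app, TODAY))
```

A flag is a reason to look closer, not a verdict; apps that raise several at once are the ones worth a manual audit first.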
With the 42matters Explorer, you can review developer updates and changelogs in depth:
Required Permissions
Carefully review the app's requested permissions. Permissions serve as a method for managing and restricting access to certain device functions, and malicious apps may surreptitiously request access to sensitive information, such as location data, contact details, SMS messages, etc.
With the Explorer, you can spot all apps that use undesirable permissions. This can be done a couple of ways. First, via the PERMISSIONS filter:
This filter makes spotting riskier permissions especially easy, since it tags them with the orange ‘Sensitive permission’ label:
Once you apply the filter, you’ll see all apps that use the permissions you selected. In this case, these are all published Android apps that use any location permissions marked as sensitive:
The second way to identify apps with risky permissions is by analyzing specific apps. To do this, use the Explorer to find the app you suspect is fake, open its app profile, and navigate to the PERMISSIONS section. Here’s what this looks like for the Android version of WhatsApp:
It should be noted that apps that use sensitive permissions are not necessarily malicious, nor are they necessarily fake. In fact, the vast majority of apps require sensitive permissions to function properly. That said, in environments where mobile app security is of the utmost importance — such as enterprise organizations or government agencies — it’s better to be safe than sorry.
Integrated SDKs
Last, but certainly not least, audit app tech stacks. Certain types of SDKs are known for tracking user data or for delivering ads. If you notice any apps have SDKs for these purposes, you can investigate them further.
In addition, you can audit SDKs in the following ways:
- Validate SDKs using their SDK IDs: Catch apps that integrate copycat SDKs.
- SDK Developer Website: As with app publisher websites, you can assess the trustworthiness of an SDK by visiting their website.
- Installation and Removal Trends: Patterns in how often an SDK is installed on apps and removed from apps can indicate dissatisfaction or discovery of unwanted behaviors.
To get started with SDK validation and SDK analysis, check out the 42matters SDK Explorer!
More App Intelligence Use Cases for Cybersecurity
If you’d like to learn a little more about 42matters’ app intelligence solutions and how they can be deployed for cybersecurity purposes, we recommend checking out these articles, customer stories, and datasheets:
- Privacy Matters: How One Firm Leveraged 42matters to Launch a Unique Data Privacy Service
- Improve Your Mobile App Security Posture with App Metadata
- Detect Potentially Unwanted Applications (PUA) with App Data
- DATASHEET: Improve Your Mobile Security Posture
And, if you have any further questions, feel free to reach out to our team directly!