A serious new warning this week has been targeted at smartphone users who have been tricked into installing malicious apps on their devices. But unlike other recent warnings, these apps are much harder to find and delete on your phone.
This holiday season, we saw a spate of warnings about SpyLoan and Xamalicious malware-laced apps. In each case, security firms published helpful lists of usually trivial apps against which users could check their devices. Not this time.
The latest report exposes copycat downloads that trick users into believing they’re established apps and add-ons from major providers—“WhatsApp, Telegram and Signal clones and mods remain a popular vehicle for malware,” warns ESET.
It’s the popularity of such apps that makes them so attractive to “threat actors keen to find a way to sneak malware onto your device. It could end up costing you and even your employer dear… Don’t get taken for a ride.”
With Apple’s App Store famously locked down, and Google’s more lax store continuing to tighten its defenses, these bad actors resort to social engineering tricks to get to you, and you’re likely to see these very dangerous offerings hit your email or messaging apps as links. When they do, they’ll often appear to come from friends.
But these apps can also make their way onto legitimate app stores. Either way, whether we’re talking a dodgy Telegram client or a WhatsApp add-on, they all come with an extreme health warning. Messaging apps are central to our smartphones, and smartphones are central to our lives. This is rich hunting ground for attackers.
As ESET’s Jake Moore told me, “the hunt for the next secure, privacy focused, slick messaging app has the potential of coming with a sting in its tail. Copycat apps are simple to produce and some app stores unfortunately offer a raised platform for them to be advertised among the masses. Moreover, many people are also influenced by emails, messages and other platforms promising the ‘next best thing’.”
Given access to your WhatsApp and with the ability to farm your contact lists and messages, a bad actor will have a pretty good go at identity theft, or using your identity and messaging credentials to target your contacts with other malware.
End-to-end encrypted messaging has given us all a level of communication security that was unheard of before WhatsApp started to make this available to all of us, all of the time. But your device is the vulnerability, remember that. While intercepting encrypted communications is impossible in almost all circumstances, farming a compromised device for everything it contains is child’s play by comparison.
ESET warns that “if you download and install a malicious app on your phone, it could expose you or your employer to a range of threats,” and these include:
- Theft of personal data, banking and other financial information and identity information that can be sold on the dark web.
- Infecting your device with adware—software that continuously hits you with unwanted ads and can even click through on your behalf.
- Device takeovers and spyware that can steal messages, emails and other private information from your device.
- Ransomware that will lock your device.
- Dialers that secretly call premium-rate numbers.
- Your work credentials, giving access to your company’s systems.
As I’ve advised multiple times here, every app you let into your phone and into your life is a potential threat. Try to focus on the ones you need from the developers you recognize. Certainly avoid the temptation to fill your phone with trivial apps from seemingly small developers you’ve never heard of before.
Most such apps are designed and operated by enterprising malware operators, with straightforward financial motives. But we have seen much more sophisticated nation-state level attacks using such ploys to target specific groups of people, such as last year’s BadBazaar-inspired fake messaging apps targeting Chinese ethnic minorities.
Of course, such tactics are not limited to messaging apps, with fake banking apps also a firm favorite. If you receive an email or text, presented as coming from your bank with a new or updated app and a link… do not install it. Check the app store instead. Unsurprisingly, the wild west of crypto apps is another target-rich environment, as are the raft of AI/ChatGPT apps now doing the rounds with “don’t miss out” taglines.
Here are five other simple rules worth following:
- Stick to official app stores—don’t use third party stores and never change your device’s security settings to enable an app to load.
- Check the developer in the app’s description—is it someone you’d like inside your life? And check the reviews, do they look legitimate or farmed?
- Do not grant permissions to an app that it should not need: torches and star-gazing apps don’t need access to your contacts and phone. And never grant accessibility permissions that facilitate device control unless you have a need.
- Once a month, scan through your phone and delete a few of the apps you no longer need or haven’t used in a long time.
- Do not install apps that link to established apps like WhatsApp unless you know for a fact they’re legitimate—check reviews and online write-ups.
Beyond that, it’s sensible precautions at all times. Use biometric security for everything you can, but also remember to regularly change your phone’s PIN and never share it or use it publicly if you can avoid it. Keep your OS updated—use the auto feature in your settings. And don’t open attachments or click links you’re not expecting if you want to stay on the safe side.
“Downloading and installing a malicious app on your phone can lead to a number of disasters,” Moore warns, “including theft of personal data, compromise of banking information, poor device performance, intrusive adware and even spyware monitoring your conversations and messages.”
Most of the issues highlighted by these fake app reports relate to Android devices and third-party stores and side-loading. iOS is much more locked down. Which brings us to the pressure that’s now on Apple to open iOS up to third-party app stores. It could be that 2024 becomes the year of being careful what we wish for.