Story image

Why the growing threat of scam apps demands attention

31 Jan 2019

Many app developers bombard users with unwanted popups and steal email addresses for targeted advertising. However, the effects of unethical online advertising and app management can be felt much deeper. Users need to fully verify any apps they install or download to avoid the ramifications of shoddy apps and advertising scams, according to ESET. 

ESET senior research fellow Nick FitzGerald says, "At the end of last year, fake fitness-tracking apps scammed multiple users into losing money via a payment mechanism which linked to users’ credit and debit cards connected to Apple accounts. 

“This should signal to consumers that installing and downloading apps and features online should only be done with the utmost precaution.”

"Downloading a fake app can open users’ devices and, consequently, networks, up to a range of dangerous implications, including data breaches and bank account depletion." 

ESET recommends five ways users can verify the validity of online apps, and improve the app ecosystem: 

1. Be aware that reviews can be misleading. Many conscientious iOS and Android users refer to reviews in the Apple App Store or Google Play before downloading apps. While the reviews section can often indicate the quality of an app, some reviews can be too old to rely on, or even deliberately posted by scam app developers themselves to fool potential customers. 

When reading reviews, consumers should look to see that comments are recent and steer clear of apps with reviews using vague or nonsensical language, or multiple comments with repeated content. Look out for comments belonging to profiles with similar usernames, or profiles that appear phoney and unrealistic. It’s a good idea to reorder the ranking options to gain a more balanced picture and look to the reviews deemed ‘most critical’ first. 

2. Be patient. It’s wise to avoid rushing into purchasing or downloading an app as soon as it’s released. Users should take a few days to wait for reviews to develop, and research what other users are saying. When it comes to safety, patience is key. 

3. Be aware of valid functionality. Users should learn the extent to which their devices operate, to better spot scams which require certain identification methods. For example, fitness tracking apps will never be able to use a user’s fingerprint scan to access a user’s calorie data or nutrition information, so an app requiring fingerprint scans for this purpose is likely bogus. 

Likewise, if an app requests information or permissions upon download that it simply doesn’t need to do its job, ESET advises users to steer clear. A flashlight app doesn’t require users’ email addresses or phone numbers to do its job, nor do most downloadable games. 

4. Dig deeper. There is a range of ways users can find evidence that an app might not be trustworthy. ESET recommends users search app developers’ names and research any past apps they’ve uploaded to find historical reviews or articles which might reveal critical information. 

Users can also Google the app developer’s name alongside the word ‘scam’ to turn up more specific results. 

5. Make a difference. If users are unfortunate enough to have downloaded an untrustworthy app, they should act immediately. Users can contact the App Store or their financial institutions and request a refund. 

Users can also report fraudulent apps to the App Store or Google Play, and leave critical reviews on the app developer’s content. This can help other users avoid making the same mistakes, and hopefully work to keep dodgy apps at bay.

Veeam releases v3 of its MS Office backup solution
One of Veeam’s most popular solutions, Backup for Office 365, has been upgraded again with greater speed, security and analytics.
Too many 'critical' vulnerabilities to patch? Tenable opts for a different approach
Tenable is hedging all of its security bets on the power of predictive, as the company announced general available of its Predictive Prioritisation solution within Tenable.io.
Industrial control component vulnerabilities up 30%
Positive Technologies says exploitation of these vulnerabilities could disturb operations by disrupting command transfer between components.
McAfee announces Google Cloud Platform support
McAfee MVISION Cloud now integrates with GCP Cloud SCC to help security professionals gain visibility and control over their cloud resources.
Scammers targeting more countries in sextortion scam - ESET
The attacker in the email claims they have hacked the intended victim's device, and have recorded the person while watching pornographic content.
Cryptojacking and failure to patch still major threats - Ixia
Compromised enterprise networks from unpatched vulnerabilities and bad security hygiene continued to be fertile ground for hackers in 2018.
Princeton study wants to know if you have a smart home - or a spy home
The IoT research team at Princeton University wants to know how your IoT devices send and receive data not only to each other, but also to any other third parties that may be involved.
Organisations not testing incident response plans – IBM Security
Failure to test can leave organisations less prepared to effectively manage the complex processes and coordination that must take place in the wake of an attack.