How to avoid fake apps and thwart identity thieves

With the holiday shopping season in full swing, identity thieves are taking full advantage of the popularity of retail apps by planting fake mobile apps in the Apple and Google Play stores with the intention of stealing your credit card and personal information.

Let’s say you go to the Apple App Store looking for Starbucks’ popular mobile app, which allows you to load Starbucks gift card and credit card information into a mobile wallet interface, so you can pay for your coffee by scanning your phone. But instead of downloading the right app, you download one that looks virtually indistinguishable from the real thing.

“On iOS, your credit card information can’t be stolen because Apple uses sophisticated hardware to store that information away from your phone using a cryptographic algorithm. But, any of your login details can be stolen, including your name, your date of birth or your address. Plus, if you log in with your Facebook or Google account, they now have access to your profiles and your e-mail if you use Gmail. With that information, they could literally get in anywhere,” says Abdallah Haji, senior technical project manager at the app developer Devfusion in Toronto.

So how can you protect yourself from falling victim to fraudulent retail apps, or any fake mobile app for that matter, and how are these imposter apps getting by Apple’s stringent app store approval process?

Bait and Switch

Normally, it’s incredibly difficult to get your app into the Apple App Store. Infractions range from improper use of icons or buttons and mentioning rival supported platforms in your app description to more serious problems such as a substandard user interface, broken links and frequent crashes. Even Haji says his team at Devfusion has sometimes had its apps rejected at various stages before finally making it through to the store.

One of the things that’s never getting through Apple’s inspections is malware, but that’s the thing – these fake apps aren’t malware. They are legitimate apps with legitimate code and legitimate links, at least, at first.

“Apple usually does check, but what you can do is after Apple accepts you, you can change the Application Programming Interface [API] which means you can go in and change the content of the app without altering its overall structure, so an app that was legitimate when Apple approved it can suddenly turn illegitimate after it passes the most stringent stage of approval,” says Haji.

Apple is aware of this problem and is trying to purge its store of these imposter apps as fast as humanly possible. The only comment it has made about the issue so far is the following statement:

“We strive to offer customers the best experience possible and we take their security very seriously. We’ve set up ways for customers and developers to flag fraudulent or suspicious apps, which we promptly investigate to ensure the App Store is safe and secure. We’ve removed these offending apps and will continue to be vigilant about looking for apps that might put our users at risk.”

Android’s Google Play Store is an even worse offender when it comes to letting in suspicious apps. They have nowhere near as stringent an approval process as Apple does and they allow app developers to have access to the root of someone’s phone, which means great things creatively if it’s a legitimate app, but is downright scary if it’s an app with malicious intentions.

“When you give so much control on the root level, you can actually do some amazing things. For example, there are some apps on Android that can make a phone call on your behalf, but Apple would never allow that. So bogus applications can do a lot more and create all sorts of random things,” says Haji.

What Can You Do to Protect Yourself?

It’s getting harder and harder to discern the real apps from the fake ones as identity thieves get more and more sophisticated, but there are still things you can do to avoid being caught in the crossfire or limit the damage if you unwittingly download a fake.

“It’s really, really tricky to identify a fake app from a real app,” says Bob Sullivan, an award-winning cybercrime and fraud journalist who regularly appears on NBC News and its affiliates. “You can look at the number of reviews and obviously if supposedly well-known apps have few reviews that’s a red flag. There’s the other usual things like misspellings in the description, but these bad guys are kind of beyond that.”

It’s possible to buy fake reviews in the hundreds to make your app look just as legitimate and popular as the real thing, and identity thieves now know that misspellings are a red flag, so they don’t make them with the frequency they used to.

“Really the surest way to do this is to go to the actual website of the store with the app and follow the download instructions there. The link you click on the official website will take you to the proper app in the Apple Store or on Android,” continues Sullivan.

Of course, if you’re on the wrong website, you may end up with the wrong app, so look at those address bars closely before downloading anything.

“A big reason why this is working is that Apple’s reputation means that people are more trusting and so far that trust has been well-placed, but now it’s just as easy to do this in The App Store as it has always been in the Play Store,” says Sullivan.