Cloned and spoofed mobile applications can damage a brand’s reputation and compromise user data. Fake mobile apps are widely available on both third-party and official app stores and rely heavily on brand impersonation to build trust and drive downloads. Many mobile users lack the security posture normally practiced on desktops, leaving devices vulnerable to compromise.
Fake Apps
Fake mobile apps are identical copies or spoofed versions of legitimate applications. They are most often purchased through third-party app stores and are less expensive than in an official app store.
There are hundreds of ever-evolving third-party app stores. They typically operate with minimal restrictions, allowing threat actors to target users by imitating the appearance and functionality of legitimate apps. Brand offenses include abuse of trademark, copyright, or other forms of intellectual property.
Recognizing the imagery and/or content of a reputable brand, users are more likely to install a seemingly legitimate app without investigating whether it is real or up-to-date. Threat actors capitalize on the user’s trust to:
- Divert traffic
- Earn ad revenue, and/or
- Steal sensitive data
Detection
It is difficult for enterprises to effectively detect brand mentions and abuse. Third-party app stores are constantly being developed and unofficial apps are easily made available for download. Security teams should have mobile experts dedicated to the detection and curation of these types of threats.
Active monitoring of existing and newly created stores is necessary to detect mobile app fraud. Apps should be flagged as suspicious if they reference, impersonate, or replicate a brand’s content or images, including unauthorized use of:
- Logos
- Trademarks
- Content
- Functionality
- Appearance
Because of the high volume of brand mentions that may be flagged when monitoring third-party sites, security teams should conduct manual analysis to determine whether brand references qualify as abuse.
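The flagging step described above can be sketched as a triage pass over crawled store listings that separates likely clones and impersonations from plain brand mentions before manual analysis. This is an added example, not PhishLabs code. The brand profile, listing fields, placeholder certificate values and the 0.8 similarity threshold are assumptions, and comparing signing certificates is an added check the article does not describe.

```python
import re
from difflib import SequenceMatcher

# Hypothetical brand profile; the cert fingerprint is a labelled placeholder.
BRAND = {
    "name": "ExampleBank",
    "packages": {"com.examplebank.mobile"},
    "cert_sha256": {"OFFICIAL-CERT-PLACEHOLDER"},
}

# Constructed listings, shaped like the output of a store crawler (assumed fields).
LISTINGS = [
    {"id": 1, "title": "ExampleBank Mobile", "package": "com.examplebank.mobile",
     "cert": "OFFICIAL-CERT-PLACEHOLDER", "description": "Official banking app"},
    {"id": 2, "title": "ExampleBank Mobile", "package": "com.examplebank.mobile",
     "cert": "OTHER-CERT-PLACEHOLDER", "description": "Official banking app"},
    {"id": 3, "title": "Examp1eBank Login", "package": "com.free.apps.bank",
     "cert": "OTHER-CERT-PLACEHOLDER", "description": "Fast login"},
    {"id": 4, "title": "Budget Tracker Pro", "package": "com.budget.tracker",
     "cert": "OTHER-CERT-PLACEHOLDER", "description": "Works with ExampleBank accounts"},
    {"id": 5, "title": "Weather Now", "package": "com.weather.now",
     "cert": "OTHER-CERT-PLACEHOLDER", "description": "Local forecasts"},
]

def normalize(text):
    """Lower-case and drop everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def title_similarity(title, brand_name):
    """Best match between the brand and any brand-length window of the title."""
    t, b = normalize(title), normalize(brand_name)
    windows = [t[i:i + len(b)] for i in range(max(1, len(t) - len(b) + 1))]
    return max(SequenceMatcher(None, w, b).ratio() for w in windows)

def triage(listing, brand=BRAND, threshold=0.8):
    """Sort one listing into a queue for the manual analysis step."""
    if listing["package"] in brand["packages"]:
        # Official package id: genuine only if signed with the official cert.
        return "official" if listing["cert"] in brand["cert_sha256"] else "clone-suspect"
    if title_similarity(listing["title"], brand["name"]) >= threshold:
        return "impersonation-suspect"   # lookalike name on an unofficial package
    if normalize(brand["name"]) in normalize(listing["description"]):
        return "mention-review"          # body mention only; may not be infringement
    return "ignore"

def triage_all(listings=LISTINGS):
    return {item["id"]: triage(item) for item in listings}

if __name__ == "__main__":
    for app_id, verdict in triage_all().items():
        print(app_id, verdict)
```

Text matching covers only names and content; logo and screenshot reuse would need image comparison, which this sketch leaves to the manual review queue.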
Mitigation
Once a mobile app has been evaluated and determined to be a valid risk to your brand or userbase, security teams should pursue mitigation with the third-party store. A best practice is to build relationships with these stores, so you may quickly communicate suspicious activity and have it removed.
Brand mentions, such as a name in the body of the content, are not necessarily considered infringement and may be challenging to remove. In order to effectively investigate whether or not these mentions qualify as cloned or malicious apps, security teams should report all suspicious activity to key contacts at the stores.
Mitigation may also require information on the hosting providers, registrar, registrant, and associated country. If key contacts at the third-party store are unresponsive, escalating takedown requests to these other sources may prove helpful.
Successful mitigation does not ensure removal is permanent. Fake apps may re-appear with edits or adjustments to content or imagery, and may require additional action by security teams. Below is an example of a cloned application removed by PhishLabs, later reemerging in a different language.
Why Should This Matter to Security Teams?
An out-of-date or unauthorized version of an organization’s mobile app can have a number of consequences. Cloned applications may lack critical security updates and leave users highly vulnerable to compromise. Direct results include stolen data, fraud, or ransomware. Brand misrepresentation is equally damaging, and can undermine your enterprise’s credibility and lead to extensive monetary loss. It is important that security teams find suspicious apps targeting their brand and, if determined to be a threat, have them removed.