There comes a time in everyone’s life when they consider, for better or for worse, downloading Pokémon Go. Now it seems scammers are ready for that impulsive moment to arrive, and they’re just waiting to redirect unsuspecting players to an app store where they may catch more than Pikachus.
New research from the security firm Trend Micro indicates that bogus third-party stores—a long-running problem for Android—have now been surprisingly successful in targeting iPhone users, tricking them into installing ad-laced impostor apps on their devices. Trend Micro highlights two third-party app services: Haima, which is based in China, and the Vietnam-based HiStore. Both have achieved millions of downloads of their counterfeit Pokémon Go apps for iOS (an impressive and concerning 10 million in the case of HiStore) as well as other fake versions of popular apps like Facebook, Twitter, and Instagram. Haima’s fake Minecraft app, by Trend Micro’s count, has been downloaded more than 68 million times. The companies promote their phony apps heavily on social media, luring people into clicking on them instead of searching in Apple’s App Store. And it’s working.
In the new scheme, the adware distributors set up their app stores through Apple’s Developer Enterprise Program. The service is meant for companies that want to build and distribute proprietary internal apps to their employees. When a company tricks someone into downloading a repackaged version of an app, the software contains adware that starts evaluating information about the victim’s device and mobile network to serve more targeted ads. Then, as the victim uses the app, ad firms deliver ads to the phone, paying fees to the scammers for the privilege.
Apple has always been aggressive about policing its apps. The company just announced a massive cleanup of its App Store at the beginning of September. And the Developer Enterprise Program gets similar scrutiny. When an app is approved it receives a certificate that Apple can revoke at any time, rendering the app unusable wherever it has been downloaded. But making a new Developer Enterprise account and getting a new certificate costs only $299. So when Apple pulls the plug on one certificate, scammers just start using a new one. While investigating Haima, Trend Micro found that the service used five different certificates over just 15 days. Apple didn’t respond to WIRED’s request for comment.
The scheme is relatively simple. But the scammers still put serious effort into ensuring that their apps actually work, so customers will keep using them for as long as the fraudulently obtained certificates remain valid. When Pokémon Go was first released and limited to functioning in certain geographic areas, Trend Micro notes that Haima had a version of its fake app that spoofed location data to get around the legitimate app’s restrictions, allowing people who had unknowingly downloaded the scam version to continue using it from anywhere. As Pokémon Go eased these restrictions, Haima updated the app accordingly.
If you’re sure that you always download your apps from the Apple App Store or Google Play Store, your apps are secure. On the rare occasion that a malicious app actually gets approved and is available for download from these legitimate app stores, Apple and Google are generally swift about removing it, revoking its certificate and notifying customers. If you don’t pay attention to where you get your apps or you’re prone to clicking on random links without considering their origin, you could be at increased risk. The best way to protect yourself against downloading fake apps loaded with adware is to navigate to authentic app stores and search for the app you want within them, instead of using an outside search engine or social media.
Fake apps can put your phone’s data and even its hardware, like its GPS or its microphone, in the hands of bad actors. Christopher Budd, a global threat communications manager at Trend Micro, notes that the latest research focused on adware, but scam apps downloaded from unaffiliated app stores put users at risk of being exposed to all sorts of malware. “The biggest thing is the importance of going only to the official app stores,” Budd says. “The mobile malware problem that we’ve seen is almost exclusively a problem with third-party locations.”
How Serious is This?
While repackaged, scammy apps are an old problem, Trend Micro’s research is a reminder that they remain pervasive, and reach Apple devices, too. “As far as iOS this is a fairly unusual and new thing,” Budd says, noting that the sheer number of the downloads—reaching tens of millions—is unprecedented for fake iOS apps. “It’s all about scale,” he says. The research didn’t reveal any evidence that scammers are using truly malicious malware that steals data or other cybercriminal behavior—at least for now. But Trend Micro notes that developers should still take steps to make their apps more difficult to hijack, like obfuscating code so it’s harder for bad actors to access.
The crucial takeaway for consumers, though, is simpler: Use official app stores exclusively for finding and downloading apps. When it comes to mysterious software from untrusted Chinese purveyors, “gotta catch ’em all” is an ill-advised strategy.