SINGAPORE — While applications or apps are essential to the function of mobile devices — and to a certain degree, the daily lives of their users — the authorities have recently warned about the dangers associated with downloading apps.
On Tuesday (May 16), the police warned of a phishing scam involving the download of a fake app that passes itself off as the ScamShield app.
The genuine ScamShield app checks incoming calls against a list maintained by the police to see if the number has been used for illegal purposes and blocks it.
Last month, the police and the Cyber Security Agency of Singapore issued a joint advisory against downloading apps from third-party or dubious sites.
Doing so may lead to malware being installed on the device, which may in turn result in confidential and sensitive data, such as banking credentials, being stolen.
In the advisory, the authorities also warned members of the public to be wary of suspicious updates that claim to be Google or Android-related, as well as fake apps that pass off as the genuine ones.
TODAY spoke to cybersecurity experts on how people can fall for such app-related scams, the dangers of such bad apps and how to protect oneself against them.
HOW PEOPLE END UP DOWNLOADING BAD APPS
There are many ways in which a person can get tricked into downloading a fake or malicious app.
Mr Lim Yihao, a threat intelligence adviser, said that in many cases, scammers leverage social engineering methods. “(They do this by) masquerading as bank officers or law enforcement units to persuade victims to download applications from third-party sites, which are also masquerading as legitimate sites from which to download these applications,” Mr Lim said. He is with Mandiant Intelligence, part of Google Cloud's business, advising the Japan and Asia-Pacific region.
Mr Ali Fazeli, a senior consultant at cybersecurity company Infinity Forensics, said that such apps can also be propagated through online advertisements offering services or deals for products.
When users click on such ads, the supposed seller of the services will ask them to download an app through a link to access the supposed services.
These apps would then cause harm to the user in various ways.
Mr Kenny Yeo, head of the Asia-Pacific cybersecurity practice with consultancy firm Frost & Sullivan, said that besides offering services or goods, such download links can be in many guises that pique the curiosity of the user.
“During the Covid-19 pandemic, (the banner or ad) could be for information about Covid-19 and its medical effects. Later, it could be around the Ukraine conflict and ‘donating’ to people suffering in the war,” he added.
Some fake apps pretend to be an Android update or a security update, Mr Lim from Google Cloud cautioned, and victims downloading these files get a malware-infected file on their mobile phones instead.
ARE ALL APPS IN OFFICIAL STORES SAFE?
Mr Lim said that Google does not permit apps that are “deceptive, malicious, or intended to abuse or misuse any network, device, or personal data” on Google Play Store.
“We have built-in malware protection, Google Play Protect, which uses machine learning models to automatically scan over 100 billion apps on Android devices every day for fraud and malware,” he added.
The other cybersecurity experts said that every official app store generally has safeguards against malicious apps. However, occasionally, some malicious apps do get through the checks.
Mr Ali said that some apps may not have any malicious code inside, but can behave maliciously.
For example, upon downloading, certain apps may request access to certain functions or resources in the phone — such as the contact list, camera and many others — for various reasons.
“So anyone can misuse those authorisations or those resources that are sitting on your phone,” he said.
Users need to be all the more vigilant about apps downloaded from outside official stores such as Apple's App Store and Google Play, since third-party sources exercise even less control over the types of apps offered, the experts said.
WHAT HAPPENS AFTER A BAD APP IS DOWNLOADED
There are many ways in which the app can cause harm to the device and its user:
Some apps can install malware on the device, which can steal private information or act as a keylogger to record passwords and other details for exploitation
Malware may take control of the device’s microphone and video camera or do screen recording to potentially record compromising or private activities
Pop-ups may also appear. They may range from annoying advertisements, to tabs in the phone browser leading to phishing sites
The stolen information and data would in turn lead to different types of harm.
“For example, a stolen contact list can allow the threat actor to impersonate the victim and reach out to his family and friends to ask for monetary aid or favours,” Mr Lim said.
Stolen credit card or banking details can be exploited to make fraudulent purchases or transactions, leading to monetary losses.
HOW TO MINIMISE RISK OF DOWNLOADING FAKE OR BAD APPS
Protecting oneself from potentially harmful apps starts with “taking stock” of which apps one truly needs, Mr Yeo from Frost & Sullivan said.
“Do you really require five weather apps, three clock apps, and seven QR code scanners? Which are the ones that have the best app score and reputation in the app store? Start to reduce the apps on your mobile device,” he advised.
Before downloading any app from the store, Mr Lim from Google Cloud suggested taking note of the following:
1. COMMENTS ABOUT THE APP: If an app is a popular one, it should not have a low rating or numerous user complaints. However, it is easy to generate fake positive reviews, so overwhelmingly positive reviews could potentially be a red flag, too.
2. NUMBER OF DOWNLOADS: Legitimate apps commonly have up to millions or billions of downloads. If a popular app has only several hundred or thousand downloads, it is very suspicious and consumers should conduct a detailed check to ensure the legitimacy of the app.
3. APP DEVELOPER: Do some background research into the developer to find out information about it. This might show whether the developer is reputable or not.
4. APP RELEASE DATE: If an app was released very recently but has an abnormally high number of downloads, it is likely not a real version of the app because legitimate apps with high downloads often take a period of time to generate market traction.
5. APP PERMISSIONS: Fake apps often ask for authorisations that are not strictly necessary for what they claim to do. For example, a navigation app should not need access to your contact list or photos.
6. APP ICON: Fake apps commonly use the same icon as a real app. However, at times, the icon image might not be of high quality and if it is abnormally pixelated, it is also a warning.
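The permissions check in point 5 can be made concrete rather than eyeballed. The script below is an added example, not code from the article or from any of the experts quoted in it: it reads the output of `adb shell dumpsys package <package>` (USB debugging enabled) for an installed Android app, pulls out the permissions the app requested, and flags any sensitive ones that the app's stated purpose does not justify. The package name, the sample dump and the per-category baselines are constructed for illustration, and the layout of the `requested permissions:` block is assumed to match current dumpsys output.

```python
"""Flag sensitive Android permissions an app requests beyond what its
stated purpose needs.  Added example; not from the article or any vendor.

On a real device:
    adb shell dumpsys package com.example.fakenav > dump.txt
    python permission_audit.py dump.txt navigation
"""
from __future__ import annotations

import re
import sys

# Runtime/special permissions that give access to the data and capabilities the
# article lists as abuse targets: contacts, SMS, camera, microphone, photos,
# location, screen overlays (fake login screens) and sideloading of more payloads.
SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_PHONE_STATE",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}

# Illustrative baselines (assumption): what a legitimate app of each kind plausibly needs.
EXPECTED = {
    "navigation": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
    },
    "weather": {"android.permission.ACCESS_COARSE_LOCATION"},
    "qr_scanner": {"android.permission.CAMERA"},
    "call_blocker": {  # a ScamShield-like app legitimately needs call metadata
        "android.permission.READ_PHONE_STATE",
        "android.permission.READ_CALL_LOG",
    },
}

# A permission line: indentation, then e.g. android.permission.READ_SMS,
# optionally followed by ": restricted=true" style flags that newer builds print.
PERM_RE = re.compile(r"^\s+([\w.]+\.permission\.[\w.]+)")


def requested_permissions(dump_text: str) -> set[str]:
    """Return every name listed under a 'requested permissions:' block."""
    perms: set[str] = set()
    in_block = False
    for line in dump_text.splitlines():
        if line.strip() == "requested permissions:":
            in_block = True
            continue
        if in_block:
            m = PERM_RE.match(line)
            if not m:          # first non-permission line (e.g. 'install permissions:') ends the block
                in_block = False
                continue
            perms.add(m.group(1))
    return perms


def audit(dump_text: str, category: str) -> list[str]:
    """Sensitive permissions the app requests that its category does not justify."""
    expected = EXPECTED.get(category, set())
    return sorted((requested_permissions(dump_text) & SENSITIVE) - expected)


# Constructed sample (not a real package) mimicking dumpsys output for a
# supposed navigation app that also wants contacts, SMS, photos and overlays.
SAMPLE_DUMP = """\
Packages:
  Package [com.example.fakenav] (a1b2c3d):
    userId=10247
    versionName=1.0.3
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_FINE_LOCATION
      android.permission.READ_CONTACTS
      android.permission.READ_SMS: restricted=true
      android.permission.READ_MEDIA_IMAGES
      android.permission.SYSTEM_ALERT_WINDOW
    install permissions:
      android.permission.INTERNET: granted=true
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text, category = fh.read(), sys.argv[2]
    else:
        text, category = SAMPLE_DUMP, "navigation"
    for perm in audit(text, category):
        print("UNEXPECTED:", perm)
```

Run with no arguments to see the constructed sample flagged: the location permission is accepted as normal for a navigation app, while the contacts, SMS, photo and overlay permissions are reported. An empty result is not proof of a clean app (the article's point that an app can behave maliciously with permissions it was legitimately granted still stands), but an unexpected request list is a cheap, objective signal to pair with the reviews, download count and developer checks above.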
Additionally, the experts said that installing security software such as antivirus apps can also offer some protection, because they can scan for some potential threats.
Dr Jiow Hee Jhee from the Singapore Institute of Technology has this reminder to offer: “Having antivirus software does help, but still, users should be wary of apps they download, and not put full reliance on antivirus software.”
Mr Ali also advised users to frequently update their phone operating systems and their apps, because the updates typically contain patches to protect against vulnerabilities.
Beyond software protection, Mr Ali also said that it is important for users to exercise “common sense” and to constantly be vigilant, especially against any app that offers deals or offers that are too good to be true.
Mr Lim said: "There is no silver bullet to solve this issue. There has to be a combination of technology measures and user awareness to eradicate this issue."
WHAT TO DO IF YOU DOWNLOADED A MALICIOUS APP
In the event that a person has downloaded an app suspected to be malicious, Mr Ali suggested the following steps:
Put the device into "airplane mode" to disable the radios and transmitters on the device. This will ensure no data can be transmitted into or out of the device
Retrace your steps to your best ability and take corrective actions. For example, if you had put in your card and banking details into the bad app, cancel the card and inform the bank. If you have put in your email account details, change the password of your email account immediately
Remove the suspicious app and scan the device with an antivirus or security software
If the device still behaves strangely after all the steps are taken, give your device a factory reset