Seven scamware apps found in Google Play and Apple’s App Store corralled more than half a million dollars for their developers, a digital security company reported Tuesday.
Avast discovered the malicious apps after a 12-year-old girl flagged a suspicious app promoted on a TikTok profile through its “Be Safe Online” project in the Czech Republic, where the business is based.
The adware apps have been downloaded more than 2.4 million times and have earned their developers more than US$500,000, Avast revealed in a company blog.
Many of the apps are being promoted on TikTok on at least three profiles, one of which has more than 300,000 followers, Avast noted. An Instagram profile with more than 5,000 followers was also found promoting one of the apps.
Avast explained that the programs pose as entertainment apps, which either aggressively display ads or charge from $2 to $10 to purchase the software.
Some of the programs, it added, are HiddenAds trojans, which disguise themselves as safe apps but serve ads outside the app.
“The apps we discovered are scams and violate both Google’s and Apple’s app policies by either making misleading claims around app functionalities or serving ads outside of the app and hiding the original app icon soon after the app is installed,” stated Jakub Vvra, a threat analyst at Avast.
“It is particularly concerning that the apps are being promoted on social media platforms popular among younger kids, who may not recognize some of the red flags surrounding the apps and therefore may fall for them,” he added.
Difficult to Detect
HiddenAds trojans can be particularly pernicious because they will continue to serve ads even after the app that installed them is removed.
“The behavior of installing the adware separately through the original application is why it’s classified as a Trojan rather than simply adware,” explained Jonathan Tanner, a senior security researcher with Barracuda Networks.
“The original app tricks the user into infecting their device with the actual adware rather than simply acting as the adware,” he told TechNewsWorld.
Since the app is side-loading its adware and not serving the ads itself, the bad app should be easier to detect, but it does lower its profile by limiting itself to only functions used by legitimate programs and nothing more.
“This would normally be a good means of detecting malware,” Tanner said. “Malware often requires more control over the phone than available to developers, often requiring rooting the phone, which can be detected more easily.”
Adware, in general, can be difficult to detect because advertising is common within apps. “Adware takes these ads too far by either being too invasive to the point of draining computing resources and bandwidth or utilizing less reputable ad networks that may distribute malware,” Tanner explained.
“Detecting invasive ads versus a simple banner would require profiling the behavior of the app or reverse engineering its code, both of which can be difficult and time-consuming to do at scale,” he said.
“Detecting malicious ad networks requires tracking which ad networks are legitimate and which are not, which again is not a trivial task,” he continued. “As with the apps themselves, ad networks can suddenly shift from safe to malicious if the wrong advertiser signs up and has too much freedom as to what content is allowed.”
Cowed by Influencers
It can be difficult for an app store to flag programs that charge money but offer little or trivial functionality if they live up to their claims, no matter how paltry they may be.
“For example, the surge of flashlight apps during the early days of the App Store’s existence were largely legitimate, if questionable value for the money,” said Chris Clements, vice president of solutions architecture at Cerberus Sentinel, a cybersecurity consulting and penetration testing company, in Scottsdale, Ariz.
“The Apple and Google stores have since attempted to crack down on apps that only perform trivial functions,” he told TechNewsWorld, “however, the definition of what constitutes a trivial function can be murky for reviewers to determine.”
Inexperienced users can also make the job of shady apps easier. “Mobile devices are a ‘black box’ for most users, and they have little visibility into what’s happening deeper in the device,” said Saryu Nayyar, CEO of Gurucul, a threat intelligence company, in El Segundo, Calif.
“There are a number of techniques mobile application developers can use to hide from a casual user,” she told TechNewsWorld.
Users on networks like TikTok can also be too easily cowed by social media personalities. “Many social media influencers will take money to promote products or apps without doing any research into their legitimacy,” Clements maintained.
“The influencer ecosystem is ultra-competitive, and promotions from even those with large audiences can be bought for next to nothing,” he added.
Leveraging Social Situations
Using TikTok profiles for promoting scam apps is only the latest vector of abusing popular channels to capture profit from unsuspecting supporters, noted Ben Pick, a senior application security consultant at nVisium, a Falls Church, Va.-based application security provider.
“The best method to not be susceptible is to verify the app being downloaded and not click a link directly from a user’s profile,” he told TechNewsWorld.
“Check for excessive permissions and numerous bad reviews to prevent downloading similar scams or outright malicious apps,” he added.
Another factor influencing the downloading of these malicious adware apps may have been the imminent ban of TikTok by the Trump administration, which fizzled when the social app was able to cut a deal with Oracle and Walmart that satisfied Washington.
“We frequently see threat actors leverage social situations to their advantage,” observed Hank Schless, a senior manager for security solutions at Lookout,a San Francisco-based provider of mobile phishing solutions.
“In this case,” he told TechNewsWorld, “they know people rushed to download TikTok ahead of the ban, and these new users look for influencers to follow when they sign up for the app.”
Pay Attention to Reviews
One of the simplest ways to avoid becoming a victim of adware scams is to read the reviews about an app. “When loading apps, it’s essential to read reviews and check the ratings,” James McQuiggan, a security awareness advocate at KnowBe4, told TechNewsWorld.
Pay particular attention to negative reviews, added Cerberus Sentinel’s Clements. “Scammers often use bots or pay for fake positive reviews,” he explained.
McQuiggan also advised that when there are prompts to install an app from an advertisement in a profile or on a website, it’s vital to do some due diligence about the app to make sure it’s not malicious.
Chlo Messdaghi, vice president of strategy at Point3 Security, a provider of training and analytic tools to the security industry in Baltimore, Md., agreed. She told TechNewsWorld, “It’s always better to do some research before allowing an app into the most personal digital space in your life — your phone.”