Dangerous Apps: How they work and how to protect yourself

Here at PhoneArena, we try to keep it positive. We love mobile technologies, so we're mostly optimistic about the industry and we try to pass that positivism to our readers. However, just like with anything else in this world, this coin has two sides.In the current piece, I will focus on the dark side of mobile apps.

And, if you'd allow me to rephrase the famous Rule 34, if it exists, hackers are already onto it. Mobile apps are no exception. Plenty of users had their devices infected with malware, their credit cards stolen or whatnot, just by installing a dodgy app from Google Play or the Apple App Store.For future convenience, I'll just call them “junk apps”, “fraud apps” or “insert-bad-word-here apps”.

What classifies as a junk app?

Now, before I talk about protecting yourself from such apps, let's get our terminology straight. What exactly do I mean when I say “junk apps”?

There are plenty of games and applications out there that are plain bad. Badly designed, badly optimized, plain stupid as an idea and so on. And while these apps are, without any doubt, annoying and useless, I'm going to leave them alone. They are not the result of malicious intent, but of lack of skill.

The apps I will talk about are the ones that have the sole purpose of tricking the user for the monetary benefit of the developer. Technically, there are two types of such apps that I know of.

The first type is the ad fraud one. Such apps are usually broken, buggy and useless. Their developers created them only so they can be installed on a user's device and forgotten afterwards. How do they work? The moment you open up the app, it starts loading ads in the background, one after another. You never see the ads, but they do load, refreshing at extremely high rates.

Forensiq, one the leading companies in ad fraud protection, conducted a study about a year ago and found out that such apps were installed on approximately 12 million devices worldwide. Affected users had both their batteries and data plans drained by the huge number of ads, reaching up to 700 different ads per hour, served in the background.

But ad fraud apps also hurt advertisers, who pay for their ads to be displayed. Instead, they are served where no one would see them and the money goes to the app developer, despite the fact that users don't actually see an ad. What happens can be explained in the following way – imagine you pay the rent of a billboard in the city center. The billboard owner takes the money, then takes the printed ad you gave them and throws it in a dumpster. Then they do the same to a hundred more advertisers, offering them the same empty billboard. Basically, they've scammed you out of your money. It's the same with background in-app ads.

The other type of junk apps is the data-stealing one. These apps are less common than the ad fraud ones, because they're harder to make and riskier if you get caught, but they do exist. The way they steal users' data varies.

Sometimes, it's through social engineering – fooling you into thinking it's a legit app or game, and asking for usernames, passwords, credit card info and so on. Such fraudulent app clones have been made for nearly all popular applications – Netflix, Pokemon Go, Overstock and many, many others.

Other times, they infect your device with malware, which automatically mines your user information from your device and sends it to its “mothership”. Or it allows third-party access to your device, which is then used by someone on the other side of the globe to break into your phone and take whatever info they want.

There is the ransomware type, too. It locks your phone and demands money, usually threatening with legal actions, if you don't pay up. There was one app, which scanned your Android device for illegal software (pirated music, for example), then got access to your social media profiles and locked your phone, demanding $100 dollars in 14 days, or it would post the illegal content through your social media profiles for the world to see and alert the authorities. The app specifically told you how much jail time you'd be facing for the content it “found” on your device.

And the last type of data-stealing apps is quite peculiar. Those are actually legit applications. They do work and, oftentimes, they work well. But they also gather data on the background. Such is the case with UC Browser (or was, since the latest updates made it a horrible browser too). A legit app, that people like and use, which leaks user identifiable information to third-party servers without even encrypting it first.

There are other scams on the mobile market, for sure, and even more will make their way to the Wild West of the web soon enough. Every time authorities catch one type of scam, a new one emerges, so I'm sure that hackers and scammers will find new clever ways to trick users. But for the time being, the ones described above are the most common ones you should look out for.

How to protect yourself from junk apps?

There is no easy way to be 100% sure that an app you're downloading is legit. But there are some things you can look out for prior to clicking the Install button. Not all apps exhibiting the listed traits are junk, but if a lot of the signs below are present, you should proceed with caution. If you apply some common sense too, you should be relatively safe.

The first thing to consider would be the legitimacy of the claims. Always ask yourself if it would be possible for the app to do what it claims it will do. A good example would be the numerous “color flashlights” on the Google Play store. Most smartphone flashes can't change color. They're made of a single white LED, instead of the special sets of three that are required for a multi-color LEDs. Also, there is no software support for such features in Android (as of yet). So, every app that claims it can change the color of your flash to a custom one, is quite clearly fake and suspicious. If you open up the comments of such apps, you'd see that they're also data and battery hogs. So, if you've read carefully until now, you should know that they're probably ad fraud apps.