Date: 2023-06-21

You’ve just downloaded a new mobile game, cryptocurrency wallet, or fitness app, but something isn’t right.

Your phone’s screen is swamped by annoying ads, the app is not doing what you would expect it to do, and, God forbid, you found an unauthorised transaction on your bank account. Chances are the app you downloaded has been after your money or sensitive information.

Given the wealth of data we access via our smartphones, it’s little wonder cybercriminals have their sights on these devices, with threats looming large especially in third-party app stores.

The number of Android threats soared by 57% in the last few months of 2022, driven by a whopping 163% increase in adware and growth of 83% in HiddenApps detections.

7 ways to recognise a fake app

Check the numbers: Say you’re looking for what you would reasonably expect to be an app with hundreds of millions of users but only come across an app that, while sounding like the real thing, hasn’t racked up anywhere near as many downloads.

If that’s the case, chances are high you’re dealing with an imposter app.

Read the reviews: If an app is rated poorly, you should probably give it a pass. On the other hand, tons of glowing reviews that all sound almost the same should also raise eyebrows. This is especially the case with apps that have not been downloaded millions of times - many of those recommendations may be the work of fake reviewers or even bots.

Check the visuals: Something about the app’s colour or logo doesn’t feel right... If you’re in doubt, compare the visuals to those on the website of the service provider. Malicious apps often mimic their legitimate counterparts and use similar, but not necessarily identical, logos. Keep your eyes peeled for details - a closer look, including at the URLs, often reveals some giveaways.

Double-check the “official app” claims: In one case documented by ESET last year, cybercriminals distributed apps for online stores and banks that often didn’t even have an app available on Google Play. When downloading a mobile app that should be associated with a popular online service, ensure the service actually offers such an app. If that’s the case, its official website will contain links to the apps in Google Play Store and/or Apple App Store.

Check the app’s name and description: Legitimate app developers typically go to great pains to avoid coming across as unprofessional. This also applies to things as mundane as app descriptions - read through them to see if you can spot poor grammar or inconsistent and incomplete details.

These often provide a clue that an app isn’t what it’s claimed to be.

Check the developer’s pedigree: Tread carefully when dealing with an app from an unknown developer with no track record in app development. Don’t be fooled by a name that rings a bell, either - shady app makers may be misusing the name of a legitimate and well-known entity. Double-check if the developer has other apps to their name and that the apps are reputable; if in doubt, search for the developer’s name in Google.

Look out for excessive app permissions: Stay away from apps that require excessive user permissions - that is, the kinds of privileges they don’t really need to do their job.

A flashlight app hardly needs admin rights and access to core device functionality.

7 signs you downloaded a risky app

The app isn’t doing its job: As an example, in 2018 ESET researchers analysed a set of apps that posed as security solutions, but all they did was display unwanted ads and offer pseudo-security. They only mimicked basic security functions with very primitive security checkers that relied on a few trivial hardcoded rules. As a result, they often detected legitimate apps as malicious and created a false sense of security in the victims. If your new ‘game’ turns out to be a gambling platform, something isn’t right. Check again what it is that you’ve actually downloaded.

It behaves strangely: Does the app exhibit weird behaviour, such as starting up, closing, or failing altogether for no apparent reason? This is one of the most obvious signs that you may have downloaded a dodgy app.

You incurred unexpected charges: If you’ve spotted unwanted charges on your credit card or phone bill, it could be due to an app you downloaded recently. Watch out for scams that involve downloading a peer-to-peer (P2P) payment service and offer fictitious products and services at fire sale prices. Because payments are often instant and cannot be canceled, you may lose money by paying for something you will never receive.

Strange messages and calls: Another sign of trouble involves malware spamming out messages from your phone to your contacts (like FluBot does). In other cases, your call or text message history may contain unknown entries as malware attempts to make unauthorised calls or send messages to premium-rate numbers.

Battery drain: Does your device battery get drained far faster than usual? It may be due to background activity that consumes the device’s resources and could ultimately indicate your device has been compromised.

Spikes in data usage: If you experience a major and sudden surge in your internet data usage without any change in your browsing or phone usage habits, it could also be because of an app’s activity in the background.

Random ad pop-ups and unknown apps: A malicious app may go on to install additional apps in the background without your authorisation. Same goes for pesky adware displaying unwanted ads on your device. If you spot any of this, chances are high you need to act fast.

7 tips for staying safe

Stick to Google Play and Apple App Store.

Don’t mindlessly click on links sent via social media messages or emails.

Use two-factor authentication (2FA) on all your online accounts that offer it.

Keep your phone’s operating system and apps up-to-date.

Stick to apps whose developers continue to improve their products and fix security vulnerabilities and performance bugs.

Secure your device’s screen with a passcode of sufficient length and complexity or a solid biometric feature such as a fingerprint - or, ideally, a combination of both!

Use mobile security software.