Bad actors are constantly looking for ways to target unsuspecting users with malware or other digital threats. To increase the likelihood of a successful infection, these nefarious individuals incorporate holidays, current events and significant dates into their attack campaigns. It's, therefore, no surprise that digital miscreants are capitalizing on the end of summer by pushing out malicious "back to school"-themed Android apps.
The "ABCs" of These Android-Based Contaminants
With schoolchildren busy packing their backpacks and "finishing" that long-neglected summer book report, security firm RiskIQ decided to search its digital threat management platform for the keywords "back to school." Its scan returned 9,343 active Android apps. To its surprise, more than a tenth of those (12.7 percent, or 1,182 apps) came back as blacklisted. Close to a third of the marked APKs even turned up on Google's Play Store.
Malicious “back to school” apps in the RiskIQ platform. (Source: RiskIQ) What's so suspicious about these blacklisted apps? RiskIQ’s Threat Research Team found that many of the apps used free email services such as Hotmail, Gmail and Yahoo as their developer contact email addresses. These email services aren't inherently suspicious. But as they are free, they require less intensive identity verification, meaning anyone – even a malicious actor – can set up an account. That's exactly what happened in the case of "Dress Up School Fashion," an app which is blacklisted by 10 different AV vendors for serving digital threats. The app developer's email address is [email protected].
“Dress Up School Fashion” has a sketchy contact email. (Source: RiskIQ) Other apps like "Salon: Back to School" require permissions that don't cohere to the APK's advertised functionality. A mobile game, for instance, shouldn't be capable of accessing a user's phone calls and SMS calls. But those rights could all be part of the app developer's malicious intentions. Mike Wyatt, threat researcher at RiskIQ, says he sees programs exploit users' willingness to overlook excessive permissions all the time:
"For threat actors, it's all about driving downloads of their apps. Apps that infect users' phones with adware can help hijack traffic to drive users to threat actors' websites—which may be dangerous—and Trojans and other malware can infect users' phones to spy on them or steal their data."
Still, other apps leverage rave reviews and high download numbers to gain a potential victim's trust. In many cases, the app developer simply forges the reviews, while the download numbers reveal they've been successful in fooling lots of users. Fortunately, malicious app developers can and do make mistakes. That's especially the case for their spelling and grammar. Just look at what the app developer of a malicious Android app wrote:
Despite rave reviews, something is amiss (and hard to read) with this app. (Source: RiskIQ)
"Back to school, surely everyone had ever cheated all right? My mean is that you peek someone's exam who more smarter than you. Because you do not prepared fully for exam so cheating is considered to be the only solution at that time if you do not want to get bad score. Basically, the cheating itself is not bad, it's just bad … when teachers detect only."
An app that promotes cheating in school with horrible grammar? How ironic! Together, these factors should convince a user to not proceed with installation.
Some Advice for Parents and Consumers
As the start of a new school year draws ever-closer, parents should talk to their kids about digital threats. They should also ensure their children don't download apps with excessive permissions and forged reviews from untrusted developers with free email addresses. Wyatt elaborates:
"It's important to monitor young children's activity closely in app stores. Not only are there plenty of pitfalls regarding downloading adware and trojans, but children also tend to have some freewheeling spending habits in these marketplaces that can result in a surprisingly high bill for their parents. Unfortunately, once a malicious app is downloaded, it's usually too late. If it's just adware, uninstalling the app would work, but if it's malware, wiping the phone to factory settings is a more appropriate action to remain safe. For this reason, prevention by learning to recognize malicious apps is the best defense."
For more back-to-school digital security tips, please click here.
