Ever since Apple introduced its App Store in 2008 and Android followed suit, apps have become an integral part of our lives. With millions of apps available on each official store, they quickly became the de-facto way of obtaining and installing new software on a smartphone. However, while the vast majority of apps that are added to stores are legitimate, some abuse the reputation and intellectual property of others in order to benefit themselves. Using the brands and services of established companies enables them to use others’ hard work to achieve popularity, which can be monetized in various ways. Known as “Rogue Apps”, they can be found targeting organizations large and small, posing real danger to the reputation of the companies they masquerade as.
While the term “Rogue Apps” often refers to cases where certain apps contain malware, the focus in this article is purely on the abuse of intellectual property (even when no malware is present), as these are the lesser-known threats. In this context, there are two main types of incidents that we identify.
One threat is a full impersonation of a service which has no mobile app, masquerading as its “official” application. Take for example talent.io (https://www.talent.io), Europe’s fastest growing recruitment platform for tech profiles and the largest talent marketplace in the continent. Serving over 7,000 companies, including American Express, Tesco and Deliveroo, it enables finding and reaching out to permanent hires, as well as contractors. talent.io’s platform is exclusively web-based. The company does not operate any mobile apps, nor authorizes any third parties to do so on its behalf.
A threat actor identified talent.io’s lack of presence on mobile platforms and took advantage of it, creating a talent.io application claiming to be official. The goal was to use talent.io’s brand and reputation to encourage downloads. The app was originally uploaded to Google Play; after it was taken down for being fake, the threat actor shifted tactics and uploaded it to various app store “mirrors”, also known as APK repositories.
While in the west most users only use the official app store of each operating system, in other markets smaller app stores have also enjoyed popularity, specifically for the more permissive Android operating system. Multiple “APK repositories” are available, providing an alternative to the official stores. This is important in the context of Rogue Apps, as it means that while many of them would eventually be removed from the official stores, they could still be accessible in any one of dozens of available sites.
Another brand abuse threat in mobile is apps that offer benefits that supposedly complement existing services. Specifically in the financial sector, there are quite a few apps that claim to enable their users to bank online at multiple financial institutions. For users that have accounts in multiple banks this does provide value – being able to perform all their banking activities in one place. However, these apps are not authorized in any way by the banks to have access to their online services, their security has not been reviewed, and the developers’ legitimacy has not been verified. Unlike impersonation, these apps are more of a grey area, yet the goal is the same – to benefit off someone else’s work.
These types of apps are not only prevalent in the financial sector, but in online services as well. Many apps can be found for popular social media sites, online games and other services. Apps try to lure users to download them by offering tips and methods for gaining free likes, followers, in-game currency, and more. While most offer legitimate guides, some offer tools or knowledge on how to abuse the systems and rules these services are built on for an unfair advantage. Each service defines its own “red lines” for what content is allowed and what isn’t. However, while abusive content is usually looked for on websites and forums, the mobile space, which is often rife with this kind of content, remains unmonitored.
The goal of a Rogue App’s developer is of course monetization. Many of these apps are monetized by having banner ads within them. The popularity of the brands that they masquerade as or abuse translates to a larger number of downloads, which in turn translates to more money being earned. This scheme is somewhat similar to what is being observed in the music streaming space, where threat actors “hijack” an artist’s reputation and upload music tracks produced with minimal effort, in order to receive ad revenue.
More malicious monetization methods do exist, such as data theft, in which a Rogue App is used as the mobile equivalent of a phishing attack. As noted, some apps are injected with malware, though in many of these cases the developer deliberately avoids impersonating or associating themselves with known brands in order not to draw too much attention to their malicious intentions. Instead, they are usually available as free games. When malware-infested apps do masquerade as legitimate services, they are also a blatant abuse of intellectual property and will be picked up by anyone who is monitoring for such activities.
The best way to mitigate the threat of Rogue Apps is to monitor app stores in order to identify them when they are uploaded, then use legal remedies such as DMCA takedown requests to remove them from where they are hosted. As the vast majority of the app stores, especially the official ones, collaborate with intellectual property owners, the main challenge is detecting the Rogue Apps.
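As an illustration of the detection step, the following added example (not taken from the article or from any vendor's tooling) triages app store listings against a brand profile and separates the two incident types described above: listings that claim to be official, and grey-area listings that only use the brand. The store names, package ids, listing records and the 0.8 similarity threshold are constructed assumptions; collecting listings from stores and APK repositories is out of scope here.

```python
import re
from difflib import SequenceMatcher

# Assumed brand profile. The article says talent.io runs no mobile apps,
# so its allowlist of official package ids is empty.
TALENT_IO = {"name": "talent.io", "official_packages": set()}

def normalize(text):
    """Lowercase and keep only letters and digits ('Talent.io' -> 'talentio')."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def brand_similarity(title, brand_name):
    """Best fuzzy match between the brand and any brand-length window of the title."""
    t, b = normalize(title), normalize(brand_name)
    if b in t:
        return 1.0
    windows = [t[i:i + len(b)] for i in range(max(1, len(t) - len(b) + 1))]
    return max(SequenceMatcher(None, w, b).ratio() for w in windows)

def triage(listing, brand, threshold=0.8):
    """Classify one store listing against a brand profile."""
    if listing["package"] in brand["official_packages"]:
        return "official"
    if brand_similarity(listing["title"], brand["name"]) < threshold:
        return "ignore"
    text = listing["title"] + " " + listing["description"]
    if re.search(r"\bofficial\b", text, re.I):
        return "impersonation"      # claims to be the brand's own app
    return "brand-use-review"       # grey area: uses the brand, no official claim

def scan(listings, brand):
    """Return (store, package, verdict) for every listing that needs attention."""
    results = [(l["store"], l["package"], triage(l, brand)) for l in listings]
    return [r for r in results if r[2] not in ("official", "ignore")]

# Constructed sample listings (store names and package ids are made up).
LISTINGS = [
    {"store": "apk-mirror.example", "package": "com.example.talentio",
     "title": "Talent.io - Official App", "description": "Find tech jobs."},
    {"store": "apk-repo.example", "package": "com.example.ta1ent",
     "title": "Ta1ent io Jobs", "description": "Tips for tech job seekers."},
    {"store": "apk-repo.example", "package": "com.example.tips",
     "title": "Tech Interview Tips", "description": "Interview practice."},
]

if __name__ == "__main__":
    for finding in scan(LISTINGS, TALENT_IO):
        print(finding)
```

Listings marked "impersonation" are the candidates for a takedown request, while "brand-use-review" listings need a human decision against the brand owner's own red lines.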