When boredom strikes, your phone’s app store can be a haven of cheap entertainment. Thousands of game, shopping, utility and selfie-editing apps are just a click away. But if you remember the FaceApp challenge from earlier this summer, we were all reminded that some of these seemingly harmless apps can present security dangers.
Of course, you might not be concerned about whether Russian developers have boundless access to your goofy selfies. Maybe you still download apps and grant permissions without much thought. If so, you should know that there’s a much more immediate and serious threat lurking: apps that can steal your banking information.
How mobile apps steal your financial data
Apps with hidden malware are becoming increasingly common, according to Jason Glassberg, an “ethical hacker” and co-founder of Casaba Security. These apps make their way into legitimate app stores, and they also con people into downloading them from third parties via smishing schemes.
Last year, for instance, the technology company ESET found 29 malicious apps in the Google Play store that were capable of intercepting texts, bypassing SMS two-factor authentication, installing additional malicious software onto devices and more. Google removed all these apps from the Play store once the company was notified, but more than 30,000 users had already downloaded them.
Although such incidents are rare, Apple has also dealt with periodic malware outbreaks. In 2015, for example, the notorious “XcodeGhost” malware was found embedded in several otherwise legitimate apps.
Often, these fraudulent apps employ what are known as Trojans to steal your information. Just as the Trojan horse was used to sneak soldiers past the wall of Troy, “a Trojan is an application that is malicious in nature, but disguised as something benign,” said William Keppler, senior security specialist for cybersecurity company CyZen. “The malicious nature depends on the attacker’s goals.”
For example, a gaming app might have some sort of pay feature that allows players to buy additional game assets. When a user makes a purchase, the embedded Trojan can steal the banking information provided and then conduct unauthorized transactions, Keppler said.
“Trojans can do multiple things, but are often aimed at stealing your credentials from financial apps, such as banking, payment and cryptocurrency apps,” Glassberg said. Once installed, the Trojan lies dormant until you open a legitimate banking or payment app on your phone. This is when the Trojan performs an “overlay attack” to secretly steal your information, he explained.
Though there have been instances of fraudulent apps masquerading as legitimate financial institutions, most scammers that end up stealing your info do so by hiding malware in other seemingly innocuous apps such as games, calculators and photo editors. “It’s not the banking apps themselves, but these other silly, what you think are harmless, apps that you then run with outlandish permissions,” Glassberg said.
In fact, he said that one major red flag of a malicious app is asking for strange permissions, such as access to your photos, files and network. “A lot of times, people don’t think twice about just clicking OK. But with those certain sets of permissions ... they’re able to run in the background and wait for a banking website or app to be run, and that’s when they go into action,” Glassberg said. “There’s absolutely no reason for a solitaire card game to want to access data connections or your photos.”
Though Trojans can make their way into any app store, the Google Play store has been particularly vulnerable. The Android open-source community that fosters innovation also, unfortunately, makes it easier for scammers to hide their malware in apps.
Glassberg said over the last year, a number of well-known Trojans have made their way in. “Cerberus, Anubis and BianLian are three big ones that have successfully been introduced into the Play store and sit there, waiting for a very specific connection to a bank, and a very specific logon screen, to then go and start stealing information as it’s being entered,” he said. “It’s a very specific kind of attack that has been, unfortunately, fairly successful.” He noted that hackers are increasingly using droppers ― Trojans that download additional malware once the app is installed ― to bypass various app stores’ security.
Don’t get duped
With so many fake apps and malevolent Trojans lurking in app stores, how can you protect your phone and financial information?
“I get hired by these really big companies to do all sorts of very technical, specific, complicated kinds of testing, but I can share with you a secret: It’s always the human element that gives up the goods,” Glassberg said. People click on a link, or run software, or hand over credentials to a website and inadvertently download malicious software, which he said can often be avoided.
Avoid downloading apps from sketchy sources: Though plenty of Trojans have made their way into legitimate app stores, you open yourself up to a lot less risk by sticking with the Google Play store for Android and the Apple Store for Apple devices. “Apps from these sources are typically vetted for malware,” Keppler said. Avoid downloading anything from unknown third parties, which might not employ as strict security measures.
Keep a careful eye on permissions: When installing an app, make sure the permissions it asks you to grant make sense. “If a gaming app is asking for permission to access your contacts, microphone and photos, you should ask yourself why a game needs this type of access,” Keppler said. Chances are, it only does in order to run hidden, malicious software in the background.
Limit the number of apps you download: Scammers often cast a wide net in hopes of reaching as many unsuspecting users as possible. That means the more apps you download, the more vulnerable you become. “Not only will this eat up your drive’s space, but it increases the risk of downloading malware,” Keppler said. It’s a good idea to keep the number of apps you download to a minimum and stick with your tried and true favorites.
Never “jailbreak” your phone: Keppler said that when you “jailbreak” a phone, you bypass the restrictions put on the phone by the vendor to protect consumers. This gives you more privileges on the device than necessary. “This would allow any application that the consumer runs to have elevated privileges, which malware can exploit to perform unauthorized transactions or access sensitive information without the user’s knowledge or permission,” he said.
Trust but verify: Finally, Glassberg explained that many people need to break their habit of granting permissions or clicking links with abandon. For example, if you receive a message on social media from one of your friends with a strange link, call or text them and ask if they really sent it before clicking. If you get an email from the bank saying that your account needs attention and you must click a link to log in, just call the bank instead. “So many of these attacks are preventable with just a little common sense,” he said.