Over 2,000 fake Android apps discovered

University of Sydney researchers analysed over one million Google Play apps and found over 2,000 counterfeit apps. Popular games such as Temple Run, Free Flow, and Hill Climb Racing were the most common targets for app impersonation.

Dr Seneviratne says smartphone users should never install apps from non-official app stores or by searching online.

The apps you regularly use to log your steps, edit your photos and monitor your finances may be hiding malicious software that could be tracking and even stealing your personal information.

As part of a two-year cyber security project, researchers from the Faculty of Engineering’s School of Computer Science and Data61-CSIRO investigated over one million Google Play apps and discovered 2,040 potential counterfeit apps.

Many of the fake apps impersonated highly popular apps and contained malware, with popular games such as Temple Run, Free Flow and Hill Climb Racing being the most commonly counterfeited. The study also found that several counterfeit apps request dangerous data access permissions despite not containing any known malware.

Counterfeit or ‘fake’ apps are often used by hackers to steal user data or infect a device with malware. Installing counterfeit apps can lead to a hacker accessing personal data and can have serious consequences such as financial losses or identity theft.

“Many fake apps appear innocent and legitimate – smartphone users can easily fall victim to app impersonations and even a tech-savvy user may struggle to detect them before installation,” explained School of Computer Science academic and cybersecurity expert Dr. Suranga Seneviratne.

“In an open app ecosystem like Google Play the barrier to entry is low so it’s relatively easy for fake apps to infiltrate the market, leaving users at risk of being hacked,” he said.

The Google Play Store is the largest of its kind, hosting over 2.6 million applications, many of which have been developed by third parties.

“While Google Play’s success is marked on its flexibility and customisable features that allow almost anyone to build an app, there have been a number of problematic apps that have slipped through the cracks and have bypassed automated vetting processes,” he explained.

“Our society is increasingly reliant on smartphone technology so it’s important that we build solutions to quickly detect and contain malicious apps before affecting a wider population of smartphone users,” he said.

Director of the NSW Cyber Security Network, Todd Williams, believes the research has the potential to place New South Wales on the map as a leader in cyber security.

“The NSW Cyber Security Network is very pleased to be able to support the world-leading research of the University of Sydney. This research further strengthens NSW as a leader in cybersecurity,” he said.

Hackers may use counterfeit apps to steal data and personal information

Tips to avoid being hacked by counterfeit apps

Do your homework – If you want to try out a new app, find out which platforms and countries it has officially been released in. Counterfeiters may target countries or platforms where some popular apps are yet to be released.

Be mindful of cross app market counterfeits – One common trap that you might fall into is downloading an app on Google Play that has only been released on the Apple Store. Always check to see if an app has been released on both platforms before downloading.

Read the app description and check metadata – Read the app description carefully and check the available metadata, such as the developer information, number of downloads, release date, and user reviews before any installation. For example, a Facebook app with only 100,000 downloads would be an immediate red flag as the authentic Facebook app would instead have billions of downloads.

Stick to official app stores – Do not install apps from non-official app stores or just by searching online.

Carefully check the permissions requested by the app – One possible way to understand an app’s behaviour is by understanding the permissions requested by apps. See whether the permission requests make sense by asking questions like, “does this app really need to access my SMS”?

Regularly update your operating system and remove any apps you no longer use – It’s crucial that you keep your operating system up-to-date so that even if you do accidentally install a malicious app, it will not be able to bypass your smartphone’s security system.

/University Release. View in full here.