Cyber security researchers at the University of Sydney have discovered more than 2000 counterfeit apps impersonating popular games on the Google Play store as part of a two-year project with Data61.
The two institutions investigated over one million apps on the Android platform, identifying 2040 apps either containing malware and posing as popular games like Temple Run, or requesting “dangerous” data access permissions.
Other apps that were regularly spoofed include Free Flow, Hill Climb Racing, along with fitness trackers, photo editors and finance management tools.
Each of the apps named above has well over 100 million downloads (more than half a billion in Hill Climb Racing’s case), and at least a 4.5 star rating on Google Play. However, a host of other visually similar apps with similar titles and less than stellar reviews appears below each when searched for by name.
While many are doubtless benign knock-offs trying to make a quick buck off the brand recognition of the legitimately successful apps, others pose a risk to casual users.
While not all contained known malware, the data permissions requested by the fake apps found by the researchers posed a significant risk to users’ privacy, potentially giving the apps access to SMS records, cameras, microphones, and other sensitive data.
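The permission risk the researchers describe can be checked before install by reading an app's manifest. The following is an added example, not code from the article or from the University of Sydney / Data61 study: it parses a decoded AndroidManifest.xml and flags requested permissions that fall into Android's "dangerous" runtime groups (SMS, camera, microphone, and so on) beyond what an app of a given category plausibly needs. The manifest below is a constructed sample of a counterfeit game, and the `triage` and `requested_permissions` helpers are this example's own; it assumes the manifest has already been extracted and decoded from the APK with a tool such as apktool.

```python
"""Triage an Android app's requested permissions from its AndroidManifest.xml.

Added example (not from the article or the University of Sydney / Data61 study).
Assumption: the manifest has already been extracted and decoded from the APK
(for instance with apktool); this script only parses the resulting XML.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Subset of Android "dangerous" runtime permissions, grouped by the data they expose.
DANGEROUS = {
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.CAMERA": "Camera",
    "android.permission.RECORD_AUDIO": "Microphone",
    "android.permission.READ_CONTACTS": "Contacts",
    "android.permission.READ_CALL_LOG": "Call log",
    "android.permission.ACCESS_FINE_LOCATION": "Location",
    "android.permission.ACCESS_COARSE_LOCATION": "Location",
    "android.permission.READ_EXTERNAL_STORAGE": "Storage",
}

# Constructed sample manifest: a "game" that asks for far more than a game needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.templerun.free">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Temple Run"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the permission names declared via <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return [el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)]


def triage(manifest_xml, expected_groups=frozenset()):
    """Report dangerous permission groups requested beyond what the app's category needs.

    expected_groups: data groups a legitimate app of this kind plausibly needs
    (for a casual game, usually none of the above). Returns (package, flagged),
    where flagged maps each unexpected group to the permissions that grant it.
    """
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "<unknown>")
    flagged = {}
    for perm in requested_permissions(manifest_xml):
        group = DANGEROUS.get(perm)
        if group and group not in expected_groups:
            flagged.setdefault(group, []).append(perm)
    return package, flagged


if __name__ == "__main__":
    pkg, findings = triage(SAMPLE_MANIFEST)
    print("package:", pkg)
    for group, perms in sorted(findings.items()):
        print("  %-10s %s" % (group, ", ".join(perms)))
```

Running it on the sample prints four unexpected groups (Camera, Location, Microphone, SMS) for a package that presents itself as a running game; `INTERNET` is a normal permission and is not reported. Passing `expected_groups` lets the same check be reused for categories where some access is legitimate, such as a photo editor that genuinely needs the camera.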
“Many fake apps appear innocent and legitimate — smartphone users can easily fall victim to app impersonations and even a tech-savvy user may struggle to detect them before installation,” warned Dr Suranga Seneviratne from USyd’s School of Computer Science.
“In an open app ecosystem like Google Play the barrier to entry is low, so it’s relatively easy for fake apps to infiltrate the market, leaving users at risk of being hacked.”
Part of the challenge, Seneviratne said, was that Google Play is the largest app store at 2.6 million applications, with fewer restrictions than on rival platforms like Apple’s App Store.
“While Google Play’s success is marked on its flexibility and customisable features that allow almost anyone to build an app, there have been a number of problematic apps that have slipped through the cracks and have bypassed automated vetting processes.”
Given that so much of modern society runs on mobile interfaces, he said it’s important robust solutions are quickly developed to detect and contain malicious or counterfeit apps before they have the chance to affect a significant portion of smartphone users.
In the meantime, however, the suggestion is to “do your homework” on each new app before downloading it, including checking the publishing data and reviews, while also keeping your mobile device’s operating system up to date.