The FBI warns that fraudsters have begun mimicking legitimate mobile apps, injecting them with malicious code, and then distributing them through mobile beta-testing app services. Attackers’ end goal with this scheme is stealing users’ personally identifiable information, accessing financial accounts, or taking over mobile devices.
Brands need to know about this new brand impersonation vector, especially given that the FBI deemed the threat serious enough to issue an August 2023 public service announcement titled “Cyber Criminals Targeting Victims through Mobile Beta-Testing Applications.” The announcement focuses on imposter cryptocurrency apps distributed via beta-testing services; however, developers of mobile apps in any genre may find their users targeted by such scams.
With this article, we hope to spread awareness among people responsible for defending their organization’s brand and reputation online, provide additional details about the threat, and offer recommendations for mitigation.
Mobile app beta-testing services allow a group of users to use and test a nearly finished (i.e., “beta”) version of an app. This helps developers understand how well the app will function in a real-world setting, identify any bugs, and accept suggestions for improvements.
While third-party beta-testing services exist, the best-known options are Google Play Console and Apple TestFlight. The FBI did not name any specific beta-testing services in the recent announcement, although there have been examples of threat actors distributing similar scams through Apple’s TestFlight.
The FBI warning states that “…beta apps typically are not subject to mobile operating systems’ review processes.” Google claims its review process is the same for beta apps and for apps published on the Google Play Store. In an overview of TestFlight, Apple claims that beta versions of apps undergo review as well; however, “A review is only required for the first build of a version and subsequent builds may not need a full review.”
Regardless, malicious apps still make it onto official app stores by circumventing Apple App Store and Google Play Store security reviews. Examples of ways these reviews are circumvented include storing malicious code on a remote server that the app does not fetch until after the review process is complete, and promoting malicious web applications that can be launched from a mobile device’s home screen.
Even legitimate developers without malicious intentions have used TestFlight to distribute apps that “…would never be allowed in the App Store, to get around some of Apple’s more-restrictive policies and more-expensive commissions, and to create an app ecosystem that feels smaller and more intimate.”
At a high level, the fraudster typically takes the following steps to exploit beta-testing platforms for distribution of their spoofed mobile apps:
Just about anyone can download a mobile app, and tools exist that allow one to access the source code of those apps and modify it to include malicious functionality. The cybercriminal will use brand names, marketing images, or descriptions matching the legitimate app in order to create a more convincing spoof (as they would when impersonating brands using fake websites or deceptive social media profiles, posts, and ads).
OWASP (Open Worldwide Application Security Project), a nonprofit foundation that works to improve the security of software, does a good job articulating the impact of tampered mobile apps:
“Great reputational damage could arise in particular for popular apps that get redistributed with malicious code. Even though the app provider can hardly prevent redistribution of a tampered copy of its app, the negative publicity will likely be directed at the original provider. Hence, redistribution of unauthorized copies should be made as difficult as possible for an attacker to reduce the probability of this risk.”
Studies corroborate the harm of this reputational damage:
While protecting your mobile app against “repackaging” does not prevent threat actors from creating spoofed versions of your app, it can increase the time, money and effort required to do so. For technical tips on assessing and mitigating a mobile app’s vulnerability to these “repackaging” attacks, start with OWASP’s write-up of Insufficient Binary Protection from its list of Top 10 Mobile Risks.
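As an added illustration of one binary-protection measure in the spirit of that OWASP guidance (example code written for this article, not from OWASP, Google, or Apple): an Android app checks at runtime that the running APK was signed with the publisher’s own release key, which a repackaged copy re-signed by an attacker will not be. The class and method names are assumptions, and `EXPECTED_SHA256` is a placeholder for the real release-certificate fingerprint.

```java
// Runtime signing-certificate check for Android (API 28+).
// Assumption: EXPECTED_SHA256 holds the SHA-256 fingerprint of the publisher's
// release signing certificate, e.g. as printed by
// `apksigner verify --print-certs app-release.apk`. The value below is a placeholder.
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public final class SigningCertCheck {
    private static final String EXPECTED_SHA256 =
        "0000000000000000000000000000000000000000000000000000000000000000"; // placeholder

    // Returns true only if one of the APK's signers matches the release certificate.
    public static boolean isSignedByReleaseKey(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager().getPackageInfo(
                ctx.getPackageName(), PackageManager.GET_SIGNING_CERTIFICATES);
            Signature[] signers = info.signingInfo.getApkContentsSigners();
            // A repackaged build must be re-signed, so its certificate will not
            // hash to the fingerprint of the legitimate release key.
            for (Signature s : signers) {
                if (sha256Hex(s.toByteArray()).equalsIgnoreCase(EXPECTED_SHA256)) {
                    return true;
                }
            }
            return false;
        } catch (PackageManager.NameNotFoundException e) {
            return false; // our own package should always resolve; treat failure as a mismatch
        }
    }

    // Hex-encoded SHA-256 of the DER-encoded X.509 signing certificate.
    static String sha256Hex(byte[] derCertificate) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(derCertificate);
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory on Android", e);
        }
    }
}
```

Because the check lives inside the same binary the attacker modifies, it can itself be removed by someone who decompiles the app; that is why the guidance above frames binary protection as raising the attacker’s cost rather than preventing repackaging outright.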
Tips for consumers to protect themselves against the threat of malicious beta versions of mobile apps include but are not limited to:
Tips for brands and organizations that publish mobile apps to protect their reputation and users/customers against the threat of spoofed beta versions of their apps include but are not limited to:
Posted by Sam Bakken