The FBI warns that fraudsters have begun mimicking legitimate mobile apps, injecting them with malicious code, and then distributing them through mobile beta-testing app services. Attackers’ end goal with this scheme is stealing users’ personally identifiable information, accessing financial accounts, or taking over mobile devices.
Brands need to know about this new brand impersonation vector, especially given the FBI deemed the threat serious enough to issue an August 2023 public service announcement titled, “Cyber Criminals Targeting Victims through Mobile Beta-Testing Applications.” The announcement focuses on imposter cryptocurrency apps distributed via beta-testing services, however, developers of mobile apps in any genre may find their users targeted by such scams.
With this article, we hope to spread awareness among people responsible for defending their organization’s brand and reputation online, provide additional details about the threat, and offer recommendations for mitigation.
What are mobile beta-testing applications (apps)?
Mobile app beta-testing services allow a group of users to use and test a nearly finished (i.e., “beta”) version of an app. This helps developers understand how well the app will function in a real-world setting, identify any bugs, and accept suggestions for improvements.
While third-party beta-testing services exist, more well known services include using the Google Play Console and Apple TestFlight. The FBI did not name any specific beta-testing services in the recent announcement, although there have been examples of threat actors distributing similar scams through Apple’s TestFlight.
Understanding the threat of counterfeit mobile apps distributed via mobile beta-testing app platforms
The FBI warning states that “…beta apps typically are not subject to mobile operating systems’ review processes.” Google claims their review process for both beta apps and apps published on the Google Play Store are the same. In an overview of TestFlight Apple claims that beta versions of apps undergo review as well, however, “A review is only required for the first build of a version and subsequent builds may not need a full review.”
Regardless, malicious apps still make it onto official app stores by circumventing Apple App Store and Google Play Store security reviews. A couple examples of ways to circumvent these reviews include storing malicious code on a remote server that the app doesn’t call on until after the app review process is finalized, or, promoting malicious web applications that can be launched from a mobile device’s home screen, and more.
Even legitimate developers without malicious intentions have used TestFlight to distribute apps that, “…would never be allowed in the App Store, to get around some of Apple’s more-restrictive policies and more-expensive commissions, and to create an app ecosystem that feels smaller and more intimate.”
Anatomy of a spoofed beta app scheme
At a high level, the fraudster typically follows the following steps to exploit beta-testing platforms for distribution of their spoofed mobile apps:
- Download the target mobile app
- Copy or modify the app to include malicious code within it
- Upload the spoofed app to a mobile beta-testing app platform
- Distribute links to the spoofed app located on a mobile beta-testing app platform
Just about anyone can download a mobile app, and tools exist that allow one to access the source code of those apps and modify it to include malicious functionality. The cyber criminal will use brand names, marketing images, or descriptions matching the legitimate apps in order to create a more convincing spoof (as they would when impersonating brands using fake websites or deceptive social media profiles, posts, and ads).
Costs of fake mobile apps impersonating trusted brands
OWASP (Open Worldwide Application Security Project), a nonprofit foundation that works to improve the security of software, does a good job articulating the impact of tampered mobile apps:
“Great reputational damage could arise in particular for popular apps that get redistributed with malicious code. Even though the app provider can hardly prevent redistribution of a tampered copy of its app, the negative publicity will likely be directed at the original provider. Hence, redistribution of unauthorized copies should be made as difficult as possible for an attacker to reduce the probability of this risk.”
Studies corroborate the harm of this reputational damage:
- 63 percent of consumers hold an impersonated brand responsible for spoofs
- 66 percent change their online purchasing behaviors as a result of fraud
- 33 percent will leave a brand as a result of fraud
- See our costs of online brand impersonation infographic for more relevant statistics
While protecting your mobile app against “repackaging” does not prevent threat actors from creating spoofed versions of your app; it can increase the time, money and effort required to do so. For technical tips on assessing and mitigating a mobile apps’ vulnerability to these “repackaging” attacks, start with OWASP’s write-up of Insufficient Binary Protection from their list of Top 10 Mobile Risks.
Actions to combat spoofed mobile apps distributed via mobile beta-testing app platforms
Tips for consumers to protect themselves against the threat of malicious beta versions of mobile apps include but are not limited to:
- Follow the recommendations provided in the FBI bulletin: In this context especially, do your homework in terms of verifying app developers and evaluating customer reviews before downloading – though less information is typically available when it comes to beta testing programs
- Decide whether beta-testing mobile apps is truly for you: Yes, beta-testing can be fun, but at best you’ll experience a sub-par experience with new features and at worst you could get scammed.
- While not failsafe, only download apps from official sources and use only official beta testing channels: Read more about joining early access or beta programs for Android apps or testing iOS apps with TestFlight.
- Apply scrutiny to any public beta testing links: And scrutinize the details of any beta information sent to you. Verify that the listed developer is in fact whom you expect it to be and that the developer’s e-mail address and developer website direct to legitimate sources. If you don’t feel confident in your ability to identify a scam in this context, see tip number 2.
Tips for brands and organizations that publish mobile apps to protect their reputation and users/customers against the threat of spoofed beta versions of their apps include but are not limited to:
- Consider using only official programs for beta-testing consumer-facing versions of your mobile apps: Options available include setting up tests in Google Play Console or Apple App Store Connect TestFlight.
- Clearly and publicly communicate your mobile beta testing program (or lack of): If you do offer beta testing, make it clear on your website and via other channels how users can sign-up, what communication channels the program employs, and where to report suspicious beta-testing versions and messages, etc. If you do not offer a beta-testing program for your mobile apps, clearly communicate this as well.
- Discuss your mobile app’s security with your development team (or third party developer) and security teams: While even properly protected apps can stil be spoofed, ask about what security controls are implemented in your mobile app to prevent cloning.
- Use beta app discovery engines to look for versions of your app that you may not be aware of: While tools such as Airport exist to help people find TestFlight apps, the breadth and depth of their visibility is lacking. Plus, you or your staff have better things to do than conduct manual searches – which brings us to our final recommendation…
- Hire an online brand protection expert to monitor for spoofed or unauthorized versions of your mobile app no matter where they reside: Vendors such as Allure Security offer AI-powered monitoring for counterfeit mobile apps impersonating your brand and expert, in-house takedown services to eliminate spoofed versions of your mobile apps before your customers fall victim to them.
WHAT YOU SHOULD DO NEXT
- Contact us if your users have been targeted by fake beta versions of your mobile app or you’re concerned about the threat of mobile app spoofs impersonating your brand, so we can help you think through mitigation actions
- Read our blog post about expectations that Apple will allow the installation of apps from third-party sources with iOS 17 and the associated risks to brands that publish mobile apps
- Bulk up your brand defense muscles with our free Busy Person’s Guide to Online Brand Protection
