Mobile app fraud is a type of fraud involving the use of mobile applications on a smartphone, tablet, or similar device. Within that, there are many methods and strategies that fraudsters employ to extract sensitive information or funds from their target, including spoofed websites, social engineering, malicious code, inauthentic engagement, and more.
In this article, we’ll provide an overview of mobile app fraud, how it can be perpetrated, and what businesses can do to protect their brand identity on the web.
At A Glance:
- Mobile Device Use Drives Greater Fraud Risk
- App and User Vulnerabilities Are Everywhere
- Impact of Fraud on the Business
- Mobile App Fraud Strategy Glossary
- The Big Score: What Fraudsters Are After
- Technologies that Strengthen Mobile Fraud Detection and Prevention
- OWASP Security Levels
Mobile Device Use Drives Greater Fraud Risk
Mobile app fraud continues to be a successful strategy for fraudsters, and its prevalence continues to rise accordingly. According to a report from online fraud detection vendor BioCatch, the rate of mobile banking usage increased to 73% in 2023. Unsurprisingly, as more users rely on their mobile devices for banking functions, fraudsters gravitate towards the channel. Cybercriminals go to where the people are. As a result of this increased usage, BioCatch noted a dramatic rise in fraud schemes involving mobile devices. The rate of mobile fraud compared to other types of fraud rose from 47% in 2022 to 61% in 2023. We can expect this trend to continue as mobile adoption rises and mobile banking becomes consumers’ preferred approach.
App and User Vulnerabilities Are Everywhere
Mobile app developers operate in a challenging environment. Once their application is published and downloaded onto mobile devices, it leaves their control. Their application can be reverse engineered by fraudsters, repackaged, and finally republished on app stores to defraud unsuspecting users. The app could also be used on jailbroken (iOS) or rooted (Android) devices, which disable platform security features and may harbor unknown malware.
The Apple App Store and Google Play Store attempt to weed out malicious, repackaged, and fraudulent apps on their platform, but the scale of the app stores makes it impossible to catch them all. Third-party Android app marketplaces also number in the hundreds and vetting processes differ (if they exist at all). Further, research shows that 65% of consumers hold a brand responsible for failing to prevent a fraud attack involving impersonation of that brand rather than the fraudster for initiating it. This puts the onus on the company to secure their mobile app and identify any mobile app spoofs online before people download them and the fraud occurs.
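Identifying spoofed listings before users download them comes down to comparing what a marketplace shows against what you know about your own app. The following is an added example, not code from the article or from Allure Security's product: it takes constructed marketplace listings (the brand "Acme Bank", its package names, developer-independent signer fingerprints and all candidate apps are hypothetical placeholders) and flags those whose title or package name imitates the official one after homoglyph and lookalike-letter normalization, and those that reuse the official package name but are signed with a different key, which is the fingerprint of a repackaged app.

```python
import unicodedata

# Constructed sample data for this example. The brand "Acme Bank", the
# package names and the signer fingerprints are hypothetical placeholders,
# not real apps or real certificate hashes.
OFFICIAL = {
    "title": "Acme Bank",
    "package": "com.acmebank.mobile",
    "signer": "SIGNER_FP_OFFICIAL_PLACEHOLDER",
}

CANDIDATES = [
    # The genuine listing: same package, same signing key.
    {"title": "Acme Bank", "package": "com.acmebank.mobile",
     "signer": "SIGNER_FP_OFFICIAL_PLACEHOLDER"},
    # "rn" rendered to look like "m"; package name extends the official one.
    {"title": "Acrne Bank", "package": "com.acmebank.mobile.update",
     "signer": "SIGNER_FP_UNKNOWN_1_PLACEHOLDER"},
    # Brand name reused in the title with an unrelated package.
    {"title": "ACME BANK Pro", "package": "com.acme-bank.app",
     "signer": "SIGNER_FP_UNKNOWN_2_PLACEHOLDER"},
    # Cyrillic "е" in the title, digit "1" for "l" in the package.
    {"title": "Acm\u0435 Bank", "package": "com.acmebank.mobi1e",
     "signer": "SIGNER_FP_UNKNOWN_3_PLACEHOLDER"},
    # Repackaged: identical package name but signed with a different key.
    {"title": "Acme Bank", "package": "com.acmebank.mobile",
     "signer": "SIGNER_FP_UNKNOWN_4_PLACEHOLDER"},
    # Unrelated app from the same brand family; should not be flagged.
    {"title": "Acme Weather", "package": "com.acmeweather",
     "signer": "SIGNER_FP_WEATHER_PLACEHOLDER"},
]

# Characters commonly substituted to imitate Latin letters (partial map).
HOMOGLYPHS = {
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
}


def normalize(text):
    """Fold case, map homoglyphs and multi-letter lookalikes, drop punctuation."""
    text = unicodedata.normalize("NFKC", text).lower()
    text = "".join(HOMOGLYPHS.get(ch, ch) for ch in text)
    text = text.replace("rn", "m").replace("vv", "w")
    return "".join(ch for ch in text if ch.isalnum())


def levenshtein(a, b):
    """Edit distance; the strings are short, so the plain DP is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_listing(candidate, official=OFFICIAL, max_distance=2):
    """Return the reasons a listing looks like a spoof of `official` ([] if none)."""
    reasons = []
    if candidate["package"] == official["package"]:
        # Same package name: genuine only if the signing key matches.
        if candidate["signer"] != official["signer"]:
            reasons.append("official package name signed by a different key (repackaging)")
        return reasons

    brand = normalize(official["title"])
    title = normalize(candidate["title"])
    if brand in title or levenshtein(title, brand) <= max_distance:
        reasons.append("title imitates the brand name")

    pkg_close = levenshtein(normalize(candidate["package"]), normalize(official["package"])) <= max_distance
    if candidate["package"].startswith(official["package"] + ".") or pkg_close:
        reasons.append("package name imitates the official package")
    return reasons


def find_lookalikes(candidates, official=OFFICIAL):
    """Map each suspicious package name to the list of reasons it was flagged."""
    flagged = {}
    for cand in candidates:
        reasons = assess_listing(cand, official)
        if reasons:
            flagged.setdefault(cand["package"], []).extend(reasons)
    return flagged


if __name__ == "__main__":
    for package, reasons in find_lookalikes(CANDIDATES).items():
        print(package, "->", "; ".join(reasons))
```

The signer comparison is the decisive check for repackaging: a store listing can copy the title, icon and package name, but it cannot reproduce the signature of the original signing key, so every hit on the official package name that carries an unknown signer fingerprint is worth a takedown request.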
Impact of Mobile App Fraud on the Business
With the understanding that users will hold the brand responsible for the attack, let’s look at the impact on the business:
- Negative User Experience: The fraud attack creates a negative user experience and will likely result in user abandonment of the application after an event.
- Loss of Brand Reputation and Consumer Trust: As more users leave the application, some will criticize the brand publicly up to and including discouraging their friends and colleagues from using the application. This leads to fewer downloads, a smaller user base, and a loss of reputation.
- Loss of Revenue: Ultimately, if users are leaving the application and fewer people are downloading apps each month, there will be a loss of revenue.
Mobile App Fraud Glossary: Fraud Strategy, Fraud Techniques, Important Terms
- Affiliate Fraud: This form of fraud generates fake commissions from an affiliate marketing program using bots or similar techniques.
- App Cloning: App cloning is closely related to a repackaging attack, though app cloning may not be necessarily illegal or victimize users. App cloning is the practice of creating an application that very closely mimics the functionality of another legitimate, often successful application. It may or may not have malware, and it may or may not involve intellectual property issues between the clone and original app.
- Click Flooding: In a click flooding scam, malware continuously sends fabricated click reports to the app stores in the hope of coincidentally corresponding with a legitimate install. When timed correctly, the fraudster receives credit for the download and payment as though they were an advertiser.
- Click Injection: Click injection scams fabricate what appears to be genuine user interaction in order to inflate performance metrics. The app will appear more successful than it truly is, and the fraudster uses this perception to acquire more favorable rates for advertisements within the app.
- Click Spoofing: Sharing similarities with other click-based fraud, click spoofing simply refers to malware registering inauthentic clicks on advertisements within an app. A click may or may not actually occur, but the data records will show an inflated number of clicks.
- Device ID Reset Marathon: This refers to an attack in which the unique identifiers of a mobile device are reset after downloading an application or interacting with a digital ad. To the application, it appears as though new unique users continue to engage with the app. In reality, it is one device continuously performing the same action. Combined with automation or an install farm, this fraud could generate thousands or millions of false engagements.
- Device Spoofing: By changing the unique signifiers of a device, such as IP address, Media Access Control (MAC) address, or GPS signal, a fraudster can make it appear to websites and applications that the fraudster is using a different device. This is done to bypass device fingerprinting techniques which are used to regulate access to the application from suspicious devices.
- Inauthentic Engagement: When a user interacts with a mobile app, it is referred to as engagement. The frequency and scale of app engagement determines many other aspects of application success. Inauthentic engagement is when engagement is simulated by bots or disingenuous actors. The activity may occur through legitimate channels, but the intent of the actor is not forthright.
- Install Fraud: Install fraud is a type of fraud in which apps installed on user devices are wrongfully attributed to a paid advertising campaign. The campaign funds are expended, but the installation is not genuine, resulting in wasted advertisement spend.
- Location Spoofing: Also called GPS spoofing, this refers to any malware that disrupts or distorts the GPS mechanism of the device. This can be used to circumvent location-based security protocols and gain access to functionality that would normally be restricted. For example, some authentication technology determines the location of an individual before granting access to banking application functions. An incorrect location may bypass this security challenge.
- Man in the Middle Attacks (MitM): These attacks involve the interception of data as it transmits from one application or device to another. Malware on a user’s device, for example, could collect login credentials as the user opens their banking app.
- Mobile Banking Trojans: This is a very broad term referring to malicious code and software aimed at stealing financial information from a user by posing as a legitimate interaction or download. Man-in-the-Middle, overlay attacks, and rogue keyboards could all be classified as mobile banking Trojan attacks, to name just a few.
- Mobile Phishing: This is a form of phishing and social engineering centered on the mobile device. Often called smishing, mobile phishing involves sending SMS messages in an attempt to trick people into clicking a malicious link. Smishing attacks employ many of the same strategies as an email phishing attempt, such as creating a sense of urgency. Clicking the link could give the fraudster access to the user’s device or initiate a secret download of spyware. Smishing also makes use of shortened URLs, which can be more difficult to spot as suspicious if the user is not skeptical.
- Overlay Attacks: These attacks involve malicious code that generates an extra window within an application that covers the real user interface. Users believe they are interacting with a benign message, but when they tap on the overlay window they are actually divulging information, granting permissions, or sending funds by interacting with the real interface underneath.
- Proxy Tunneling: In a proxy tunneling scam, malicious apps installed across a large number of devices can be used to create a botnet. Unknown to the users, a controller device is established which issues commands to the bots to perform install fraud.
- Reverse Engineering: Reverse engineering is the act of analyzing a piece of software to gain an understanding of its functionality. In a cybersecurity context, both security professionals and cybercriminals reverse engineer the other side’s software. The security professional reverse engineers malware to understand how it succeeded, and cybercriminals reverse engineer legitimate apps in search of vulnerabilities.
- Repackaging: In a repackaging attack, the fraudster reverse engineers an application, builds in malicious code to enact their fraud scheme, and publishes the application on the Google Play Store, Apple App Store, or third-party mobile app marketplaces. Users will unsuspectingly download the repackaged app, because it will appear and function like the legitimate app.
- Rogue Keyboards: Mobile application marketplaces offer many applications that swap out the native keyboard of the device. Many are legitimate and simply offer a new aesthetic or preferable functionality. The illegitimate ones are called rogue keyboards. A rogue keyboard either contains vulnerabilities or was designed as part of a fraud scheme to, for example, record keystrokes that reveal a user’s banking credentials.
- Traffic Scam: Much like install fraud, a traffic scam involves a fraudster generating fake website traffic using bots or similar tools. This could involve incentivized traffic, which offers the user a reward for visiting the site, or non-incentivized traffic.
- SIM Swapping: SIM cards are smart chips inserted into mobile devices that include user identities, security keys, and more. Mobile carriers can port over the data on these SIM cards from their backup files upon request by the user. A SIM swapping attack is when a fraudster deceives a mobile carrier by requesting and receiving the SIM of their victim. Typically, this occurs after other credentials are already obtained. So, a SIM swap attack is often preceded by a different security event.
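Several of the click- and install-fraud entries above (click flooding, click injection, install fraud, the device ID reset marathon) leave a measurable trace in attribution data, and the usual defender-side check is the click-to-install time (CTIT) distribution per traffic source together with how many distinct devices a single network address claims to be. The following is an added example, not code from the article or from any attribution vendor: it attributes each install to the last prior click from the same device, then reports per-publisher click-to-install ratios and CTIT shape. The event log, publisher names, device ids and IP addresses (taken from the 203.0.113.0/24 documentation range) are constructed, and the thresholds are illustrative rather than industry standards.

```python
from collections import defaultdict
from statistics import median

ATTRIBUTION_WINDOW = 7 * 24 * 3600  # seconds; older clicks cannot claim an install


def ev(kind, t, device, publisher, ip):
    """Build one constructed event record (all values are placeholders)."""
    return {"type": kind, "t": t, "device": device, "publisher": publisher, "ip": ip}


def build_sample_events():
    """Constructed sample traffic, not real data; timestamps are seconds from an arbitrary epoch."""
    events = []
    # Organic-looking traffic: one click per device, install a few minutes later.
    for i in range(6):
        d, ip = f"dev-good-{i}", f"203.0.113.{10 + i}"
        events.append(ev("click", 1000 + i * 500, d, "pub_good", ip))
        events.append(ev("install", 1000 + i * 500 + 120 + i * 30, d, "pub_good", ip))
    # Click flooding: a burst of fabricated clicks for many devices; a few
    # organic installs happen many hours later and are claimed by the flooder.
    for i in range(40):
        events.append(ev("click", 2000 + i, f"dev-flood-{i}", "pub_flood", f"203.0.113.{100 + i % 20}"))
    for i in range(3):
        events.append(ev("install", 2000 + 20 * 3600 + i * 600, f"dev-flood-{i}", "pub_flood", f"203.0.113.{100 + i}"))
    # Click injection: the click is reported seconds before the install completes.
    for i in range(5):
        d = f"dev-inject-{i}"
        events.append(ev("click", 5000 + i * 100, d, "pub_inject", "203.0.113.200"))
        events.append(ev("install", 5000 + i * 100 + 3, d, "pub_inject", "203.0.113.200"))
    # Device ID reset marathon: one IP, thirty "new" devices installing in sequence.
    for i in range(30):
        d = f"dev-reset-{i}"
        events.append(ev("click", 9000 + i * 60, d, "pub_reset", "203.0.113.250"))
        events.append(ev("install", 9000 + i * 60 + 90, d, "pub_reset", "203.0.113.250"))
    return events


def attribute_installs(events):
    """Last-click attribution: pair each install with the latest prior click for the same device."""
    clicks = defaultdict(list)
    for e in sorted(events, key=lambda e: e["t"]):
        if e["type"] == "click":
            clicks[e["device"]].append(e)
    attributed = []
    for e in events:
        if e["type"] != "install":
            continue
        prior = [c for c in clicks[e["device"]] if 0 <= e["t"] - c["t"] <= ATTRIBUTION_WINDOW]
        if prior:
            last = prior[-1]
            attributed.append({"publisher": last["publisher"], "ip": e["ip"], "ctit": e["t"] - last["t"]})
    return attributed


def publisher_report(events, short_ctit=10, long_ctit=6 * 3600, max_click_ratio=5.0):
    """Per publisher: click/install ratio, median CTIT and the fraud signals they suggest."""
    clicks = defaultdict(int)
    for e in events:
        if e["type"] == "click":
            clicks[e["publisher"]] += 1
    ctits = defaultdict(list)
    for a in attribute_installs(events):
        ctits[a["publisher"]].append(a["ctit"])
    report = {}
    for pub in clicks:
        installs = ctits.get(pub, [])
        ratio = clicks[pub] / max(len(installs), 1)
        med = median(installs) if installs else None
        short_share = (sum(1 for c in installs if c < short_ctit) / len(installs)) if installs else 0.0
        signals = []
        # Many clicks per install with long, drawn-out CTITs: clicks fired blindly hoping to match.
        if ratio > max_click_ratio and (med is None or med > long_ctit):
            signals.append("click flooding")
        # Most installs land seconds after the click: the click was injected as the install finished.
        if installs and short_share >= 0.5:
            signals.append("click injection")
        report[pub] = {"clicks": clicks[pub], "installs": len(installs),
                       "click_install_ratio": round(ratio, 1), "median_ctit": med, "signals": signals}
    return report


def ip_device_churn(events, max_devices=10):
    """IPs whose installs come from an implausible number of distinct device ids."""
    devices = defaultdict(set)
    for e in events:
        if e["type"] == "install":
            devices[e["ip"]].add(e["device"])
    return {ip: len(devs) for ip, devs in devices.items() if len(devs) > max_devices}


if __name__ == "__main__":
    sample = build_sample_events()
    for pub, row in publisher_report(sample).items():
        print(pub, row)
    print("device churn by IP:", ip_device_churn(sample))
```

The reset-marathon source looks clean in the per-publisher report (one click, one install, a plausible CTIT for every "device"), which is why the per-IP device count is a separate check: the only thing the fraudster cannot reset cheaply is the network path the installs arrive over.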
What Are Fraudsters After?
There are several potential goals the fraudster is trying to achieve, and these goals often contribute to each other. For example, attacks can be linked. A mobile phishing attempt to acquire login credentials may only be to set up a SIM swap attack at a later date. Some examples of the goals of a mobile app fraud attack include:
- User data theft: The bad actor desires login credentials, personally identifiable information (PII), purchase history, credit card numbers, search data, corporate records, etc. Any valuable information that can either be sold on the Dark Web or utilized to gain access to another application is a target for fraudsters.
- Abuse of restricted functionalities: This refers to the fraudster gaining the ability to perform functions on an application that would otherwise be restricted, obtained by deceiving the user into granting permissions or by using stolen credentials. A fraudster sending money with a banking app or opening new bank accounts are examples of this mobile app fraud goal.
- Market Disruption: A potential goal of mobile app fraudsters would be to disrupt user or advertising data to create a false impression in the marketplace. For example, a device ID reset marathon could exhaust the advertising budget of a competing app by flooding an ad with illegitimate clicks.
Protecting Your Brand from Mobile App Fraud
When considering how to protect your brand from mobile app fraud, there are two environments to consider. The first is the app itself. Your application needs to be able to securely operate in unknown and uncontrolled environments. The second is the wider internet marketplace over which you have limited control. Bad actors can spoof your brand and application for their own fraudulent ends. In addition to a secure app, you need an efficient way to manage your brand presence and initiate takedowns of spoofs.
With these two factors in mind, there are several technologies available today that can help prevent mobile app fraud from targeting your users.
- Mobile App Marketplace Monitoring/Protection: This refers to a solution that combs the internet for copycat or rogue iterations of your applications. By analyzing the brand identity of your application, these tools can locate potential spoofs and notify the team. The best solutions in this space also facilitate the takedown of discovered spoofed applications.
- Runtime Application Self Protection (RASP): A RASP solution will prevent mobile app fraud in real time by deactivating the application when the system detects certain actions or qualities of the session. For example, if the RASP system recognizes that the device is jailbroken, it could prevent the application from booting up at all. This also prevents the app from functioning on an emulator or when being run alongside a debugger. Keep in mind that fraudsters can still create and publish unauthorized versions of your mobile app even if you implement RASP in your official app.
- Application Hardening: This is a general term to describe efforts to strengthen an application against attack by removing vulnerabilities or layering on additional security measures.
- Risk-based Authentication (RBA): RBA describes an authentication strategy that calibrates the necessary authentication challenge to the level of risk, based on a variety of circumstances. In the event of a higher-risk or high-value transaction, the risk-based authentication system can apply an additional authentication challenge.
- Out of Band Authentication: This is a form of two-factor authentication (2FA) which requires the user to authenticate on two distinct channels or devices. For example, when accessing a banking application on a desktop computer, the user may be asked to authenticate using their smartphone or hard token authenticator. This increases the security of the application, because it requires a bad actor to compromise two devices instead of one.
- Multi-Factor Authentication (MFA): Multi-factor authentication is an authentication strategy that requires the user to present information from two or more of the following categories: something the user knows, something the user has, or something the user is. This is considered strong authentication, because it puts an additional challenge on a would-be fraudster to present more detailed information.
- Code Obfuscation: Code obfuscation technology is designed to prevent or hamper reverse engineering efforts. It distorts the code, so that it cannot be easily read by bots or human developers.
- White Box Cryptography: By leveraging encryption and obfuscation, white box cryptography helps prevent attacks from extracting the encryption keys used by the app.
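The RASP, risk-based authentication, out-of-band and MFA entries above fit together as one server-side decision: collect risk signals for the session (including the device-integrity result the app reports), score them, and pick the lightest challenge that is proportionate to the risk and the value at stake. The following is an added example, not code from the article or from Allure Security's product. The user, known devices, country history, IP reputation values and the weights and thresholds are all constructed placeholders; a production system would load the baseline from its own history store and tune the weights against observed fraud.

```python
from dataclasses import dataclass

# Constructed per-user baseline used as the "known good" history. The user,
# device ids and countries are placeholders, not real data.
KNOWN_DEVICES = {"alice": {"dev-alice-phone"}}
LAST_LOGIN_COUNTRY = {"alice": "US"}

HIGH_VALUE = 1000.0           # transactions at or above this always earn at least a step-up
IMPLAUSIBLE_TRAVEL_HOURS = 6  # a country change within this many hours is suspicious


@dataclass
class SessionContext:
    user: str
    device_id: str
    country: str
    ip_reputation: str = "clean"        # "clean" or "suspicious" (assumed upstream feed)
    rooted: bool = False                # result of the app's jailbreak/root/emulator checks
    amount: float = 0.0                 # value being authorized; 0 for a plain login
    hours_since_last_login: float = 24.0


def risk_score(ctx):
    """Additive score plus the signals that produced it; weights are illustrative."""
    score, reasons = 0, []
    if ctx.device_id not in KNOWN_DEVICES.get(ctx.user, set()):
        score += 30
        reasons.append("unrecognized device")
    last = LAST_LOGIN_COUNTRY.get(ctx.user)
    if last and ctx.country != last and ctx.hours_since_last_login < IMPLAUSIBLE_TRAVEL_HOURS:
        score += 35
        reasons.append("implausible travel since last login")
    if ctx.ip_reputation == "suspicious":
        score += 25
        reasons.append("suspicious source IP")
    if ctx.rooted:
        score += 30
        reasons.append("jailbroken or rooted device")
    if ctx.amount >= HIGH_VALUE:
        score += 20
        reasons.append("high-value transaction")
    return score, reasons


def choose_challenge(score, amount):
    """Map risk to the cheapest challenge that is still proportionate."""
    if score >= 90:
        return "deny"
    if score >= 60 or (amount >= HIGH_VALUE and score >= 30):
        # Second device on a separate channel: "something you have", out of band.
        return "out_of_band_push"
    if score >= 20:
        # In-band one-time code: a lighter second factor for moderate risk.
        return "otp"
    return "none"


def authenticate(ctx):
    """Return the scored decision for one login or transaction authorization."""
    score, reasons = risk_score(ctx)
    challenge = choose_challenge(score, ctx.amount)
    decision = {"deny": "deny", "none": "allow"}.get(challenge, "challenge")
    return {"score": score, "reasons": reasons, "challenge": challenge, "decision": decision}


if __name__ == "__main__":
    print(authenticate(SessionContext("alice", "dev-alice-phone", "US")))
    print(authenticate(SessionContext("alice", "dev-new-tablet", "RO",
                                      ip_reputation="suspicious", amount=5000, hours_since_last_login=1)))
```

Two design points are worth noting: the transaction amount influences which challenge is chosen, not only the score, so a routine login on a known device stays frictionless while a large transfer from the same device still gets a step-up; and the rooted flag comes from the app's own RASP checks, which the server should treat as a signal rather than as proof, since a repackaged app can simply omit the check.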
OWASP Mobile App Security Levels
The Open Web Application Security Project is an international collection of industry experts, technologists, and security professionals. They released the Mobile App Security Verification Standard (MASVS) to provide application developers with standardized guidance on how much security to build into their application.
Though some level of security protection is advised for all applications, the purpose of the app determines what level of security is necessary. For example, the developer of a fitness app that simply includes videos of workout routines might decide their app requires fewer security controls compared to a banking app. If the fitness video app were compromised, the impact and potential consequences are likely less dire than for an application with access to a user’s finances and credit card numbers.
Below, we have included a table outlining the MASVS Security Levels:
| MASVS Level | Description | Typical Applications at this Level |
| --- | --- | --- |
| MASVS-L1 | This is the baseline security standard. It involves best practices designed to facilitate a convenient user experience, offer some security, and keep development costs low. | Meditation apps; tool applications like a level or pedometer; all other applications not suited for stronger security |
| MASVS-L2 | Any application that has access to personally identifiable information, financial information, or the ability to move funds should be secured to this level. | Subscription-based apps; medical and healthcare applications |
| MASVS-L1+R | The “R” in the next two levels indicates protection against reverse engineering, such as through code obfuscation. Therefore, L1+R applies to applications that do not possess PII yet still require reverse engineering protection. | Apps that include intellectual property that needs protection |
| MASVS-L2+R | This level applies to applications that both require reverse engineering protection and also possess the PII of their users. This is the highest level of security recommended by OWASP. | Banking apps |
WHAT TO DO NEXT
Protecting your users from mobile app fraud is a multi-pronged problem, but the biggest threat to your business is the reputation damage to your brand in the event of a spoof. Learn how Allure Security can prevent fraud before the first victim is ever affected. Request a demo.