Mobile app fraud involves the use of mobile applications on a smartphone, tablet, or similar device.
Within that category, fraudsters employ many methods and strategies to extract sensitive information or funds from their targets, including spoofed websites, social engineering, malicious code, inauthentic engagement, and more.
Mobile Device Use Drives Greater Fraud Risk
Mobile app fraud continues to be a successful strategy for fraudsters, and likewise, its prevalence continues to rise.
According to a report from online fraud detection vendor BioCatch, the rate of mobile banking usage increased to 73% in 2023.
Unsurprisingly, as more users rely on their mobile devices for banking functions, fraudsters gravitate towards this channel: cybercriminals go where the people are. As a result of this increased usage, BioCatch noted a dramatic rise in fraud schemes involving mobile devices. Compared to other types of fraud, the mobile fraud rate rose from 47% in 2022 to 61% in 2023.
We expect this trend to continue as mobile adoption rises and mobile banking becomes consumers’ preferred approach.
App and User Vulnerabilities Are Everywhere
Mobile app developers operate in a challenging environment. Once their application is published and downloaded onto mobile devices, it leaves their control.
Fraudsters can reverse-engineer applications, repackage them, and finally republish them on app stores to defraud unsuspecting users.
The app could also be used on jailbroken (iOS) or rooted (Android) devices, which deactivate security features and may harbor unknown malware.
The Apple App Store and Google Play Store attempt to weed out malicious, repackaged, and fraudulent apps on their platforms, but the scale of the app stores makes it impossible to catch them all.
Third-party Android app marketplaces also number in the hundreds, and their vetting processes differ.
Further, research shows that 65% of consumers hold a brand responsible for failing to prevent a fraud attack involving impersonation of that brand. This puts the onus on the company to secure its mobile app and to identify any mobile app spoofs online before people download them and the fraud occurs.
Impact of Mobile App Fraud on the Business
With the understanding that users will hold the brand responsible for the attack, let’s look at the impact on the business:
The fraud attack creates a negative user experience and will likely result in users abandoning the application after an incident.
As more users leave the application, some will criticize the brand publicly, up to and including discouraging their friends and colleagues from using the application. This leads to fewer downloads, a smaller user base, and a loss of reputation.
Ultimately, if users are leaving the application and fewer people are downloading it each month, there will be a loss of revenue.
Mobile App Fraud Glossary: Fraud Strategy, Fraud Techniques, Important Terms
Affiliate fraud generates fake commissions from an affiliate marketing program using bots or similar techniques.
App cloning is similar to a repackaging attack. However, app cloning is not always illegal and may not harm users. App cloning is the process of making an app that closely resembles another real and often popular app. It might have malware, and there could be issues with intellectual property between the clone and the original app.
In a click flooding scam, malware continuously sends fabricated click reports to the app stores in the hope of coincidentally corresponding with a legitimate install. When timed correctly, the fraudster receives credit for the download and payment as though they were an advertiser.
Click injection scams fabricate user interaction that appears genuine in order to inflate performance metrics. The app will appear more successful than it truly is, and the fraudster uses this perception to acquire more favorable rates for advertisements within the app.
Sharing similarities with other click-based fraud, click spoofing simply refers to malware registering inauthentic clicks on advertisements within an app. A click may or may not actually occur, but the data records will show an inflated number of clicks.
In a device ID reset attack, the unique identifiers of a mobile device are reset after downloading an application or interacting with a digital ad. To the application, it appears as though new unique users continue to engage with the app. In reality, it is one device continuously performing the same action. Combined with automation or an install farm, this fraud could generate thousands or millions of false engagements.
By changing the identifying attributes of a device, such as its IP address, Media Access Control (MAC) address, or GPS signal, a fraudster can make it appear to websites and applications that a different device is in use. This is done to bypass device fingerprinting techniques, which are used to regulate access to the application from suspicious devices.
When a user interacts with a mobile app, it is referred to as engagement. The frequency and scale of app engagement determines many other aspects of application success. Inauthentic engagement is when engagement is simulated by bots or disingenuous actors. The activity may occur through legitimate channels, but the intent of the actor is not forthright.
Install fraud is a type of fraud in which apps installed on user devices are wrongfully attributed to a paid advertising campaign. The campaign funds are expended, but the installation is not genuine, resulting in wasted advertisement spend.
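Detection logic for the three attribution frauds described above, added here as an illustration and not part of the original glossary. The install records, the reported click totals and the thresholds are all constructed for the example; in practice the thresholds come from your own per-source baseline. The first check looks for sources whose enormous click volume almost never converts and whose installs land hours after the credited click, the signature of click flooding; the second looks for one handset and IP address presenting a stream of fresh advertising IDs, the device ID reset marathon, which is also how an install farm's fraud surfaces in the same data.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median


def _rec(source, device_id, ip, hw, click, install):
    """Build one attribution record (constructed data, not real traffic)."""
    return {"source": source, "device_id": device_id, "ip": ip, "hw": hw,
            "click": datetime.fromisoformat(click),
            "install": datetime.fromisoformat(install)}


# Constructed install log: the ad source credited for each install, the
# advertising ID the app reported, the client IP, a coarse hardware
# fingerprint (model/build), and the timestamps of the credited click and
# of the install itself.
INSTALLS = [
    # net_A: ordinary installs, each a few minutes after its click
    _rec("net_A", "id-a1", "203.0.113.5", "Pixel7/TQ3A", "2024-03-01T09:00:00", "2024-03-01T09:02:10"),
    _rec("net_A", "id-a2", "203.0.113.9", "iPhone14,7/20E", "2024-03-01T10:15:00", "2024-03-01T10:18:40"),
    _rec("net_A", "id-a3", "203.0.113.22", "SM-A536B/UP1A", "2024-03-01T11:30:00", "2024-03-01T11:45:05"),
    # net_B: installs credited to clicks fired 8 to 30 hours earlier
    _rec("net_B", "id-b1", "192.0.2.14", "Pixel6a/TQ3A", "2024-03-01T01:00:00", "2024-03-01T09:00:00"),
    _rec("net_B", "id-b2", "192.0.2.31", "iPhone13,2/20E", "2024-02-29T03:00:00", "2024-03-01T09:00:00"),
    _rec("net_B", "id-b3", "192.0.2.77", "SM-S911B/UP1A", "2024-03-01T00:00:00", "2024-03-01T12:00:00"),
    _rec("net_B", "id-b4", "192.0.2.90", "Pixel8/UP1A", "2024-02-29T18:00:00", "2024-03-01T14:00:00"),
    # net_C: five "new" advertising IDs from one handset and IP inside six hours
    _rec("net_C", "id-c1", "198.51.100.7", "SM-G991B/TP1A", "2024-03-01T08:00:00", "2024-03-01T08:03:00"),
    _rec("net_C", "id-c2", "198.51.100.7", "SM-G991B/TP1A", "2024-03-01T09:10:00", "2024-03-01T09:12:30"),
    _rec("net_C", "id-c3", "198.51.100.7", "SM-G991B/TP1A", "2024-03-01T10:20:00", "2024-03-01T10:21:00"),
    _rec("net_C", "id-c4", "198.51.100.7", "SM-G991B/TP1A", "2024-03-01T11:40:00", "2024-03-01T11:42:15"),
    _rec("net_C", "id-c5", "198.51.100.7", "SM-G991B/TP1A", "2024-03-01T13:05:00", "2024-03-01T13:06:00"),
]

# Total clicks each source reported for the same day (constructed).
CLICKS_REPORTED = {"net_A": 4_000, "net_B": 2_500_000, "net_C": 800}

# Assumed thresholds, for illustration only.
MAX_CONVERSION_FOR_FLOODING = 0.001        # fewer than 0.1% of clicks convert
MIN_MEDIAN_CTIT_HOURS_FOR_FLOODING = 6.0   # typical click-to-install gap
MAX_DEVICE_IDS_PER_FINGERPRINT = 3         # distinct IDs tolerated per window
RESET_WINDOW = timedelta(hours=24)


def click_flooding_sources(installs, clicks_reported):
    """Return {source: stats} for sources that look like click flooding: a
    huge click count that almost never converts, with installs landing hours
    after the credited click because the clicks were fired blindly."""
    ctit_hours = defaultdict(list)
    for r in installs:
        ctit_hours[r["source"]].append((r["install"] - r["click"]).total_seconds() / 3600)
    flagged = {}
    for source, hours in ctit_hours.items():
        clicks = clicks_reported.get(source, 0)
        if clicks == 0:
            continue
        conversion = len(hours) / clicks
        med = median(hours)
        if conversion < MAX_CONVERSION_FOR_FLOODING and med >= MIN_MEDIAN_CTIT_HOURS_FOR_FLOODING:
            flagged[source] = {"conversion": conversion, "median_ctit_hours": med}
    return flagged


def device_id_reset_fingerprints(installs, window=RESET_WINDOW):
    """Return {(hw, ip): distinct_ids} for fingerprints that present more
    than MAX_DEVICE_IDS_PER_FINGERPRINT different advertising IDs within one
    window: one device resetting its ID to pose as a stream of new users."""
    by_fp = defaultdict(list)
    for r in installs:
        by_fp[(r["hw"], r["ip"])].append((r["install"], r["device_id"]))
    flagged = {}
    for fp, events in by_fp.items():
        events.sort()  # sliding window over installs ordered by time
        for i, (start, _) in enumerate(events):
            ids = {dev for t, dev in events[i:] if t - start <= window}
            if len(ids) > MAX_DEVICE_IDS_PER_FINGERPRINT:
                flagged[fp] = len(ids)
                break
    return flagged


if __name__ == "__main__":
    for src, stats in click_flooding_sources(INSTALLS, CLICKS_REPORTED).items():
        print(f"click flooding suspected: {src} {stats}")
    for fp, n in device_id_reset_fingerprints(INSTALLS).items():
        print(f"device ID reset suspected: {fp} presented {n} advertising IDs")
```

Run against the constructed log, net_B is the only source flagged for flooding (four installs out of 2.5 million clicks, median click-to-install gap of 16 hours), and the single Galaxy handset behind net_C is flagged for presenting five advertising IDs in one day. Neither check on its own is proof; both are the kind of signal that justifies withholding payment to a source until it is investigated.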
Also called GPS spoofing, location spoofing refers to any malware that disrupts or distorts the GPS mechanism of the device. This can be used to circumvent location-based security protocols and gain access to functionality that would normally be restricted. For example, some authentication technology determines the location of an individual before granting access to banking application functions. An incorrect location may bypass this security challenge.
Man-in-the-Middle attacks involve the interception of data as it is transmitted from one application or device to another. Malware on a user’s device, for example, could collect login credentials as the user opens their banking app.
Mobile banking Trojan is a very broad term referring to malicious code and software aimed at stealing financial information from a user by posing as a legitimate interaction or download. Man-in-the-Middle, overlay attacks, and rogue keyboards could all be classified as mobile banking Trojan attacks, to name just a few.
Mobile phishing is a form of phishing and social engineering centered on the mobile device. Often called smishing, it involves sending SMS messages in an attempt to trick people into clicking a malicious link. Smishing attacks employ many of the same strategies as an email phishing attempt, such as creating a sense of urgency. Clicking the link could give the fraudster access to the user’s device or initiate a covert download of spyware. Smishing also makes use of shortened URLs, which can be more difficult to recognize as suspicious if the user is not skeptical.
Overlay attacks involve malicious code that generates an extra window within an application that covers the real user interface. Users believe they are interacting with a benign message, but when they tap the overlay window they are actually divulging information, granting permissions, or sending funds by interacting with the real interface underneath.
In a proxy tunneling scam, malicious apps installed across a large number of devices can be used to create a botnet. Unknown to the users, a controller device is established which issues commands to the bots to perform install fraud.
Reverse engineering is the act of analyzing a piece of software to gain an understanding of its functionality. In a cybersecurity context, both security professionals and cybercriminals reverse engineer the other side’s software. The security professional reverse engineers malware to understand how it succeeded, and cybercriminals reverse engineer legitimate apps in search of vulnerabilities.
In a repackaging attack, the fraudster reverse engineers an application, builds in malicious code to enact their fraud scheme, and publishes the application on the Google Play Store, Apple App Store, or third-party mobile app marketplaces. Users will unsuspectingly download the repackaged app, because it will appear and function like the legitimate app.
Mobile application marketplaces offer many applications that replace the device’s native keyboard. Many are legitimate and simply offer a new aesthetic or preferable functionality. The illegitimate ones are called rogue keyboards. A rogue keyboard either contains vulnerabilities or was designed as part of a fraud scheme to, for example, record keystrokes that reveal a user’s banking credentials.
Much like install fraud, a traffic scam involves a fraudster generating fake website traffic using bots or similar tools. This could involve incentivized traffic, which rewards the user for visiting the site, or non-incentivized traffic.
SIM cards are smart chips inserted into mobile devices that hold user identities, security keys, and more. Mobile carriers can port the data on these SIM cards over from their backup files upon request by the user. A SIM swapping attack is when a fraudster deceives a mobile carrier into issuing them the SIM of their victim. Typically, this occurs after other credentials have already been obtained, so a SIM swap attack is often preceded by a different security event.
What Are Fraudsters After?
- User data theft: The bad actor desires login credentials, personally identifiable information (PII), purchase history, credit card numbers, search data, corporate records, etc. Any valuable information that can be sold on the Dark Web or utilized to gain access to another application is a fraudster’s target.
- Abuse of restricted functionalities: When a fraudster deceives the user into granting permissions or uses stolen credentials, they gain the ability to perform actions on an application that would otherwise be restricted. A fraudster sending money with a banking app or opening new bank accounts are examples of this mobile app fraud goal.
- Market Disruption: A potential goal of mobile app fraudsters is to manipulate user or advertising data to create a misleading impression in the marketplace. For instance, a “device ID reset marathon” could deplete the advertising budget of a competing app by inundating it with illegitimate clicks.
Protecting Your Brand from Mobile App Fraud
When considering how to protect your brand from mobile app fraud, there are two environments to consider. The first is the app itself. Your application needs to be able to securely operate in unknown and uncontrolled environments. The second is the wider internet marketplace over which you have limited control. Bad actors can spoof your brand and application for their own fraudulent ends. In addition to a secure app, you need an efficient way to manage your brand presence and initiate takedowns of spoofs.
With these two factors in mind, there are several technologies available today that can help prevent mobile app fraud from targeting your users.
- Mobile App Marketplace Monitoring/Protection: This refers to a solution that combs the internet for copycat or rogue iterations of your applications. By analyzing the brand identity of your application, these tools can locate potential spoofs and notify the team. The best solutions in this space also facilitate the takedown of discovered spoofed applications.
- Runtime Application Self Protection (RASP): A RASP solution prevents mobile app fraud in real time. It shuts the application down when it detects specific conditions in the runtime environment. For example, if the RASP system recognizes that the device is jailbroken, it can prevent the application from starting. It likewise prevents the app from functioning on an emulator or when it is being run alongside a debugger. Keep in mind that fraudsters can still create and publish unauthorized versions even if you implement RASP in your official app.
- Application Hardening: This is a general term to describe efforts to strengthen an application against attack. It removes vulnerabilities or layers on additional security measures.
- Risk-based Authentication (RBA): RBA describes an authentication strategy that calibrates the authentication challenge to the level of risk. In the event of a higher-risk or high-value transaction, the risk-based authentication system can apply more stringent authentication challenges.
- Out of Band Authentication: This is a form of two-factor authentication (2FA) which requires the user to authenticate on two distinct channels or devices. For example, when accessing a banking application on a desktop, the user may be asked to authenticate using their smartphone. This increases the security of the application, since it requires a bad actor to compromise two devices instead of one.
- Multi-Factor Authentication (MFA): Multi-factor authentication is an authentication strategy where the user must present information from two or more of the following categories: something the user knows, something the user has, or something the user is. This is considered strong authentication, because it puts an additional challenge on a would-be fraudster, who must present more than one kind of evidence.
- Code Obfuscation: Code obfuscation technology is designed to prevent or hamper reverse engineering. It transforms the code so that it is harder to read, whether by automated tools or by human analysts.
- White Box Cryptography: By leveraging encryption and obfuscation, white box cryptography helps prevent attacks from extracting the encryption keys used by the app.
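A worked example of the risk-based authentication described in the list above, added here as an illustration; it is not code from the original article or from any product it mentions. The signal names, weights and cut-offs are assumptions chosen to show the mechanism: each suspicious signal adds to a score, the score selects the challenge, and one floor rule ties in the out-of-band and SIM swap points from earlier on the page: when the device itself may be compromised or its SIM has just changed hands, a second factor delivered to that same device or phone number proves nothing, so the challenge must come through a separate channel.

```python
from dataclasses import dataclass
from enum import IntEnum


class Challenge(IntEnum):
    """Authentication challenges ordered by strength."""
    NONE = 0          # password or existing session only
    OTP = 1           # second factor on the same device (MFA)
    OUT_OF_BAND = 2   # approve on a separately enrolled device or channel
    BLOCK = 3         # deny the action and alert the fraud team


@dataclass(frozen=True)
class Context:
    """Signals available at login or at a transaction (all assumed names)."""
    amount: float                 # transaction value; 0 for a plain login
    known_device: bool            # device fingerprint seen on this account before
    device_rooted: bool           # root/jailbreak flag reported by the app
    km_from_last_login: float     # distance from the last known location
    hours_since_last_login: float
    sim_changed: bool             # carrier-reported SIM change since last login


# Assumed weights and cut-offs, for illustration only.
WEIGHTS = {"unknown_device": 30, "rooted": 25, "impossible_travel": 50,
           "far_from_last": 15, "sim_changed": 30, "high_value": 35,
           "medium_value": 20}
CUTOFFS = [(90, Challenge.BLOCK), (50, Challenge.OUT_OF_BAND), (20, Challenge.OTP)]
MAX_PLAUSIBLE_KMH = 900   # faster than this between sessions is impossible travel


def risk_score(ctx: Context) -> int:
    """Additive score: each suspicious signal raises the risk of the request."""
    score = 0
    if not ctx.known_device:
        score += WEIGHTS["unknown_device"]
    if ctx.device_rooted:
        score += WEIGHTS["rooted"]
    if (ctx.hours_since_last_login > 0
            and ctx.km_from_last_login / ctx.hours_since_last_login > MAX_PLAUSIBLE_KMH):
        score += WEIGHTS["impossible_travel"]
    elif ctx.km_from_last_login > 500:
        score += WEIGHTS["far_from_last"]
    if ctx.sim_changed:
        score += WEIGHTS["sim_changed"]
    if ctx.amount >= 10_000:
        score += WEIGHTS["high_value"]
    elif ctx.amount >= 1_000:
        score += WEIGHTS["medium_value"]
    return score


def choose_challenge(ctx: Context) -> Challenge:
    """Map the score to a challenge, then apply one floor: a rooted device or
    a freshly swapped SIM means an OTP sent to that device or number may reach
    the attacker, so the challenge must be at least out-of-band."""
    score = risk_score(ctx)
    challenge = Challenge.NONE
    for cutoff, level in CUTOFFS:
        if score >= cutoff:
            challenge = level
            break
    if challenge < Challenge.BLOCK and (ctx.device_rooted or ctx.sim_changed):
        challenge = max(challenge, Challenge.OUT_OF_BAND)
    return challenge


if __name__ == "__main__":
    cases = {
        "routine login": Context(0, True, False, 2, 20, False),
        "new device, 5,000 transfer": Context(5_000, False, False, 2, 20, False),
        "rooted known device, small payment": Context(10, True, True, 2, 20, False),
        "SIM changed, new device, 12,000 transfer": Context(12_000, False, False, 2, 20, True),
    }
    for name, ctx in cases.items():
        print(f"{name}: score {risk_score(ctx)} -> {choose_challenge(ctx).name}")
```

The floor rule is the design point worth copying: the score decides how much friction to add, but the channel the challenge travels over has to be chosen against the threat. A small payment from a rooted handset scores only 25, which the cut-offs would answer with an on-device OTP, yet the function still demands out-of-band approval because that handset is exactly what an overlay or Trojan would control.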
OWASP Mobile App Security Levels
The Open Web Application Security Project is an international collection of industry experts, technologists, and security professionals. They released the Mobile App Security Verification Standard (MASVS) to provide application developers with standardized guidance on how much security to build into their application.
Though some level of security protection is advised for all applications, the purpose of the app determines the level of security required. For example, the developer of a fitness app that simply includes videos of workout routines might decide their app requires fewer security controls. In contrast, a banking app will require more. If the fitness video app were compromised, the impact and potential consequences are likely less dire than for an application with access to a user’s finances and credit card numbers.
Below, we have outlined the MASVS security levels.
L1: This is the baseline security standard. It involves best practices designed to facilitate a convenient user experience, offer some security, and keep development costs low.
Use case:
- Meditation apps
- Tool applications like a level or pedometer
- All other applications not suited for stronger security
L2: Any application that has access to personally identifiable information, financial information, or the ability to move funds should be secured to this level.
Use case:
- Subscription-based apps
- Medical and healthcare applications
L1+R: The “R” in this level and the next indicates protection against reverse engineering, such as through code obfuscation. L1+R therefore applies to applications that do not possess PII yet still require reverse engineering protection.
Use case:
- Apps that include intellectual property that needs protection
L2+R: This level applies to applications that both require reverse engineering protection and possess the PII of their users. This is the highest level of security recommended by OWASP.
Use case:
- Banking apps