One thing is certain: cloning an application is child's play for cyber-criminals.
Fake apps (or clones) are Android or iOS mobile applications that mimic, to some extent, the look and features of an official app while hiding malicious, intrusive or lucrative activities.
Some operations can be benign, such as massive advertising to make a profit. In other cases they can be more harmful, retrieving monetizable data from the end user's device or introducing malware (banking trojan, keylogger, ransomware, etc.).
This article introduces the reasons behind the proliferation of application clones and why they are so easy to build for an ordinary cyber-criminal.
Reverse engineering always wins
The first step in building a fake app is to understand the original code. Android applications are a prime target, as only the APK file is needed to turn the app back into human-readable code. A quick web search provides tools to decompile applications into an understandable form. Only a few manipulations are required to get a clear view of the app's main functionalities.
From there, it is very easy to add pretty much anything to the app: an advertising library, malware, requests for more permissions in order to harvest personal data…
An app that has been obfuscated will certainly be more difficult to tamper with. But, quoting the Mobile Security Testing Guide from the OWASP Foundation: "the reverse engineer always wins". If developers try to make the task as difficult as possible using stealthy anti-tampering, cryptography, etc., it becomes an arms race in which attackers will, at some point in time, overcome the barriers.
An easy way in
Almost all applications, not to say all of them, embed libraries. There are plenty of widely used ones for advertising, login…
Let's take a closer look at a specific use case of malicious code tampering by focusing on advertising libraries. Today a huge number of mobile apps, especially free ones, embed ads to make a profit. Knowing the targeted library, the criminal can locate the calls where the identifier of the ad to be promoted is set. It is then very easy to insert their own identifier, repackage the application and promote it. To make it more malicious, the clone could request more permissions at app launch and then exfiltrate sensitive data (call logs, contact list, corporate files…).
Other kinds of libraries, such as login ones, could be diverted to trick the user into providing their credentials.
Finally, app clones are distributed through multiple channels: third-party app stores, social engineering campaigns, phishing, etc., but also official stores.
A recent study from Cybernews uncovered a hundred applications released on the Google store, totalling 69 million installs, that were clones. The security checks done by the stores' security systems only verify that no known malware is embedded in the app, in order to prevent the spread of famous trojans, ransomware, etc. Any shady library exfiltrating personal data, or abusive permission requests, will not be detected and thus remain invisible to the user.
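The tampering described above (a swapped ad identifier, extra permissions in the manifest, an added library) always leaves traces in the APK itself, and because the attacker does not hold the original signing key, the clone is necessarily re-signed. A defender who has the genuine release APK can therefore triage a suspected clone by hashing every entry of both archives and listing what was added, removed or modified. The following is an added example, not code from this article, from Pradeo or from Cybernews; it uses only the Java standard library and builds two small zip archives in memory as constructed stand-ins for a genuine APK and its clone (the entry contents are placeholder strings, since real manifests and dex files are binary, but the hashing logic is the same).

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.TreeMap;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

// Hypothetical triage tool: compares a suspected clone with the genuine APK entry by entry.
public final class ApkEntryDiff {

    // Map every zip entry name to the SHA-256 of its uncompressed content.
    static Map<String, String> entryHashes(byte[] apk) throws IOException, NoSuchAlgorithmException {
        Map<String, String> hashes = new TreeMap<>();
        byte[] buf = new byte[8192];
        try (ZipInputStream zin = new ZipInputStream(new ByteArrayInputStream(apk))) {
            ZipEntry entry;
            while ((entry = zin.getNextEntry()) != null) {
                if (entry.isDirectory()) continue;
                MessageDigest md = MessageDigest.getInstance("SHA-256");
                int n;
                while ((n = zin.read(buf)) > 0) md.update(buf, 0, n);
                hashes.put(entry.getName(), hex(md.digest()));
            }
        }
        return hashes;
    }

    // Report which entries the suspect added, removed or modified relative to the genuine build.
    static Map<String, String> diff(Map<String, String> genuine, Map<String, String> suspect) {
        Map<String, String> report = new LinkedHashMap<>();
        for (String name : genuine.keySet()) {
            if (!suspect.containsKey(name)) report.put(name, "removed");
            else if (!genuine.get(name).equals(suspect.get(name))) report.put(name, "modified");
        }
        for (String name : suspect.keySet()) {
            if (!genuine.containsKey(name)) report.put(name, "added");
        }
        return report;
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Constructed stand-in for an APK: a zip archive carrying the entry names a real one would have.
    static byte[] buildApk(Map<String, String> entries) throws IOException {
        ByteArrayOutputStream bout = new ByteArrayOutputStream();
        try (ZipOutputStream zout = new ZipOutputStream(bout)) {
            for (Map.Entry<String, String> en : entries.entrySet()) {
                zout.putNextEntry(new ZipEntry(en.getKey()));
                zout.write(en.getValue().getBytes(StandardCharsets.UTF_8));
                zout.closeEntry();
            }
        }
        return bout.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the genuine release build.
        Map<String, String> original = new LinkedHashMap<>();
        original.put("AndroidManifest.xml", "package=com.example.app perms=[INTERNET]");
        original.put("classes.dex", "MainActivity; AdView(unit=ORIGINAL_AD_UNIT)");
        original.put("META-INF/CERT.RSA", "signer: Example Corp release key");

        // Constructed sample: a clone with a swapped ad unit, extra permissions,
        // an added native library and, unavoidably, a different signer.
        Map<String, String> clone = new LinkedHashMap<>(original);
        clone.put("AndroidManifest.xml", "package=com.example.app perms=[INTERNET, READ_CONTACTS, READ_CALL_LOG]");
        clone.put("classes.dex", "MainActivity; AdView(unit=ATTACKER_AD_UNIT)");
        clone.put("META-INF/CERT.RSA", "signer: unknown self-signed key");
        clone.put("lib/armeabi-v7a/libextra.so", "added native code");

        Map<String, String> report = diff(entryHashes(buildApk(original)), entryHashes(buildApk(clone)));
        report.forEach((name, status) -> System.out.println(status + "\t" + name));
    }
}
```

On a real pair of APKs the two files are read from disk instead of built in memory; the genuine copy must come from your own release pipeline and be the same version as the suspect. The META-INF entries will differ for every clone, since re-signing is mandatory, and a modified classes.dex together with an enlarged manifest is exactly the pattern the ad-library tampering described above produces. Which byte changed inside a modified dex still requires a decompiler; this pass only tells you where to look.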
Why do users turn away from stores?
The previous example demonstrates that stores are not free from clones. But users also willingly retrieve clones from third-party stores without considering the consequences. In fact, it can be tempting to get an application with no advertising or with premium features unlocked, or to download the latest unreleased game from a third-party store (as happened when the game "Fortnite" was not publicly available).
Therefore, from what has been shown above, hackers only have to pick trendy apps and unlock a few features to ensure their success on side stores.
How to protect my application from cloning?
Having your own corporate application cloned and spread in the wild can lead to serious reputation and trust issues with partners and end users. It is almost impossible to prevent someone from reverse engineering your app to create a fake one.
Pradeo's research and development team worked on that matter and elaborated a unique in-app shielding mechanism that thwarts targeted attacks and prevents cloning activities. The technique ensures that neither the company nor end users are misled by a clone.
Contact us for more information on this brand-new capability.