“This shows how hard it is for users to stay safe,” the CEO of mobile security firm Upstream warns. The company is about to publish a report into the Android threat landscape. The data is staggering. The company has unearthed 98,000 “malicious apps,” which have infected 43 million devices. The five worst apps, Dimitris Maniati tells me, have been downloaded 700 million times: “this shows the scale of the issue.”
And that risk is accelerating. The number of malicious apps is up 50% in the last year, and shows every sign of spiralling out of control.
This can now be viewed as an endemic problem with mobile apps downloaded from Google’s Play Store, despite Google Protect and the App Defense Alliance. Some 50% of the bad apps exposed by Upstream “were or are” in the official Play Store. Countless stories have been written about the hundreds of malicious apps with hundreds of millions of installs. The key question is: what is the scale of the issue?
Upstream has collated the data from its Secure-D security platform, data collected by 31 different network operators across 20 different countries, data representing the devices of almost 700 million different users.
In its report, Upstream explains the methods by which users are enticed to install malware and then grant a raft of permissions that goes way beyond what is required for the app’s claimed purpose. That malware then communicates with its controllers, seeking instructions and content to operate. The apps are designed to remain hidden, not arousing suspicion, avoiding an uninstall.
The primary issue with mobile malware is advertising or click fraud. Trivial apps that pull unwanted ads onto devices to run in the background or as a foreground nuisance. For advertisers, this results in millions of dollars of fraudulent charges. For users, the issue is degraded performance, drained batteries and huge data bills. There is also the issue that such apps can lead to devices being infected with more dangerous malware.
And that adware is out of control. In its report, Upstream says that an extraordinary 93 percent of mobile transactions “were blocked as fraudulent in 2019.” That equates to 1.6 billion transactions that would have resulted in $2 billion in fraudulent charges if left unchecked. And the issue is quickly getting worse: the 98,000 bad apps detected last year compare with 63,000 the year before.
Last year, a report by Juniper Research estimated that the total losses from digital advertising fraud have spiralled from $35 billion in 2018 to $42 billion last year. The problem, the report says, will continue to grow, reaching $100 billion by 2023, as “fraudsters gravitate to advanced techniques such as spoofing advertising networks to falsify ad clicks and displayed ads, rather than labour-intensive activities.”
Mobile malware means money. And adware is the fastest route to that money. The system enables what is essentially a mass criminal enterprise, with networks of bad actors sharing code and know-how. The more dangerous forms of malware spin out of the same misery factories; they are traded on the same black markets, coded by the same teams. But adware is currently a money machine, and it’s dominating.
“The distinguishing line between adware and more potent malware is quite blurred,” Maniati says. “More often ad fraud is just an easy and lucrative funding mechanism for the operation and propagation of a malicious application. By design both kinds rely on their ability to receive and execute instructions as dictated remotely by the controlling bad actor and without requiring the app to be updated by the user on the device. So who’s to say what the next set of instructions will be?”
Upstream’s report essentially shines a light on a mass fraud targeting tens, even hundreds of millions of devices at a time. “The means to stop them in their tracks need to likewise operate at scale—it requires a concerted approach… Google, handset manufacturers, operators, app developers, advertisers, publishers and technology providers need to recognize the scale of the problem and tackle it head-on.”
In the meantime, Maniati suggests users pay attention to apps pre-installed on their devices, especially if those devices are budget models. If you insist on installing trivial apps from unknown developers, check the reviews, the permissions, and if the app doesn’t appear legitimate in any way, delete it immediately. While the official Play Store is much safer than the alternatives, beware that half of the “most active malicious apps” detected by Upstream last year were on the official store.
The safest way to protect yourself from trivial apps you don’t need, developed by software outfits you don’t know, is to avoid the temptation to install them in the first place. Once you let bad apps onto your device, your wallet and your data are at risk.