Last February, some potentially malicious apps that could be used as spy tools were identified by CBS News, who gave some needed tips and warnings designed to mitigate the consumer rush to download the avalanche of mobile apps flooding the marketplace. Specifically, the warning was aimed at those downloading popular free apps for Android phones and iPhones – 75 to 80 percent of which had been breached, said CBS News. Ironically, the number of potentially malware-infected apps jumps to as high as 97 percent among the top paid apps on iPhones and Androids.
No matter if they are proffered by unscrupulous advertisers or black hat hackers looking to steal your private information, awareness and discernment are everything when searching for mobile app downloads. Case in point: California resident Susan Harvey reported over $5,000 in unauthorized transactions after she bought a slot machine game app through Google Play.
“It was something you purchased once, for like $15,” Harvey said.
When she went to reload the game, she found hundreds of unauthorized purchases had been made. “My heart sank, I just sat there looking at it… I was physically sick, because I didn’t know what they were,” Harvey said.
Susan Harvey’s story’s no surprise to cybersecurity expert Gary Miliefsky, whose company tracks malware. He said certain apps are designed to steal your personal information.
When asked what the potential consequences for consumers are, should they download a malicious app, Miliefsky replied, “You’re going to lose your identity. You’re going to wonder why there was a transaction. You’re going to wonder how someone got into your bank account and paid a bill that doesn’t exist.”
Milifesky added that when you download an app, you also give permission for it to access other parts of your phone, like an alarm clock app that can also track your phone calls. He explains that an alarm clock doesn’t need all those permissions, intrinsically. It doesn’t need to access to the Internet over Wi-Fi, or your call information, recent calls you’ve made, call history, or your device ID.
“This to me is not a safe alarm clock,” Miliefsky said.
And there’s the weather and flashlight apps that Miliefsky says exploit legitimate banking apps to capture information, which can happen when someone takes a photo of a check to send to their bank.
“The flashlight app spies on the camera and notices the check and grabs a copy of it, then ships it off to a server somewhere far away,” Miliefsky said.
Last year the group FireEye discovered eleven malware apps being used on iPhones that gathered users’ sensitive information and sent it to a remote server, including text messages, Skype calls, contacts and photos. Apple fought back by removing the apps and putting stricter security measures in place.
“They get at your GPS, your contacts list…to build a profile on you,” Miliefsky warned.
Some apps, though, are simply collecting information for advertising and marketing purposes. In 2014, the Federal Trade Commission settled a lawsuit with a company over its popular Brightest Flashlight app, alleging it transmitted consumers’ personal information to third parties without telling them. But Miliefsky said he’s found another flashlight app that can do much more troubling things.
“This one turns on your microphone in the background, listens in on you, and sends an encrypted tunnel to a server we discovered in Beijing,” Miliefsky recounted.
Miliefsky relates that they’re actually listening to people’s conversations and sending that audio back to Beijing.
“We’ve tracked it. I can show you where it does it,” he said. Miliefsky said it can be traced to a few blocks from Tiananmen Square on Information Drive in Beijing. And, he actually gave a report on that app to the FBI.
Miliefsky calls it “spyware at the nth degree,” and makes a pointed recommendation that, ”We really have to look at our phones and say, ‘This is really a personal computer that fits in our pocket. Let’s shut down all the apps we don’t use. Let’s delete apps that don’t make sense and reduce the risk of being spied on.’”
The creator of the Brightest Flashlight app ended up settling with the FTC, agreed to change his company’s policy, and delete all the unauthorized information it had gathered.
Susan Harvey sued Google over her alleged hack, but a judge recently dismissed it, saying she and her attorney filed too late. Google said fewer than one percent of Android devices got bad apps in 2014 – which is still a considerable number when you consider that there are now roughly 1.5 billion Android devices in use globally.
If you are concerned about safe mobile app downloading and usage and need help, you should consider a consultation with Computer Rescue , a leader in IT consulting, services, and management. Call us at (403) 686-4567 or email us at firstname.lastname@example.org and we will be happy to help you with any questions or concerns you may have.