Fraudulent trading apps in Apple and Google app stores - Mobile Security Briefing 2023.102

Sophos released some great analysis last month on fraudulent trading apps in Apple and Google app stores.

What really caught my interest was how the apps passed the app approval processes at both Apple and Google. As a mobile security researcher, I’ve long known that the review processes on both the App Store and Play Store are no substitute for bespoke mobile app security and privacy testing (full disclosure: I’m the co-founder of NowSecure). But what’s interesting here is how the apps evaded the review processes.

Their apps loaded content from a backend service…a very common practice in modern development. However, that makes it very simple for a malicious entity to present an innocuous interface during the review process and then after they are listed, swap in the fraudulent interface.

In this instance, the fraudulent interface allowed for crypto trading and the attackers would actually return money to the victims early in the process. But as the victim became more confident they could make significant money, the trap was sprung and victims lost thousands of dollars. These attacks were a sophisticated because they involved app development, evading Apple and Google, swapping out backends and a coordinated, multi-stage attack involving social engineering, fake profiles, money collection, logistics and more.

The path forward for Apple and Google certainly is challenging. So many apps, nearly all of which are legitimate, rely on the ability for a backend service to serve up the user interface and content to a mobile app. So I don’t see a viable path to remove dynamic content without massive upheaval. Perhaps more rigorous vetting is required on certain types of apps…but then again these apps didn’t all present as trading apps.

In the end, the solution might have to focus more on continuous vetting. While it’s no small undertaking, there is so much at risk not only for victims but for the companies and trust in their platforms. And, last time I checked, both companies make significant revenue off their mobile app stores so additional investment in security is privacy is well within their reach.