Smartphones put the proverbial world in the palm of your hand—you pay with it, play with it, keep in touch with it, and even run parts of your home with it. No wonder hackers and scammers have made smartphones a target. A prime one.
Each year, our Consumer Mobile Threat Report uncovers trends in mobile threats, which detail tricks that hackers and scammers have turned to, along with ways you can protect yourself from them. For 2023, the big trend is apps. Malicious apps, more specifically.
Malicious and fake apps
Malicious apps often masquerade as games, office utilities, and communication tools. Now, with the advent of the ChatGPT AI chatbot and the DALL-E 2 AI image generator, yet more AI-related malicious apps have cropped up to cash in on the buzz.
And money is what it’s all about. Hackers and scammers generally want your money, or they want your data and personal info that they can turn into money. Creating fraudulent ads, stealing user credentials, or skimming personal information are some of the most common swindles that these apps try. Much of this can happen in the background, often without victims knowing it.
How do these apps end up on people’s phones? Sometimes they’re downloaded from third-party app stores, which may not have a rigorous review process in place to spot malicious apps—or the third-party store may be a front for distributing malware-laden apps.
They also find their way into legitimate app stores, like Apple’s App Store and Google Play. While these stores indeed have review processes in place to weed out malicious apps, hackers and scammers have found workarounds. Sometimes they upload an app that’s initially clean and then push the malware to users as part of an update. Other times, they embed the malicious code so that it only triggers once it’s run in certain countries. They will also encrypt bad code in the app that they submit, which can make it difficult for stores to sniff out.
In all, our report cites several primary ways that hackers and scammers are turning to apps today:
- Sliding into your DMs: 6.2% of threats that McAfee identified on Google during 2022 were in the communication category, mainly malware masquerading as SMS and messaging apps. But even legitimate communication apps can create an opportunity for scammers. They will use fraudulent messages to trick consumers into clicking on a malicious link, trying to get them to share login credentials, account numbers, or personal information. While these messages sometimes contain spelling or grammar errors or use odd phrasing, the emergence of AI tools like ChatGPT can help scammers clean up their spelling and grammar mistakes, making it tougher to spot scam messages by mistakes in the content. The severity of these communication threats is also evident in the share of adults (66%) who have been messaged by a stranger on social media, with 55% asked to transfer money.
- Taking advantage of Bring Your Own Device policies: 23% of threats that McAfee identified were in the tools app category. Work-related apps for mobile devices are great productivity boosters—categories like PDF editors, VPNs, messaging managers, document scanners, battery boosters, and memory cleaners. These types of apps are targeted for malware because people expect the app to require permissions on their phone. Scammers will set up the app to ask for permissions to storage, messaging, calendars, contacts, location, and even system settings, which allows scammers to retrieve all sorts of work-related information.
- Targeting teens and tween gamers with phones: 9% of threats that McAfee identified were casual, arcade, and action games. Malicious apps often target things that children and teens like, such as gaming, making videos, and managing social media. The most common types of threats detected within the gaming category in 2022 were aggressive adware—apps that display excessive advertisements while using the app and even when you’re not using it. It’s important to make sure that kids’ phones are either restricted from downloading new apps, or that they’re informed and capable of questioning suspicious apps and identifying fraudulent ones.
How you can avoid downloading malicious and fake apps
For starters, stick with legitimate app stores like Google Play and Apple’s App Store, which have measures in place to review and vet apps to help ensure that they are safe and secure. And for the malicious apps that sneak past these processes, Google and Apple are quick to remove them once discovered, making their stores that much safer.
1) Review with a critical eye.
As with so many attacks, hackers rely on people clicking links or tapping “download” without a second thought. Before you download, take time to do some quick research. That may uncover some signs that the app is malicious. Check out the developer—have they published several other apps with many downloads and good reviews? A legit app typically has quite a few reviews, whereas malicious apps may have only a handful of (phony) five-star reviews. Lastly, look for typos and poor grammar in both the app description and screenshots. They could be a sign that a hacker slapped the app together and quickly deployed it.
2) Go with a strong recommendation.
Yet better than combing through user reviews yourself is getting a recommendation from a trusted source, like a well-known publication or from app store editors themselves. In this case, much of the vetting work has been done for you by an established reviewer. A quick online search like “best fitness apps” or “best apps for travelers” should turn up articles from legitimate sites that can suggest good options and describe them in detail before you download.
3) Keep an eye on app permissions.
Another way hackers weasel their way into your device is by getting permissions to access things like your location, contacts, and photos—and they’ll use sketchy apps to do it. So, check and see what permissions the app is requesting. If it’s asking for way more than you bargained for, like a simple game wanting access to your camera or microphone, it may be a scam. Delete the app and find a legitimate one that doesn’t ask for invasive permissions like that. If you’re curious about permissions for apps that are already on your phone, iPhone users can learn how to allow or revoke app permission here, and Android users can do the same here.
4) Protect your smartphone with security software.
With all that we do on our phones, it’s important to get security software installed on them, just like we install it on our computers and laptops. Whether you go with comprehensive online protection software that secures all your devices or pick up an app in Google Play or Apple’s App Store, you’ll have malware, web, and device security that’ll help you stay safe on your phone.
5) Update your phone’s operating system.
Together with installing security software, keeping your phone’s operating system up to date can help to keep you protected from most malware. Updates can fix vulnerabilities that hackers rely on to pull off their malware-based attacks—it’s another tried and true method of keeping yourself safe and your phone running great too.
Protecting yourself while using apps
Who can you trust? As for scammers who use legitimate communications apps to lure in their victims, McAfee’s Mobile Research team recommends the following:
- Be suspicious of unsolicited emails, texts, or direct messages and think twice before you click on any links.
- Ensure that your mobile device is protected with a security solution that includes features to monitor and block potentially malicious links, such as the web protection found in our own online protection software.
- Remember that most of these scams work because the scammer creates a false sense of urgency or preys on a heightened emotional state. Pause before you rush to interact with any message that is threatening or urgent, especially if it is from an unknown or unlikely sender.
- If it’s too good to be true, it probably is. Whether it’s a phony job offer, a low price on an item that’s usually expensive, a stranger promising romance, or winnings from a lottery you never entered, scammers will weave all kinds of stories to steal your money and your personal information.
Get the full story with our Consumer Mobile Threat Report
The complete report uncovers yet more mobile trends, such as the top mobile malware groups McAfee identified in 2022, predictions for the year ahead, ways you can keep your children safer on their phones, and ways you can keep yourself safer when you use your phone for yourself and for work.
The full report is free, and you can download it here.