Recently, there have been a number of articles reporting fake apps circulating the Google Play store.
Although these ‘lookalike’ apps have been popping up for years, people are still getting caught out as they are designed to closely mirror the app they are passing off as.
Reputable sites such Google Play and Apple’s App Store have extensive processes in place to prevent malicious applications from being uploaded to their sites, however, these apps have been so convincing that they have managed to sneak through.
These ‘lookalike’ apps are designed to steal private and sensitive information by closely resembling the apps of well-known and trusted brands. The types of apps that are being targeted are commonly found within the banking and retail industries. This, as you can imagine, is because the perpetrators can steal banking details alongside names, addresses, login details and passwords, granting them access to your hard-earned funds.
Quite often the user of the ‘lookalike’ app is unaware they have been targeted.
So, what are the key indicators that the app is fake?
We have put together this quick guide so that you have the knowledge to avoid becoming another cyber attack victim.
How to spot a fake app in the app store
For the purpose of this article,we have taken screenshots from the
Commonwealth Bank of Australia’s listing on the Google Play store on the 26/09/2018
Step 1 – Read the app description
A quick read of the app description will help indicate whether the app is fake or not. If a description contains basic grammatical errors, fake email addresses or sentences that don’t make sense, the likelihood is that it’s a fake app as most reputable companies have teams of copywriters who never make mistakes.
Furthermore, the description should provide a registered ABN and a credit licence if it’s a banking service.
ABN’s are a unique, 11-digit registered code required by the Australian Taxation Office that verifies Australian business names to the government and public. It is a legal requirement that most businesses operating in Australia must utilise for tax and identification purposes.
If the description does not include an ABN and you wish to verify the company, you can search their trading name here.
Step 2 – Read the app reviews
Common practice is for the person leaving the review to provide their name and the date they conducted the review so that the reader can gauge whether real people are using the app and make a decision about downloading it. However, app reviews can be spoofed by automated fake accounts in the favour of the publisher, to get more downloads and climb the rankings in the app store.
Other important identifiers in the review sections are the number of reviews that have been left and if they have similar consistencies.
Be concerned if the scores and comments share the same consistencies (i.e. 5 stars out of 5 for every review), there are little to no reviews or if they look to have been auto-generated. An app from a well-known business is likely to have a high volume of downloads and reviews with varying comments and scores.
RULE OF THUMB: Remember that the number of reviews should reflect the company size. For example, a large Australian bank may have up to ten thousand app reviews. If the number is excessively high or suspiciously low, you should avoid downloading the app.
Step 3 – Read the developer description
Before downloading the app, you should read the developer section because it contains important information that will help you determine if the app is real or fake.
If you are unsure if the developer exists, search their business name and location on Google. For example, if you download the Facebook app, the developer should be Facebook, not ‘FACE BOOK’, ‘Facebook*’ or ‘Sugar Honey Ice Tea Developers’.
Avast security suffered from an attack last year, where the ‘fake app’ was developed by ‘Lose Fat Secret Fitness Pal Avast Avira AVG Clean’.
A real developer description should contain:
- The app developers name
- Who is publishing the app
- A link to the developer’s official website
- An official email address for you to raise any questions or concern
- The developer’s address
Step 4 – Visiting the website of the app you are about to download
By visiting the website of the app you wish to download, you may discover a link to the official app where you will be redirected to the reputable app store of your choosing in a separate tab if you choose to do so.
A second benefit of visiting the website is that they generally post in their information/news section if they are aware of any scams occurring targeting their mobile application users.
Step 5 – Check app permissions
App permission requests are another handy tool which can help you identify fake apps.
For example, if you download a stopwatch app, it would be unusual if the app requests your permission for access to your messages, calls, microphone, camera, location, contacts, etc.
If an app is requesting permission for access to something that you don’t believe that it should, it’s best to avoid it.
Step 6 – Report the site
If you happen to discover a fake app or become suspicious, you should report it.
At the end of the day, the app stores have teams of people who will investigate your request and no real harm can occur as there is an in-depth review in place before they take it down.
Once several reports have been issued for an app, it will be reviewed by the site and removed if it is fake. Official sites will have a policy which the app developer has to abide by and apps that do not adhere will be removed.