Pirated Android apps are only part of the problem

The DOJ has shut down sites accused of distributing pirated apps, but there are worse things you can download from third-party app stores.

The United States Department of Justice (DOJ) has seized three websites for alleged copyright violations. The sites are accused of illegally distributing Android apps. When dealing with third-party mobile app sites, though, pirated apps may be the least of your worries. The more pressing concerns: your privacy and security.

One of the defining features of Android is its "openness". In contrast to other mobile platforms, Google's Android ecosystem allows users much more latitude in customizing the mobile device itself. It also enables users to acquire apps from a variety of sources outside of the official Google Play store.

In the case of the websites targeted by the DOJ, Android's openness simply means that users may be unknowingly buying illegal, pirated apps. However, the lack of a review process, or any sort of curating of the apps by a trusted source also means that it's much easier for malicious apps to be distributed as well.

Just this week a new piece of Android malware was found to be infecting an estimated 500,000 devices. SMSZombie steals money via fraudulent SMS payments, and is exceptionally difficult to remove. The malware was downloaded from third-party Android app sites by users who believed they were downloading a benign wallpaper app.

Apple more or less pioneered the concept of the app store. In fact, it has engaged in trademark litigation against Amazon claiming that it owns the right to the very term "app store". One thing that sets Apple apart from Android when it comes to apps is that legitimate apps can only be acquired from the official Apple App Store, and those apps must all be reviewed and approved by Apple before being made available to the public.

There are rogue third-party app sites for Apple devices as well, but they only work with jailbroken iOS devices. Jailbreaking essentially removes the restrictions and limitations on the device--enabling it to download apps from outside of the Apple App Store. However, it also removes security controls and opens the iOS device up to potential malware attacks or compromise from malicious apps.

Amazon has its own Android app store, which straddles the line between Android's openness and Apple's "walled garden". The apps distributed by Amazon are reviewed, so the apps are ostensibly safe, and users can download them with greater confidence.

Curated or not, though, no app store is invulnerable to malicious apps. Respected security researcher Charlie Miller demonstrated that even the Apple App Store is vulnerable by sneaking an app with a malicious payload past the Apple reviewers. He's not the only one, either.

It makes sense to exercise some discrimination when acquiring apps. First, only shop at or download from sites that seem credible and reasonably safe in the first place. Second, check out the reviews for apps, and stay away from shady apps or apps with an abundance of negative reviews.

Most importantly, though, users need to recognize that mobile devices--whether smartphones or tablets--are essentially just mobile computers. Attackers have taken notice and new threats against mobile devices are being discovered at an alarming rate.

You should use the security controls available on the mobile device itself, and make sure you use some sort of antimalware or security tools to protect your mobile devices, and your traditional PCs from malware threats and other attacks.

Join the CSO newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Charles Ripley

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts