Cybercriminals clone pirate versions of top Android and iOS apps

Third-party markets now a parallel app universe

Cybercriminals are using third-party app sites to peddle reverse-engineered or 'pirate' versions of almost all the most popular paid apps available on the Google Play and Apple App Stores, software firm Arxan has discovered.

The firm uncovered this parallel app universe in a similar piece of research last year and for 2013 not much appears to have changed.

Looking at a total of 230 apps - the top 100 paid apps and top 15 free apps for Android and iOS - Arxan found that 100 percent of the top paid apps on Android and 56 percent on iOS were being impersonated in a compromised form on grey markets.

For free apps, the analysis found that 73 percent of Android apps in the top 15 existed in a bogus form on third-party stores, slightly worse than the 53 percent for iOS. Arxan also looked at popular financial apps, 20 from each platform, finding that half of the Android samples existed as hacked versions, against a quarter for iOS.

"The widespread use of 'cracked' apps represents a real and present danger given the explosion of smartphone and tablet use in the workplace and home," said Arxan CTO, Kevin Morgan.

"Not only is IP theft costing software stakeholders millions of dollars every year, but unprotected apps are vulnerable to tampering: either through installed malware or through decompiling and reverse engineering - enabling hackers to analyze code and target core security or business logic that is protecting or enabling access to sensitive corporate data."

Important qualifications should be made when presenting this in terms of the real-world threat. In countries such as the US and UK, third-party stores (aside from dedicated stores such as Amazon's) have a very small market presence. On iOS it is not possible to even use a third-party store unless the device has been jailbroken, which limits the numbers visiting them to a small fringe.

The vast majority of users are unlikely to ever encounter these pirate apps, although it is also true that Google doesn't exactly have an unblemished record at keeping bogus knock-off apps out of its own store.

Still, Arxan had detected that some of the grey apps had been downloaded half a million times, most probably to smartphones in countries where third-party sites have a stronger cultural presence.

"[This] gives a sense of the magnitude of the problem especially as we embark upon a season of high consumer activity that will involve payment transactions, and consumption of products and services via the mobile endpoint," said Morgan.

Arxan's larger message is really for app developers themselves, who it said should resist reverse engineering by deploying code-protection technology to defeat static and runtime attacks. Pirated apps depend on being able to replicate legitimate apps, so this form of security is essential, Morgan said.

"The challenge for greater mobile application security remains significant and core recommendations for improving mobile application security need to be integrated early in the application development lifecycle and made a key component of any mobile first strategy."

Stories by John E Dunn