Showcase Instances: How Hackers Distribute Spyware through App Stores
Cybercriminals can distribute spyware through the official App Store and Google Play, experts warn. The attackers disguise their malicious software as useful services and, once it is installed, steal both personal data and money from their victims. For more on how hackers spread digital spies through app stores, how to recognize malware, and what to do if you have already downloaded such a program, see the Izvestia article.
Who places spyware in app stores and why?
Cybercriminals place spyware in the official App Store and Google Play with the main purpose of collecting confidential user data, Konstantin Gorbunov, a leading network threat expert and web developer at Security Code, said in an interview with Izvestia. Such information includes, in particular, bank card data, account logins and passwords (if the application turns out to be phishing), geolocation and contact lists.
"The information collected is either used for direct theft of funds, for example through access to banking applications, or sold on the black market; the motivation is mainly financial," says the expert. "As in the case of fake banking applications, attackers do not need a long-term presence in the store; they need a quick profit from deceived users."
In addition to cybercriminals, spyware can also be placed by stalkers, hacktivists and marketing scammers, adds Sergey Polunin, head of the IT infrastructure protection solutions group at Gazinformservice. Not all of them are after users' money; some are more interested in telemetry and behavioral analytics, which can then be sold to interested parties.
What functionality distinguishes spyware?
The key feature that distinguishes spyware is a request for excessive permissions that do not correspond to the stated functionality, says Konstantin Gorbunov. For example, a simple "flashlight" or "calculator" asks for access to contacts, SMS, the microphone or call history. The second sign is aggressive advertising and intrusive offers to update "system components".
"The main danger of such software is the leakage of personal data, leading to financial losses, blackmail or theft of personal accounts," says the Izvestia interviewee. "At the same time, its main difference from 'classic' viruses is credibility, which is de facto higher, since the program is hosted on the official store."
It is important to understand that on modern mobile operating systems (OS) applications do not hack anything: the user grants all the necessary permissions himself, notes Sergey Polunin. And if the user has given unjustifiably broad access rights to a questionable application, he should not be surprised if his personal photos and correspondence later end up online. In turn, Semyon Rogachev, head of the incident response department at Bastion, adds that when placing spyware in official app stores, attackers mostly disguise it as one of three categories:
- system applications (QR code scanners, optimizers, and so on);
- financial applications (disguised as bank applications, as well as applications for cryptocurrency transactions);
- entertainment applications (various games, clones of social networks, and so on).
When placing apps in official stores, attackers often follow download trends, the expert notes. If a particular application or class of applications is gaining popularity, spyware masquerading as it is likely to appear, such as fake clients for neural networks.
"The chance of encountering spyware in the official stores, the App Store or Google Play, is significantly lower than in third-party sources," says Konstantin Gorbunov. "However, as practice shows, even there moderation is not perfect because of the huge flow of new applications and updates. Verification is often limited to formal compliance with policies, and a detailed analysis of the application's behavior takes place after the fact, based on user complaints."
How to recognize a spyware program in the app store
To recognize a spyware program, first analyze the permissions it requests. Access to the device's functions must strictly correspond to the program's declared functionality. If a simple "flashlight" application wants access to the calendar or microphone, this is an alarming signal, says Konstantin Gorbunov.
"The next important step is to check the developer: it is worth studying the publisher's name and its other applications," says the Izvestia interviewee. "Malicious software is characterized by new accounts, a single application in the portfolio, or many simple programs of the same type."
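The permission mismatch that Gorbunov describes here and in the earlier section on what distinguishes spyware can be checked mechanically before installing an app. The following is an added example written for this article, not code from Izvestia or from any of the companies quoted: it parses the `<uses-permission>` entries of an Android manifest and flags sensitive permissions that the app's declared purpose does not account for. The category baselines (`EXPECTED`) and the two manifests are constructed for illustration; the permission names and the Android XML namespace are real.

```python
"""Flag apps whose requested permissions exceed what their declared purpose needs.

Added example, not from the Izvestia article or any vendor tool. It parses the
<uses-permission> entries of an AndroidManifest.xml and compares them with a
baseline of what an app of the stated category plausibly needs. The category
baselines and the two manifests below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Real namespace used for the android:name attribute in manifests.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that expose personal data or money-relevant channels; the
# article's own examples are contacts, SMS, microphone, call history, calendar.
SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CALENDAR",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
}

# What an app of a given declared purpose plausibly needs (constructed baselines;
# extend per category as you learn what legitimate apps in that category request).
EXPECTED = {
    "flashlight": {"android.permission.CAMERA", "android.permission.FLASHLIGHT"},
    "calculator": set(),
    "qr_scanner": {"android.permission.CAMERA", "android.permission.INTERNET"},
}


def parse_permissions(manifest_xml: str) -> list[str]:
    """Return the android:name of every <uses-permission> element, in order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")]


def excessive_permissions(category: str, permissions) -> list[str]:
    """Sensitive permissions that the stated category does not account for."""
    baseline = EXPECTED.get(category, set())
    return sorted(p for p in permissions if p in SENSITIVE and p not in baseline)


def triage(category: str, manifest_xml: str) -> dict:
    """Verdict for one manifest: which sensitive permissions are unexplained."""
    perms = parse_permissions(manifest_xml)
    excess = excessive_permissions(category, perms)
    return {
        "category": category,
        "requested": perms,
        "unexplained": excess,
        "suspicious": bool(excess),
    }


# Constructed manifests: a plausible flashlight and one matching the article's
# "flashlight that wants contacts, SMS, microphone and call history" pattern.
BENIGN_FLASHLIGHT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.torch">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.FLASHLIGHT"/>
</manifest>"""

GREEDY_FLASHLIGHT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.torch.pro">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
</manifest>"""


if __name__ == "__main__":
    for label, xml_text in (("benign", BENIGN_FLASHLIGHT), ("greedy", GREEDY_FLASHLIGHT)):
        print(label, triage("flashlight", xml_text))
```

The check is a heuristic, not a verdict: a clean result only means the manifest is consistent with the app's stated purpose, which, as the article notes, is exactly what a well-disguised app will try to look like, so the developer and review checks described in this section still apply. The baseline table is the part that needs care; a category with an overly generous baseline hides the very mismatch the check is meant to surface.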
In addition, it is worth paying attention to text reviews, especially negative ones, where specific problems are described — high ratings without detailed comments often turn out to be inflated, Konstantin Gorbunov notes. The most reliable method is considered to be downloading mission-critical applications (banking, messengers) only through links from official websites of organizations, and not through store searches, which is especially important in the current environment.
"When you try to install malware, your phone will 'swear' many times and ask you not to install the application," adds Nikita Leokumovich, head of digital forensics and cyber intelligence at Angara MTDR. "The antivirus will continue to 'swear', but unfortunately, few people stop it."
If you have downloaded a questionable application, pay attention to its behavior, advises Sergey Polunin. If it consumes traffic, drains the battery and is constantly running in the background for no apparent reason, this is a reason to think about the safety of its use. At the same time, according to Dmitry Kalinin, a cybersecurity expert at Kaspersky Lab, if the malware authors managed to bypass moderation in the official app store, it will be extremely difficult for an ordinary user to recognize such a program, so it's worth using a protective solution on a smartphone.
How to properly remove a spyware program from your phone
If a suspicious application ends up on your gadget, experts interviewed by Izvestia advise following a series of sequential steps to clean the device. First of all, the application must be deleted immediately. At the same time, if standard removal is not possible, this indicates a serious threat, says Konstantin Gorbunov.
"If confidential data such as passwords or bank details were entered, it is urgently necessary to change the passwords for all linked accounts, starting with mail and banking services, and, if necessary, block cards," the expert advises.
In addition, it is recommended to enable two-factor authentication and check the device's security settings, including the permissions of other applications. As a last resort, you can reset the device to factory settings, saving important information beforehand. To protect other users, you should file a complaint with the app store demanding that the malware be removed.
In general, once a spyware program has been installed, the recommendations depend on what data it was after, which in 99% of cases an ordinary user simply will not be able to find out, notes Dmitry Kalinin. An antivirus can come to the aid of Android users, but there is no such option on iOS devices, where all removal must be done manually, the expert concludes.
Translated by Yandex Translate.