Autumn is here, and it's almost time to break out the candy. And for the fun of it, why not add to the festive mood with a Halloween-themed app or two for your phone?
Well, you may want to slow down a bit before decorating your device—if you're not careful, you could invite in some unwelcomed ghouls. Abuses of apps by cyber threat actors come in all shapes and sizes. To protect yourself from Halloween mobile malware, you should be on the lookout for different techniques mobile cyber threat actors will use this October.
How scary is the problem?
A simple keyword search for 'Halloween' inside the RiskIQ platform, which monitors more than 100 app stores around the world, shows more than 7,000 blacklisted mobile apps, approximately 1,400 of which are inside the Google Play store. As you can see in the screenshot below, these apps come in many different languages and cover just about everything—games, informational services, device themes, and even apps that turn you into a zombie or vampire.
But while downloading an app that splatters your device with pumpkins and monsters sounds like fun, the real horror show is the Halloween mobile malware that may come along with your download. Here are three tips to avoid harmful Halloween tricks:
1. Beware of too many permission requests
One of the easiest clues to spot that hints that an app is up to no good is if it asks for excessive permissions. The app below, named “Halloween”, calls for 128 different permissions. It’s probably a good idea to ask yourself why a Halloween arcade game needs access to texts (android.permission.SEND_SMS), calls (android.permission.PROCESS_OUTGOING_CALLS), or the ability to remotely wipe your phone (android.permission.BRICK).
2. Lots of downloads or positive reviews don’t mean an app isn’t harmful
Just because an app appears to have a good reputation doesn’t make it so. Rave reviews can be forged, and a high amount of downloads can simply indicate a cyber threat actor was successful in fooling a lot of victims. Before downloading an app, be sure to take a look at the developer—if it’s not a brand you recognize or has a strange appearance or spelling, think twice. You can even do a Google search on the developer for more clues about its reputation.
The “Halloween Weather Widget Theme,” for instance, appears to be a harmless weather app, boasting over 50,000 downloads. But RiskIQ's blacklist reveals that it's flagged by multiple vendors for delivering Android/Anydown.J, a variant of the Android.Rootnik trojan. The app is currently still up and active in the Google Play store with a strong user rating.
3. Like an app? Know what’s under its mask
To be sure you’re getting more treats than tricks this Halloween, make sure to take a deeper look at each app. New developers, or developers that leverage free email services (@gmail) for their developer contact, can be enormous red flags—cyber threat actors often use them to produce mass amounts of malicious apps in a short period. Also, bad grammar in the description highlights the haste of development and the lack of marketing professionalism that are hallmarks of mobile malware campaigns.
“Halloween Screensaver FREE” is a good example. As a Halloween theme, it may look innocent enough, but it’s flagged by six different antivirus vendors, including a Zillya detection for Downloader.OpenConnection.JS, which attempts to download and execute files from an arbitrary host.
As you can see, its developer uses a free email service, and the description is rife with typos such as “at once glance it also shows you data and time of day.”
Be safe and have fun!
Cyber threat actors in the mobile space have gotten extremely skillful at tricking victims. Even savvy app consumers can be fooled by malicious apps, and children with access to a mobile phone are particularly susceptible to Halloween mobile malware. So, when you and your family look to spruce up your phone with some Halloween fun, remember these tips to stay safe when you get spooky!