
Threat actors’ primary objective is to drive as many downloads of their fake and compromised malicious mobile apps as possible. A tactic that has proven extremely reliable in this regard is social engineering: leveraging holidays, current events, and important dates in threat campaigns to raise awareness of their apps. In August and September, the “back to school” theme begins trending, and campaigns target kids and their families as they prepare for another school year.

A simple keyword search for ‘back to school’ inside the RiskIQ platform returns 9,343 active mobile apps, 1,182 (12.7%) of which are blacklisted. As you can see in the screenshot below, these apps come in many different languages and cover just about everything—games, informational services, device themes—even apps that help you “cheat on your exams”:


Fig-1 Malicious “back to school” apps in the RiskIQ platform

RiskIQ, which uses its crawling platform to monitor over 120 mobile app stores around the world while leveraging approximately 2 billion daily scanned resources to look for mobile apps in the wild, provides insight into how mobile threat actors are getting their “back to school” malicious apps to consumers. We found that the Google Play Store, which has a relatively good reputation but led app stores in total blacklisted applications in Q2, hosts 333 of the blacklisted “back to school” apps.

Here’s what to look for when trying to avoid these malicious apps.

Permissions for Malicious Mobile Apps can be Sketchy

Mobile threat actors use many of the same permissions to exploit users that benign applications use, so consumers should treat permissions as clues to an app’s level of danger by matching the permissions it requires against what the app purports to do. If an app’s permissions are not congruous with the functions it claims to provide, you should be suspicious. For example, does an app really need access to your phone calls, SMS messages, or billing to serve its purpose?

The mobile game below, called “Salon: Back to School,” appears to be a typical mobile game, but it requests 16 different permissions, including access to billing. A quick check in the RiskIQ platform shows that it’s been blacklisted by five different antivirus vendors for android.InMobi adware:


Fig-2 Permissions listed in the blacklisted “Salon: Back to School” game

Beware of Developers Using Free Email Services

RiskIQ’s Threat Research Team sees a rise in free email services such as Hotmail, Gmail, and Yahoo! being used as the contact address for the developer of blacklisted applications. Consumers are advised to be aware of who they expect the app to come from, and verify that the contact of the app they’re downloading is legitimate. For instance, the contact for an app purporting to be from a well-known brand will not be “john.smith@yahoo.com.”

The app below, called “Dress Up School Fashion,” is blacklisted by ten different antivirus vendors for serving malware, adware, and Trojans. Its contact email is namdeewanchai@gmail.com:


Fig-3 “Dress Up School Fashion” has a sketchy contact email

Although many blacklisted apps have no contact email listed, consumers can still look at the developer to see if it’s a brand they recognize. If it’s not, or has a strange appearance or spelling, think twice before downloading. You can even do a Google search on the developer for more clues about its reputation.
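
The two checks described above (permissions that do not fit what the app claims to do, and a developer contact on a free email service) can be run over app-store listing metadata in bulk. The Python below is an added example, not RiskIQ's code; the `Listing` record, the per-category baseline in `EXPECTED`, and the sample listings are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Permission groups the article says to question: calls, SMS, billing.
SENSITIVE = {
    "android.permission.CALL_PHONE": "calls",
    "android.permission.READ_CALL_LOG": "calls",
    "android.permission.READ_SMS": "sms",
    "android.permission.SEND_SMS": "sms",
    "com.android.vending.BILLING": "billing",
}
# Assumed baseline of sensitive groups each store category plausibly needs.
# A mismatch is a reason to look closer at the listing, not a verdict.
EXPECTED = {"game": set(), "education": set(), "communication": {"calls", "sms"}}
FREE_MAIL = {"gmail.com", "hotmail.com", "yahoo.com"}  # services named above

@dataclass
class Listing:
    title: str
    category: str
    permissions: list
    contact: str = ""       # developer contact email; may be missing
    brand_domain: str = ""  # domain of the brand the app claims to be, if any

def review(app: Listing) -> list:
    """Return human-readable findings for one store listing."""
    allowed = EXPECTED.get(app.category, set())
    groups = {SENSITIVE[p] for p in app.permissions if p in SENSITIVE}
    findings = [f"permission group '{g}' not expected for {app.category}"
                for g in sorted(groups - allowed)]
    domain = app.contact.rpartition("@")[2].lower()
    if not app.contact:
        findings.append("no developer contact listed")
    elif domain in FREE_MAIL:
        findings.append(f"developer contact uses free mail service {domain}")
    if app.brand_domain and domain and domain != app.brand_domain.lower():
        findings.append(f"contact domain {domain} does not match claimed brand")
    return findings

# Constructed sample listings (not real apps).
SAMPLES = [
    Listing("School Salon Game", "game",
            ["android.permission.INTERNET", "com.android.vending.BILLING",
             "android.permission.READ_SMS"], "dev.example@gmail.com"),
    Listing("Campus Messenger", "communication", ["android.permission.SEND_SMS"],
            "support@campus.example", "campus.example"),
]

if __name__ == "__main__":
    for app in SAMPLES:
        print(app.title, "->", review(app) or "no findings")
```
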

Don’t Take Their Word for It

Just because an app appears to have a good reputation doesn’t make it so. Rave reviews can be forged, and a high number of downloads can simply indicate a threat actor was successful in fooling victims. For instance, despite being blacklisted, each of the apps listed above has tens of thousands of downloads.

Below is an app from the Google Play Store with thousands of downloads and excellent reviews. However, upon closer inspection, you can see that there’s something strange: the description is barely coherent. This extremely poor grammar highlights the haste of development and the lack of marketing professionalism and acumen that are hallmarks of mobile malware campaigns:


Fig-4 Despite rave reviews, something is amiss (and hard to read) with this app

Protect Yourself

While Google has acknowledged the issues with Android and has committed to fixing them, users are still exposed to risks—particularly those with older phones, with rooted phones, or who download applications from unofficial stores. The fact that thousands of these apps are live in popular stores like Google Play goes to show that consumers are largely left to their own discretion when determining if an app is safe.

Consumers are not the only ones threatened by malicious mobile apps during the back to school season. Brands are also targeted by threat actors who use their logos and branded terms fraudulently to fool people into downloading their apps. Therefore, brands should have a solution that can mitigate the impact and damage. With a proactive, store-first scanning mentality, RiskIQ External Threats mobile app monitoring observes and categorizes the threat landscape as a user would see it while visiting or attempting to download apps. Every app we encounter is downloaded, detonated, analyzed, and stored, giving our customers crucial insight into how their brand appears in the mobile app ecosystem. RiskIQ also records changes and new versions of apps as they evolve.

Contact us for more about how RiskIQ can help defend your mobile attack surface.
