February 9, 2017, Mike Browning
This Valentine’s Day, think twice—you may be downloading a malicious dating app.
Nothing gives singles a painful reminder of their loneliness quite like Valentine’s Day. The approach of February 14th causes a recurring seasonal spike in the availability and downloads of legitimate, illegitimate, and malicious mobile apps related to romance and dating. According to marketing data intelligence firm AppAnnie, dating apps currently comprise 14 of the top-25 grossing lifestyle apps and two of the top-25 grossing overall apps.
Unfortunately, this predictably frenetic February dating app activity plays right into the hands of cyber threat groups and individuals looking to take advantage of heartache-induced lapses of judgment. These threat actors will leverage popular keywords and branding of well-known dating apps to trick people into downloading their fake and malicious apps, which can steal sensitive information, redirect traffic to malicious pages, and infect devices with malware.
To combat this problem, RiskIQ applies its crawling platform to monitor 120+ mobile application stores and the nearly 2 billion resources we scan daily to look for mobile apps in the wild. With this proactive store-first scanning mentality, we observe and categorize the threat landscape as a user visiting app stores and downloading applications would. Every app we encounter is downloaded, detonated, analyzed, and stored to build a repository of over 14,000,000 mobile apps.
For our 2017 Valentine’s Day dating app research, we queried this data repository to find apps utilizing the names of seven of the most popular dating apps in the United States:
We found hundreds of mentions of these seven brands in apps and app stores around the world. While not all of the apps listed in Fig-1 are harmful to users, the vast majority of them have nothing to do with the brands they’re leveraging. Because these brands have no control over the content of the apps using their names, this (often fraudulent) activity can result in false brand association and the degradation of trust with consumers.
Totals of Active and Inactive Apps Found by RiskIQ (Fig-1)
Although not all the apps we found are directly harmful to end-users, many are extremely dangerous and have been blacklisted by RiskIQ as a result. These malicious dating apps were built to be used for phishing, distributing malware, or redirecting users to malicious pages:
Amount of Active and Inactive Malicious Apps Blacklisted by RiskIQ (Fig-2)
The global app ecosystem is a wild and unruly place, and not all bad apps have been blacklisted. One tell-tale sign of a malicious app is if it asks for excessive permissions or permissions that aren’t consistent with the promised function of the app. In 2017, RiskIQ found that the top-20 permissions used by both legitimate and blacklisted applications remained roughly the same as years past. This consistency shows that malicious apps are using the same behaviors as legitimate ones, only for nefarious ends.
Many of the apps in Fig-1 asked for permissions that are unusual for a dating app, such as access to premium SMS and recording audio and video:
Permissions for Each App (Fig-3)
This Valentine’s Day, we know threat actors are taking aim at victims looking to download romance and dating-related apps. By following these steps, you can save yourself from a broken heart:
Users should make sure that the capabilities an app requests match what they expect it to do—malicious apps are much more likely to ask for vast swathes of extra permissions, well beyond what their core function would suggest they need. These might include the subtly suspicious permissions in Fig-3 above, or some that are completely out of the ordinary, such as being able to wipe a phone back to factory settings.
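The permission check described above, written out as an added example (not RiskIQ code): it parses an Android manifest, compares the requested permissions against an assumed baseline for a dating app, weights the ones the post singles out (premium SMS, audio recording) higher, and separately detects a device-admin receiver, which is how an app gains the ability to lock or factory-reset a phone. The baseline set, the risk weights and the sample manifest are all assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
EXPECTED_DATING_PERMS = {  # assumed baseline for a dating app, not an official list
    "android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.CAMERA",
}
HIGH_RISK_PERMS = {  # permissions the post singles out as inconsistent with dating
    "android.permission.SEND_SMS": "can send premium-rate SMS",
    "android.permission.RECORD_AUDIO": "can record audio",
    "android.permission.READ_CONTACTS": "can harvest the address book",
}

def requested_permissions(manifest_xml):
    """Names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NS + "name") for el in root.iter("uses-permission")} - {None}

def declares_device_admin(manifest_xml):
    """True if a receiver is guarded by BIND_DEVICE_ADMIN (can request wipe/lock policies)."""
    root = ET.fromstring(manifest_xml)
    return any(el.get(NS + "permission") == DEVICE_ADMIN for el in root.iter("receiver"))

def assess_manifest(manifest_xml, expected=EXPECTED_DATING_PERMS):
    """Return (findings, score): unexpected perms weigh 1, high-risk 3, device admin 5."""
    unexpected = sorted(requested_permissions(manifest_xml) - expected)
    findings = [(p, HIGH_RISK_PERMS.get(p, "outside the expected set")) for p in unexpected]
    score = sum(3 if p in HIGH_RISK_PERMS else 1 for p in unexpected)
    if declares_device_admin(manifest_xml):
        findings.append((DEVICE_ADMIN, "device admin: can lock or factory-reset the device"))
        score += 5
    return findings, score

# Constructed sample manifest for a fake dating app (not a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakedating">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application><receiver android:name=".Admin"
      android:permission="android.permission.BIND_DEVICE_ADMIN"/></application>
</manifest>"""

if __name__ == "__main__":
    findings, score = assess_manifest(SAMPLE_MANIFEST)
    for perm, why in findings:
        print(f"{perm}: {why}")
    print("risk score:", score)
```

Run against a real APK by extracting the decoded AndroidManifest.xml first (the binary manifest inside the APK must be decoded before this parser can read it).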
Just because an app appears to have a good reputation doesn’t make it so. Rave reviews can be forged, and a high number of downloads can simply indicate that a threat actor was successful in fooling a lot of victims. Before downloading an app, be sure to take a look at the developer—if it’s not a brand you recognize, or it has a strange appearance or spelling, think twice. You can even do a Google search on the developer for more clues about its reputation.
Fig-4 This app blacklisted by RiskIQ has over 18,837 downloads
RiskIQ research found that Q4 2016 brought with it a host of new malicious applications, as well as the stores to serve them, a trend we expect will continue in 2017. Cyber threat actors are starting to move away from legitimate stores such as the Apple App Store and Google Play, focusing more on feral applications and secondary hosting providers.
For example, one of the newly added stores, AllFreeAPK, shot immediately into our list of top 10 all-time providers of blacklisted applications within the first few months of being tracked.
Fig-5 Examples of malicious “Tinder” apps in the AllFreeAPK store
This Valentine’s Day, make sure to take a deeper look at each app. New developers, or those that use free email services (@gmail) for their developer contact, can be huge red flags—threat actors often use them to produce mass amounts of malicious apps in a short period. Also, bad grammar in the description highlights the haste of development and the lack of marketing professionalism that are hallmarks of mobile malware campaigns.
Fig-6 This dating app leveraging a URL linking to OkCupid in the description does not quite sound like it was created by a professional…
RiskIQ differs from other monitoring systems that rely on end users employing their virus scanning tools and manual sample submissions. RiskIQ Mobile Threats provides discovery across all major app stores as well as more than 150 less common stores, including focused coverage of high-risk stores and regions for brand impersonation, malware, and fraud. In addition to unparalleled coverage of third-party app stores worldwide, RiskIQ incorporates a unique source of “feral app” binaries, or mobile apps collected outside of dedicated mobile app stores, for example via drive-by download. With this comprehensive mobile presence knowledge, organizations have the unparalleled ability to:
To analyze the methods threat actors will employ this Valentine’s Day and where they’re targeting their malicious efforts, RiskIQ ran a keyword query of the mobile app database* looking for instances of the brand names of seven leading dating apps in the United States.
The findings confirmed that threat actors are using these well-known dating apps specifically to exploit their popularity.
*The source of RiskIQ’s Blacklists is our collection of internet data, which our collection architecture of virtual users gathers by scanning, crawling, and passive-sensing the internet—including web pages, mobile apps and stores, and a variety of social websites and apps. RiskIQ’s crawling technology covers more than 300 million mobile devices, 1.8 billion HTTP sessions, 783 global locations across more than 100 countries, 16 million mobile apps, and 300 million domain records.