Mobile Security

Impostor apps: How to spot a fake app before it's too late

Michal Škvor, 2 November 2017

It’s happened to Avast, WhatsApp, Waze, and Facebook, so yes, it’s worth looking twice before you download.

In today’s digital world, imitation is almost never the “sincerest form of flattery.” More often than not—and especially for apps we purchase for our digital devices—a “copycat” can turn out to be a rip-off.

Here’s the reality in which we live: even within a reputable app store (let’s say the Google Play Store, for example), you may not always end up with the purchase you bargained for. And worse, it may cost more than you imagined. In this post, we’ll show you how to spot a fake app before it’s too late. And there’s no better way to do so than by example...

We don’t make this stuff up

Turns out even a brand name dedicated to next-gen security, protecting online privacy and fighting cybercrime around the world can find itself in the middle of a fake app scandal. That’s right: the Avast Android app was knocked off and published on the Google Play Store. While it was quickly taken down thanks to a hawk-eyed analyst who reported it, those who downloaded the fake app soon found themselves awash in a flood of ads, which seemed to be the only real purpose of the phony app.

The perpetrator was a developer named DevTech Inc., an entity that has posted a host of fraudulent apps, including one posing as a Waze plug-in. While these have all since been removed from the Google Play Store, they stayed up for longer than you might think, and they did successfully hoodwink unsuspecting users into downloading them.

What’s up with WhatsApp (and more)?

Cybercriminals and scammers count on their victims being too busy to notice anything’s amiss. Look at the WhatsApp options above. At first glance, the logos look similar and the developer’s name for each seems to be WhatsApp. But look closer and you’ll see the key differences that make the fakes stand out.


Avast, Waze, Facebook, WhatsApp—no one is safe. If it’s a popular app, odds are there is a fake out there impersonating it. The above apps all look legit, until you notice the developer’s name on the Messenger one.

So, going back to our own impersonator, were there any warning signs that could have flagged that phony Avast app as fake? Yes, and excellent question. In fact, any time you are considering downloading an app, always ask yourself these questions:

  • What’s the name of the developer? The name usually tells you everything. Why would Avast have an app developed by someone who is not Avast? It wouldn’t. Last year another phony Avast app was discovered, and the developer’s name in that case was “Lose Fat Secret Fitness Pal Avast Avira AVG Clean.”
  • Do the reviews and ratings seem suspect? Always review the reviews, both the 5-star and the 1-star ones. In general, the more reviews, the more legit the situation. If there are hundreds of reviews, you’ll know that the app has stood the test of time. If there are only a few, and they’re glowing, then they could very likely be phony reviews written by the criminal developer. In the case of the fake Avast app, ten people noted its fraudulence in the review section. Those reviews may have been overlooked, though, as between 50 and 100 users downloaded the app anyway.
  • Do the performance and promises seem over-the-top? If they are outlandish, be wary. The fake Avast app first insisted you had to give it a rating of five stars in order to activate it, which is a red flag in itself. But then it went on to promise that it would enter you for a chance to win an iPhone X, a device that Apple wasn’t even selling at the time!
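The three questions above can also be run as a triage check over store-listing metadata. The sketch below is an added example, not Avast's code; the publisher allowlist, the 100-review cut-off, the dict field names and the sample listings are all constructed assumptions.

```python
import re

# Assumed allowlist (illustrative): brand keyword -> exact publisher name expected
# on the store page. Confirm each value against the vendor's own website.
OFFICIAL = {"avast": "Avast Software", "whatsapp": "WhatsApp LLC", "waze": "Waze"}
FEW_REVIEWS = 100  # assumed cut-off for "only a few" reviews
BAIT = re.compile(r"\b(5|five)[ -]?stars?\b.{0,60}\bactivat|\bwin\b.{0,30}\biphone", re.I | re.S)
FRAUD = re.compile(r"\b(fake|scam|fraud)", re.I)

def _squash(name):
    # Drop everything except letters and digits to expose look-alike names.
    return re.sub(r"[\W_]", "", name.casefold())

def impostor_signals(listing):
    """Return the warning signs raised by one store listing (a plain dict)."""
    flags = []
    title, dev = listing["title"].casefold(), listing["developer"]
    for brand, publisher in OFFICIAL.items():
        if brand not in title and brand not in dev.casefold():
            continue  # listing does not trade on this brand
        if dev == publisher:
            continue  # exact match with the expected publisher
        if _squash(dev) == _squash(publisher):
            flags.append(f"developer name imitates '{publisher}'")
        else:
            flags.append(f"'{brand}' app not published by '{publisher}'")
    ratings = [r["stars"] for r in listing["reviews"]]
    if ratings and len(ratings) < FEW_REVIEWS and min(ratings) >= 5:
        flags.append("few reviews, all glowing")
    reports = sum(1 for r in listing["reviews"] if r["stars"] <= 2 and FRAUD.search(r["text"]))
    if reports:
        flags.append(f"{reports} low-star review(s) call the app fake")
    if BAIT.search(listing["description"]):
        flags.append("description demands ratings or promises prizes")
    return flags

# Constructed sample listings (not real store data).
FAKE = {"title": "Avast Antivirus 2017", "developer": "DevTech Inc.",
        "description": "Rate us five stars to activate and win an iPhone X!",
        "reviews": [{"stars": 5, "text": "great"}, {"stars": 1, "text": "Fake, only ads"}]}
LOOKALIKE = {"title": "WhatsApp Messenger", "developer": "WhatsApp  LLC.",
             "description": "Simple messaging.", "reviews": [{"stars": 5, "text": "ok"}]}
GENUINE = {"title": "Avast Mobile Security", "developer": "Avast Software",
           "description": "Antivirus for Android.",
           "reviews": [{"stars": s, "text": "fine"} for s in (5, 4, 1) * 50]}

if __name__ == "__main__":
    for app in (FAKE, LOOKALIKE, GENUINE):
        print(app["title"], "->", impostor_signals(app) or "no signals")
```

The developer comparison is deliberately exact: a name that only matches the expected publisher after spacing and punctuation are stripped is reported as an imitation rather than accepted.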

Stay vigilant

The harmful effects from these imitation apps can vary from a nonstop deluge of ads to stealing money and personal info, but they all have one thing in common: they are all entirely illegal. Publishing fake apps is called “scamming” and it is punishable by law.

When you download these fake apps, you are in many cases putting money in the cybercriminals’ pockets. Every click can be monetized, and the more money they make, the more resources they can use to create more fake apps, and the cycle continues. Instead we simply recommend: keep away from fake apps.