
How to identify and avoid rogue applications: advice for users and companies

Applications are the bells and whistles of every device. They enrich our lives, acting as time fillers, personal health advisers or entertaining video-communication channels. And there are plenty to choose from.

As of June 2016, Android users can choose between 2.2 million apps, while Apple’s App Store offers 2 million, according to Statista. Yet app stores don’t just let anyone in. Apps are vetted to make sure they are safe to use: no backdoors, no malware.

However, security systems are not perfect. Carelessly built apps may go rogue and infiltrate official stores when they are repackaged to include malicious code that inserts ads so that hackers make a profit. These rogue apps usually dwell on unofficial app store websites or are distributed via email links. They rarely appear on legitimate app stores or websites, such as Google Play or iTunes. There are exceptions, though, as well as several third-party markets housing malicious apps.

Read about the fake desktop app that gives attackers full access to Mac systems.

Mobile apps

There are various types of rogue apps. Some are simply a nuisance (draining battery life or tying up CPU resources), while others are more dangerous (installing RATs for espionage or exploiting the SMS permission settings to send text messages to premium numbers). A malicious app dubbed HummingBad has taken hold of about 10 million Android phones around the world. The software takes full control of the device, collecting the owners’ personal data and clicking on ads in the process.

Avoid HummingBad and other rogue apps by making sure to:

  • Download apps from official app stores.
  • Refrain from downloading fake software, usually updates, sent in unsolicited emails.
  • Install a mobile security solution fitted to your device OS.
  • Check what permissions the app requires on your mobile device and block unnecessary ones.
  • Read reviews on the app store before installing a new app.
  • Don’t jailbreak your device unless you know how to protect it from threats and can take full responsibility for its security. The consequence of jailbreaking is disabling the “sandboxing” feature of iOS, an essential piece of the operating system’s security architecture. Read more about the negatives,

Facebook apps

Rogue applications are rife on Facebook. They use social engineering tricks to fool users into giving them permission to access their Facebook profile and thus, the ability to post links to pages or profiles. Their main objective is to drive traffic to revenue-generating survey scams.

Don’t accept apps without knowing what data they access and what actions they may take on your behalf.

App security in organizations


Mobility and BYOD in organizations brought real benefits to businesses, yet they’ve also widened the attack surface. Any device, be it laptop, smartphone or fitness tracker, can become a gateway for intrusion. That is why analyzing the security posture of apps is crucial to the integrity of the corporate network.

Vetting the security of a mobile application inside an organization starts with software assurance for apps. To provide it, organizations should develop security requirements that specify, for example, how data used by an app should be secured, the environment in which an app will be deployed, and the acceptable level of risk for an app. Nonetheless, the process is different in every organization, and so is the definition of risk.

Before an organization can implement a vetting process, it has to develop app security requirements, understand the limitations of the process, and dedicate time and money to testing. The audit is also performed with tools that check for software vulnerabilities, to derive vulnerability reports and risk assessments that will be used to evaluate and accept or reject an app.

Enterprises should also update their security awareness campaigns and advise employees to use approved sources and use a mobile security solution to block fake apps.

About the author

Alexandra GHEORGHE

Alexandra started writing about IT at the dawn of the decade - when an iPad was an eye-injury patch, we were minus Google+ and we all had Jobs. She has since wielded her background in PR and marketing communications to translate binary code to colorful stories that have been known to wear out readers' mouse scrolls. Alexandra is also a social media enthusiast who 'likes' only what she likes and LOLs only when she laughs out loud.