How to spot and avoid fake apps?

What do these apps have in common - WhatsApp, Waze, Uber, Telegram, Facebook and Avast?

It is said that imitation is the best form of flattery. All of these apps have fallen victim to their own success. Malicious developers have launched their own fake apps masquerading as these legit apps.

In 2017, a fake WhatsApp app was downloaded by more than a million people before being caught and taken down. A fake Facebook Messenger app was downloaded more than 10 million times!

These mischievous developers keep moving to new targets. Once their fake apps are taken down by the app stores (Google Play Store, Apple’s App Store or third-party Android app stores), they go after the next hot and trendy app.

With the millions of apps that are launched every month, it is impossible for the app stores to catch every fake app. They have made some good progress in identifying these apps early on, but they still have a long way to go.

What do these fake apps do?

Developers of these fake apps have different motives and no regard for others’ copyrights, trademarks and intellectual property rights. They develop apps to take pictures of you, steal your personal information and make money from you.

Telegram, a very popular messaging app, was recently the victim of a cybercriminal who created an app with a very similar logo and icon and named the app “Teligram” with an “I”. It was labelled as “New version updated” to fool people into thinking that it was an upgrade of an existing app. This specific version of the fake app showed full-screen ads and made money off these ad views/clicks. Another fake version of the Telegram app went a lot further by installing malware on your phone. This gave a hacker a backdoor to your phone or an ad clicker on your system.

Symantec recently discovered a fake Uber app where the developer recorded your phone number and password on their remote servers. The developers could then further compromise your other accounts and sell this information on the dark web.

A copycat gaming app, Cuphead, convinced people to pay $5 per download, the same price as the legit game. The issue is that this money didn’t support the many designers and developers who created the original game, so real revenue was siphoned away from them! You are putting money into the hands of these illegal app developers.

The danger from using fake apps is real and can result in a serious loss of privacy, financial loss, identity theft and worse.

Does Apple’s App Store have fake apps?

While the Android platform may attract more fake apps and related attention, iOS users are not immune to fake apps. Both Google Play Store and Apple’s App Store continue to improve their methods to detect fake apps as fast as possible, but invariably, some apps will slip through. Here is an article from the New York Times discussing what Apple is doing to prevent fake apps appearing on its App Store.

How to spot fake apps?

Scammers count on people being too busy to read the details and notice discrepancies between legit and fake apps. We all have to stay vigilant and spend a couple of extra minutes to do our due diligence before downloading ANY app.

  • Look at the icons of the app

If you find many apps with the same or similar icon as the app that you are searching for, that is a sign that you need to spend a few extra moments to analyze and identify the legit app. If the duplicates are not simply a Pro version alongside its free sibling app, then you need to examine the app name and developer’s name to identify the legit app.

[Image: Can you spot the fake Telegram app?]

  • Closely examine the App name and its metadata

Sometimes, you can find hints within the app name to raise suspicions. Look for extraneous words in the name of the app. In this example, the name of the app is “Update WhatsApp Messenger”. No one adds words like UPDATE to the name of the app, and this should raise some eyebrows for sure.

Looking beyond the app name, you will notice that this version of the app contains ads. A quick search on Google will reveal to you that WhatsApp is ad-free – at least for the moment.

Another hint is that this app is classified as a “Lifestyle” app. Messaging apps are usually found in the “Communications” category.

[Image: WhatsApp fake app data]

  • Check for the App Developer name

In the above WhatsApp example, it’s hard to identify the fake app from the developer’s name, as it is nearly indistinguishable from the real name. In this example, there is actually a white space at the end of the name which is not visible to the human eye. The extra space at the end makes it technically different from the real name. These guys were very cunning.

Most of the time, it is easier to spot fakers. In 2017, a fake Avast app was found with the developer name of “Lose Fat Secret Fitness Pal Avast Avira AVG Clean.” The fake SwiftKey app was developed by “Designer Superman”. Both are good examples that should raise red flags.

Another indicator is what other apps the developer has developed. Simply click on the developer name on the app store listing and you will see more apps from the same developer. You may spot inconsistencies in the types of apps developed by this person. Usually companies develop apps within a certain category. For example, a company developing a keyboard will probably not be developing an Uber-type app. They will probably develop other utilities.

  • Check the physical address and website of the developer

Does the developer provide a physical address of their business? At the bottom of the Additional information section of the app, you will find their physical address and their website. WhatsApp and other legitimate developers will provide their physical address, which can easily be verified on Google or from their own website.

Search for the developer’s website on Google and make sure that it’s the same site you reach when you click on their link from the app info page. If the URLs are different or the sites look different, then be suspicious!

  • Read the app reviews

Even fake apps have reviews (fake and real reviews). In general, the more reviews there are, the more likely it is to be a legit app. But if there are only a few reviews and all are highly rated, they could be fake reviews. In the case of the fake Avast app, a few people had noted it as a fraud app in the reviews. Some people clearly overlooked these warnings, as there were still some people who went ahead and downloaded the fake app.

  • Read the description and look at screenshots

While this step may take a little time, it can yield many clues about the legitimacy of the apps. Genuine app developers will use clear language to describe their app and its benefits with good and professional graphics to convey their messages.

To spot potential fake apps, pay attention to poor grammar, spelling mistakes, broken English, weird phrases and bot-like writing.

Similarly, take a look at the screenshots. While sometimes developers may copy some of the screenshots from the original app, they may add their own wording or phrases that might give them away.

  • Check for a high download count

This mainly helps to identify copycats of major and popular apps like Facebook or WhatsApp; it might not be a good indicator for a brand new app recently launched with a small download count. Nevertheless, it is another key piece of information to review. A popular app like WhatsApp, which has over 1 billion downloads, makes it easy to spot a fake WhatsApp with a few hundred or even a million downloads.

Is the app developer promising unrealistic performance or prizes? The fake Avast app forced you to give it a 5-star rating before letting you activate it! To incentivize you further, it said that it would enter you into a draw for a chance to win an iPhone X, which wasn’t available at the time. These are all red flags!
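The app name, developer name, category, ads and download-count checks above can be applied mechanically to a store listing's metadata. The following Python is an added example, not part of the original article; the reference developer string, the flag names, the 1% download threshold and the sample listing are assumptions constructed for illustration.

```python
import unicodedata
from difflib import SequenceMatcher

# Reference record for the genuine app. The developer string is an assumed
# value for illustration; category and download scale follow the article.
GENUINE = {"name": "WhatsApp Messenger", "developer": "WhatsApp Inc.",
           "category": "Communications", "downloads": 1_000_000_000,
           "has_ads": False}

def visible(text):
    """Casefold and drop whitespace, control and format characters."""
    text = unicodedata.normalize("NFKC", text).casefold()
    return "".join(c for c in text
                   if not c.isspace() and unicodedata.category(c) not in ("Cc", "Cf"))

def check_listing(listing, genuine=GENUINE):
    """Return red-flag codes for a listing compared with the genuine app."""
    flags = []
    name, ref = listing["name"], genuine["name"]
    words, ref_words = set(name.casefold().split()), set(ref.casefold().split())
    if name != ref:
        if ref_words < words:
            flags.append("name-extra-words")      # e.g. "Update ..."
        elif SequenceMatcher(None, visible(name), visible(ref)).ratio() >= 0.8:
            flags.append("name-lookalike")        # e.g. "Teligram"
        else:
            return []                             # unrelated app, nothing to compare
    dev, ref_dev = listing["developer"], genuine["developer"]
    if dev != ref_dev:
        same_glyphs = visible(dev) == visible(ref_dev)
        flags.append("developer-invisible-chars" if same_glyphs else "developer-mismatch")
    if listing["category"] != genuine["category"]:
        flags.append("category-mismatch")
    if listing["has_ads"] and not genuine["has_ads"]:
        flags.append("unexpected-ads")
    # Assumed threshold: under 1% of the genuine app's install count.
    if listing["downloads"] * 100 < genuine["downloads"]:
        flags.append("low-downloads")
    return flags

# Constructed sample listing modelled on the fake described in the article;
# the developer name ends in a no-break space (U+00A0).
FAKE = {"name": "Update WhatsApp Messenger", "developer": "WhatsApp Inc.\u00a0",
        "category": "Lifestyle", "downloads": 1_000_000, "has_ads": True}

if __name__ == "__main__":
    for flag in check_listing(FAKE):
        print(flag)
```

A plain string comparison of the two developer names would only say they differ; comparing them after stripping invisible characters is what separates a whitespace-padded impersonation from an unrelated publisher.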

How to prevent being a victim?

Whatever app is hot today will attract a lot of attention from bad actors. This is why you have to do your own due diligence when downloading new apps.

Over and above spotting fake apps, there are other steps we can take to ensure that we only download trusted apps from reliable stores. One easy way to protect yourself is to go to your Android settings and make sure you do not allow app downloads from untrusted sites. Search for the setting called “Trusted sites” or “Unknown sources” and ensure that it is set to not download from unreliable sources.

Supplement your app store search with a Google search of the app as well. Visit the app developer’s website and, if it looks legit, use the download links from their website to take you directly to the app page. Did you arrive at the same app page as from within the app store search? Does the app look legit?

When on the web, be sure that you are on a secure and encrypted app download page. Ensure that the URL contains HTTPS. If there is no “S”, then do not trust this page. If there is an “S” after HTTP, you will see either a lock icon or the word SECURE to indicate that this page is safe to download information from. This can minimize the chances of your web browser being hijacked by third parties and redirected to untrusted and insecure sites.

[Image: encrypted https page]

If the app looks fake or if you tried it and determined that it is fake, report the app as soon as possible. Scroll down to the Additional information for the app and click on “Flag as inappropriate”.

[Image: Report inappropriate app]

On the mobile phone, you will be presented with a screen with different options. Select “Copycat or impersonation” as your reason and submit.

[Image: phone reporting fake apps]

On the website, clicking on the Inappropriate link will take you to a Google Play help page, where you’ll need to click on the “report inappropriate developer reply form” link, and fill it out as per instructions.

[Image: Web site report fake app]

More recently, Google has started to take this issue more seriously and implemented “Google Play Protect” – a security system to verify apps in the Play Store. It scans apps upon submission to the Play Store by the developers. It will probably weed out a lot of the fake apps. It is still a new system that we hope will keep getting better at stopping malicious apps from creating a mess for people. With millions of apps added every month, even it will miss a few. In the meantime, we hope that you find these tips useful in identifying fake apps and protecting yourself from being spoofed into downloading them. Just remember that if something is too good to be true, it probably is!

Do you have any tips to add or any of your experiences that you can share to help others?