Rogue Mobile App

Rogue mobile apps are counterfeit apps that either mimic a trusted brand or carry malicious features that are not advertised. In both cases, the goal is to get unaware users to install the app so that sensitive information such as credit card data or login credentials can be stolen.

The usual way to install apps is through the official app store. By default, neither Android nor Apple’s iPhone allows users to install apps from unknown sources. However, this does not mean we can simply trust the official app store. SWITCH-CERT has been monitoring Apple’s App Store and Google Play for some time and has noticed that many rogue apps manage to sneak in, especially into Google Play.

Google Play

Attackers abuse Google’s weak app review procedure to sneak their rogue apps into Google Play. Counterfeit apps of Swiss brands can be found on a regular basis. Typically, such an app stays on Google Play for some time until it is removed following take-down requests from security researchers. Until that happens, unaware users are likely to install it and put their data at risk.

The screenshot below shows the apps found when searching for Bluewin. In recent months, Bluewin has been a common target for rogue counterfeit apps. The red circle marks the rogue app.

Play Store result for the search key word “Bluewin”

It is not always as easy as in the screenshot above to spot the rogue app. However, checking the reviews, looking at the developer’s address and, where possible, other apps from the same developer gives a good first indication.

Rogue Bluewin App

The rogue Bluewin app tries to steal the user’s email credentials. It is classic phishing, but instead of a fake email it starts with a fake app. The screenshots below show the app icon and the welcome screen of the rogue app.

The entered credentials are sent to an external URL from which the attacker collects the data.

Rogue App Monitoring

As an end user, it is important to always check the legitimacy of an app before installing it. Rogue apps are common even for Swiss brands (see also the article on the rogue Postfinance app on inside-it.ch).

For larger companies, we strongly recommend monitoring the official app stores for your brand. Whether you outsource this or do it yourself, the following tasks should be part of a rogue app monitoring service:

  • Monitor your brand in app stores
  • Ability to analyze apps
    • What is it doing?
    • Where does it communicate to?
  • Take down rogue apps from app stores
  • Take down app communication end points
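The first two tasks in the list above, brand monitoring and a first analysis of what was found, can be partly automated. The following Python script is an added example and not SWITCH-CERT’s own tooling: it triages a list of store search results against the IOC hashes published at the end of this article and against a brand allowlist. The allowlist (`OFFICIAL_PACKAGES`, `OFFICIAL_DEVELOPERS`), the watch terms and the sample search results are constructed assumptions for illustration; only the three MD5 hashes and package names come from the page.

```python
import hashlib
import re
from dataclasses import dataclass

# IOC hashes and package names exactly as listed on the page (MD5 of the APKs).
KNOWN_BAD_MD5 = {
    "31708e597d1cd7f72df63f45c47bc3e3": "com.brealmary.bluech",
    "2f8e945c52977f5a33f0afdba01721f7": "com.brealmary.devhouba",
    "2ca5a4496c93633ee00e404f364960c8": "ch.bluewemail",
}

# Hypothetical allowlist of what the brand owner really publishes (assumed, not from the page).
OFFICIAL_PACKAGES = {"ch.example.bluewin"}
OFFICIAL_DEVELOPERS = {"Example Brand AG"}
# Watch terms: normalised fragments a lookalike package id or developer name would contain.
BRAND_TERMS = ("bluewin", "bluew")


@dataclass
class StoreListing:
    """One hit from a store search: package id, developer name, MD5 of the downloaded APK."""
    package: str
    developer: str
    apk_md5: str


def md5_of_apk(apk_bytes: bytes) -> str:
    """MD5 of the APK bytes, in the lowercase hex form used by the IOC list."""
    return hashlib.md5(apk_bytes).hexdigest()


def _normalise(name: str) -> str:
    """Lowercase and strip separators so 'Blue-Win' and 'blue.win' match the same term."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def triage(listing: StoreListing) -> tuple[str, list[str]]:
    """Classify a listing as 'known-bad', 'official', 'suspicious' or 'unrelated', with reasons."""
    reasons: list[str] = []
    # 1. Exact IOC match beats every heuristic.
    if listing.apk_md5.lower() in KNOWN_BAD_MD5:
        reasons.append("APK hash matches IOC list")
        return "known-bad", reasons
    # 2. Package id and developer both match the brand owner's own publications.
    if listing.package in OFFICIAL_PACKAGES and listing.developer in OFFICIAL_DEVELOPERS:
        return "official", reasons
    # 3. Heuristics for lookalikes that have no IOC yet.
    pkg = _normalise(listing.package)
    dev = _normalise(listing.developer)
    if any(term in pkg for term in BRAND_TERMS):
        reasons.append("package id contains the brand name but is not on the allowlist")
    if any(term in dev for term in BRAND_TERMS) and listing.developer not in OFFICIAL_DEVELOPERS:
        reasons.append("developer name imitates the brand")
    if listing.package in OFFICIAL_PACKAGES and listing.developer not in OFFICIAL_DEVELOPERS:
        reasons.append("official package id published by an unknown developer")
    return ("suspicious" if reasons else "unrelated"), reasons


def scan(listings: list[StoreListing]) -> list[tuple[str, str, list[str]]]:
    """Return (package, verdict, reasons) for every listing that needs an analyst's attention."""
    flagged = []
    for listing in listings:
        verdict, reasons = triage(listing)
        if verdict in ("known-bad", "suspicious"):
            flagged.append((listing.package, verdict, reasons))
    return flagged


# Constructed search results for a brand query; not real store data.
SAMPLE_RESULTS = [
    StoreListing("ch.example.bluewin", "Example Brand AG", "0" * 32),
    StoreListing("ch.bluewemail", "Blue Win Apps", "2ca5a4496c93633ee00e404f364960c8"),
    StoreListing("com.brealmary.bluech", "brealmary", "31708e597d1cd7f72df63f45c47bc3e3"),
    StoreListing("com.other.weather", "Weather Co", "1" * 32),
    StoreListing("com.example.bluewin.mail", "BlueWin Team", "2" * 32),
]

if __name__ == "__main__":
    for package, verdict, reasons in scan(SAMPLE_RESULTS):
        print(f"{verdict:10} {package:30} {'; '.join(reasons)}")
```

The hash check catches apps already on the IOC list, while the name heuristics surface new lookalikes that use the brand term in the package id or developer name without being on the allowlist. Anything flagged still needs the manual checks described above (reviews, developer address, the developer’s other apps) before a take-down request is filed.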


IOCs

Recent Bluewin fake apps

MD5 hash	Package name
31708e597d1cd7f72df63f45c47bc3e3	com.brealmary.bluech
2f8e945c52977f5a33f0afdba01721f7	com.brealmary.devhouba
2ca5a4496c93633ee00e404f364960c8	ch.bluewemail

Article Link: https://securityblog.switch.ch/2019/01/30/rogue-mobile-app/