What is the difference between a real and fake app? Well, one is legitimate and one is malicious. You would think that this topic would be general knowledge at this point in our history of using IoT devices, but fake/malicious apps are on the rise – only because users are easy succumbing to social engineering.
Google and other app store owners are constantly removing fake apps from their perspective marketplaces to protect users, but this process is not immediate.
The easiest way into an organization is still the phishing email because the general security awareness of employees is still extremely low. In some of these emails, links to app downloads are becoming more prevalent – these downloads are prompted on the mobile device and open the app store. The general user would be inclined to download such an app as it would appear to be legitimate (as the app store was launched) and the image of the application would be a mirror copy of the legitimate version. These malicious app download requests may also come from SMS text messages and/or malicious ads installed by unsafe usage of the browser.
Please pay careful attention to what you are installing – if you are downloading an app (from the Play Store), ensure that the official source is Google. If you have an iPhone, you should be performing this similar action – ensure the official source of the app is Apple.
An easy tip to remember is to think before acting. This isn’t a new concept – you wouldn’t just cross a road without looking for cars/danger, you look then cross. The concept applies to the IoT, just because something looks legitimate, it doesn’t mean it is. Pay attention to what you are doing and spend a minute or two investigating an app before you download it. If you build a strong sense of security awareness when using personal devices, this mindset will be transferable to the workplace. Protect your devices by remaining situationally aware and informed.
Use anti-virus software and/or endpoint protection on your mobile device, simple steps in the right direction will be the difference between remaining safe or losing sensitive information.
We must be vigilant, we must be ready, and most of all, we must be educated!
Adam Zimmerman, Security Solutions Architect
With over six years of experience in the technology industry, Adam’s experience covers information security operations, cyber security advisory, penetration testing, and advanced exploitation. Adam’s primary focus is helping organizations build strong security practices and prepare for potential attacks.
Adam holds a Masters in IT Security from the University of Ontario Institute of Technology, where he successfully developed a malware classification tool with a security firm based in Ottawa. Additionally, he has worked on several cyber consulting engagements as a lead security researcher and was able to develop an exploit for the FAA’s NextGen Air Traffic Control Management System.
Adam currently serves in the Canadian Armed Forces as a Second Lieutenant where he holds a command position as a Troop Commander for 32 Combat Engineer Regiment of Toronto; specializing in mobility denial and facilitation, tactical breaching, controlled munitions disposal, and various humanitarian support operations.