Developers should watch out for App frauds



With the enormous uptake of mobile apps a new channel for online fraud has emerged. Unauthorised Mobile Apps impersonating a brand entice users to download and install them on their mobile devices.

According to a new report from fraud-detection firm Forensiq, as much as $1 billion of that advertising money is being lost to fraud in a number of ways—including malicious apps that hijack mobile phones and turn them into an ad-viewing botnet.

It makes up one of a growing list of fraudulent practices that are infecting the app market but are seldom discussed. For example, in the case of Android, the open source code has been exploited to “steal” downloads. By copying an Android app’s open code and creating an APK file out of it, you can essentially “own” the whole code within the app including, crucially, the tracking code. This APK code can then be linked to a website to create a self-standing “app store”, with real apps, detached from the real Google Play store. Fraudsters have recently taken this practice to the next level, now not only do they make money from downloads and in-app purchases, but also from hijacking the genuine marketing campaign for the app from an affiliate programme.

Forensiq said its research showed that more than 13% of total mobile app inventory was at risk, and 14% of all mobile apps on iOS, Android and Windows Mobile platforms. It observed more than 12 million unique devices with installed apps that exhibited fraudulent behaviour: about 1% of all devices it observed in the U.S. and between 2% and 3% of those in Europe & Asia. In addition to malicious apps, the company says it also saw some apps that don’t even display ads showing up in its scan of ad behaviour—including BlackBerry’s BBM messenger which suggests that other apps are spoofing their unique identifiers.

As people fight back, fraudsters become more sophisticated. To break this cycle, developers and companies need to discuss the fraudulent practices they have experienced openly and share their insights. Common knowledge and experience will help the developer community to counter fraudsters and predict practices that could emerge in the future.