Beware of Fake Tax Apps Pushing Malware This Tax Season

This guest blog was contributed by Krishna Vishnubhotla, Vice President Product Strategy, Zimperium

With tax season upon us, it is important to be hypervigilant about the tax apps we use, so that fake tax apps pushing malware are avoided at all costs.

Fake apps masquerade as legitimate apps and are designed to harvest user data and facilitate identity theft and payment redirection. Fake apps are mostly published on third-party app stores, outside of those natively available from the device manufacturer (e.g., the Google Play Store on Android or the App Store on iOS), but they can sometimes make their way onto first-party app stores, which is very worrisome. It’s no secret that bad actors will be using their shady tactics to exploit individuals doing their taxes this tax season.

With the rise of malware, it’s vital for CISOs and security professionals to continue to educate the community on the plethora of potential threats that exist and arise. For example, users may have their guard up when it comes to suspicious hyperlinks, emails, and unsecured Wi-Fi, but many let their guard down when it comes to malware in the form of applications.

Many ask how attackers might reverse engineer a legitimate tax app, and the answer is simple: an attacker only needs to install a reverse-engineering tool on their laptop. They then download the app of interest onto a specially equipped mobile device, obtain the app binary, and upload it to the tool. The software converts the binary back into human-readable source code for analysis. During the analysis, attackers may extract sensitive data embedded in the app, such as API keys, credentials, or URLs to backend services, which can be used to gain unauthorized access or to impersonate the app in phishing attacks. After understanding the app's structure, and possibly modifying it to include malicious code, attackers repackage it as a fake app. The fake app looks and functions similarly to the original but contains malicious functionality aimed at stealing personal or financial information. To paint a clear picture: for 150 dollars and 10 minutes, bad actors can get their hands on source code that cost an enterprise nine months and a million dollars to develop.

Fake apps often appear very similar to legitimate ones. Another question often asked is: what are the key red flags users should look for to identify a fake tax app, even if it seems to function properly?

Fake apps look real because real apps are very easy to reverse-engineer, as mentioned above, and most of today’s apps lack sufficient protection against it. App reviews and download counts can be manipulated just as easily as the app itself. Some key actions that users should bear in mind, and stay vigilant about, to remain as safe as possible are:

  1. Be sure to download the app from an official source, such as the Google Play Store or Apple App Store. This reduces the likelihood of an app being fraudulent.

  2. When an app requests payment through unconventional methods such as gift cards, wire transfers, or cryptocurrencies, be cautious.

  3. Pay attention to the permissions that the app requests during installation. For example, a tax app shouldn't need access to your contacts or your location. Excessive permissions are a huge red flag. Just take a moment and consider whether each permission makes sense for what the app does.

In addition to the above, it is vital to stay vigilant and watch for any unusual behavior after installation, for example the app sending unwanted messages or causing the device to malfunction. By paying attention to any unusual activity, you could save yourself and your data from falling into the hands of the bad actors looking to exploit them.