SAN FRANCISCO–Back-to-school time is being taken advantage of by online scammers, which means lessons for both credit unions and their members.
According to RiskIQ, threat actors’ primary objective is to drive as many downloads of their fake and compromised malicious mobile apps as possible, and few tactics are more reliable for doing that than leveraging holidays and other events, including the time of year when students are returning to school.
“A simple keyword search for ‘back to school’ inside the RiskIQ platform returns 9,343 active mobile apps, 1,182 (12.7%) of which are blacklisted,” the company said, noting that such malicious apps come in many different languages and cover just about everything—games, informational services, device themes—even apps that help you “cheat on your exams.”
The company cautioned that it isn’t just members at risk, as criminals can highjack a credit union’s brand as part of a back-to-school scam, as well.
RiskIQ said it uses its crawling platform to monitor over 120 mobile app stores around the world while leveraging approximately two-billion daily scanned resources to look for mobile apps in the wild, which it said provides insight into how mobile threat actors are getting their “back to school” malicious apps to consumers. It noted that despite its relatively good reputation, the Google Play Store led app stores in total blacklisted applications in Q2 by hosting 333 of the blacklisted “back to school” apps.
According to RiskIQ, here’s what to look for when trying to avoid these malicious apps:
- Permissions for Malicious Mobile Apps can be Sketchy. “If an app’s permissions are not congruous with the functions it claims to provide, you should be suspicious. For example, does an app really need access to your phone calls, SMS messages, or billing to serve its purpose?”
- Beware of Developers Using Free Email Services. RiskIQ said its Threat Research Team sees a rise in free email services such as Hotmail, Gmail, and Yahoo! being used as the contact address for the developer of blacklisted applications. “Consumers are advised to be aware of who they expect the app to come from, and verify that the contact of the app they’re downloading is legitimate. For instance, the contact for an app purporting to be from a well-known brand will not be john.smith@yahoo.com.”
- Don’t Take Their Word for It. “Just because an app appears to have a good reputation doesn’t make it so. Rave reviews can be forged, and a high number of downloads can simply indicate a threat actor was successful in fooling victims.”