As Black Friday approaches, security companies are rushing to sound clarion alarms around the risks facing users. RiskIQ is the latest vendor to publish a report looking at the risks shoppers face. The Black Friday eCommerce Blacklist shows how many fake apps are waiting to trap the unwary. Many of those apps are focused on the top retail brands.
RiskIQ maintains its own Global Blacklist of malicious websites and mobile apps. According to RiskIQ: “The source of RiskIQ’s Blacklists is our collection of internet data, which our collection architecture of virtual users gathers by scanning, crawling, and passive sensing the internet—including web pages, mobile apps and stores, and a variety of social websites and apps. RiskIQ’s crawling technology covers more than 300 million mobile devices, 1.8 billion HTTP sessions, 783 global locations across more than 100 countries, 16 million mobile apps, and 300 million domain records.”
RiskIQ searched its data for apps focused on Black Friday. It discovered that 10% of the apps were already marked as malicious in its database. When it refined the search to focus on the top five US-based e-tailers it found:
- Brand 1: 12,971 Total, 1,093 blacklisted (8.4%)
- Brand 2: 2,911,141 Total, 410,094 blacklisted (14%)
- Brand 3: 39,443 Total, 6,367 blacklisted (16.1%)
- Brand 4: 770,380 Total, 112,254 blacklisted (14.6%)
- Brand 5: 3,121,706 total, 470, 522 blacklisted (15%)
These numbers should worry both the retail organisations and users. It means that there is a reasonable chance of users downloading apps that will cause them significant harm. The apps are not just about installing malware on local devices. Many of them are designed to steal banking and credit card information as well.
RiskIQ suggests that users focus on apps from the official Apple and Google app stores. It admits that while they have been caught hosting malicious apps they are stopping a lot more getting through. It is making four recommendations for users to help keep themselves safe online:
Ensure that you are only downloading apps from official app stores such as Google or Apple.
Be wary of applications that ask for suspicious permissions, like access to contacts, text messages, administrative features, stored passwords, or credit card info.
Just because an app appears to have a good reputation doesn’t make it so. Rave reviews can be forged, and a high amount of downloads can simply indicate a threat actor was successful in fooling a lot of victims. Before downloading an app, be sure to take a look at the developer—if it’s not a brand you recognize or has a strange appearance or spelling, think twice. You can even do a Google search on the developer for more clues about its reputation.
Make sure to take a deep look at each app. New developers, or developers that leverage free email services (e.g., @gmail) for their developer contact, can be enormous red flags—threat actors often use these services to produce mass amounts of malicious apps in a short period. Also, poor grammar in the description highlights the haste of development and the lack of marketing professionalism that are hallmarks of mobile malware campaigns.
Conclusion
Alibaba broke all records for online trading with this years Singles Days sale. This will have excited a lot of online retailers as they head into Black Friday and Cyber Monday. Shoppers will also be looking for a lot of pre-Christmas bargains. To accommodate them, some retailers are not just running a four day event but are planning a two week sale. With Christmas just over a month away it is likely that some retailers will keep their sales going right the way through to January.
All of this will entice shoppers online. With so many fake apps and malicious websites out there it may not be just the retailers that get a Christmas bonus.
