Malicious code: How apps become tools for scammers

When downloading mobile applications, they often request access to a lot of unnecessary data, such as photos, cameras, contacts, and so on. As information security experts told Izvestia, through such collection of unnecessary information, fraudsters can steal user data — applications potentially open attack scenarios to intruders. Moreover, this applies not only to deliberately malicious products, but also to ordinary ones, downloading which people may encounter fraudulent actions through their vulnerabilities. How to protect yourself from such malicious actions is in the Izvestia article.

How does the data collection mechanism work?

Mobile applications have become an integral part of the life of every smartphone user, they are used for financial management, navigation, work and entertainment. During installation, people often encounter requests for access to various functions of the device — camera, microphone, contacts, geolocation, and others. Many of these permissions may seem redundant for the functionality of the service. And here it is important for users to understand who exactly made this request: the official developer or an attacker got into the program.

Developers themselves may request access to additional smartphone functions for several reasons. This is often due to the need to improve performance, increase user convenience, or integrate third-party services, said Yuri Shabalin, Stingray Product Director at AppSec Solutions.

— For example, the permission to access calls can be used to automatically fill in registration data, check the network status, or identify the user by phone number. Access to contacts is sometimes used to facilitate inviting friends to the app, even if it is not directly intended for communication, the expert said.

Photo: IZVESTIA/Andrey Erstrem

However, the services also request other data, and hackers can already use permission for additional functions. We are talking about any applications, both deliberately fraudulent and official, that an attacker can enter and steal data through additional access to the device's functionality.

Getting personal: Why biometrics were needed in popular apps

The new level of protection creates a risk of data leakage

Yuri Shabalin noted that if, for example, a calculator or notes are asked to give access to SMS messages, then this is a reason to think seriously, because these applications do not need such information to work on the phone.

— In this case, hackers, upon successful attack, can intercept confirmation codes for logging into banking applications or personal accounts. Access to geolocation can reveal information about the user's location. There was such a precedent a few years ago with the Shazam service," he said.

Photo: IZVESTIA/Sergey Konkov

In particular, as foreign media reported, in 2018-2019, a vulnerability was discovered that could allow attackers to find out the location of a potential victim. At that time, it affected more than 100 million users.

Ashot Oganesyan, founder of DLBI, a data leak intelligence and darknet monitoring service, believes that most applications require such permissions to operate advertising systems that ensure their monetization, since they really need geolocation and a microphone to personalize ads.

"As for fraudulent applications, they more often require access to the screen, notifications and messages in order to control user actions, for example, intercept SMS authorization codes, delete real or send fake push notifications," the expert explained.

How can a user protect themselves

The collection of redundant data by applications is a common problem that every user should be aware of. Programs often request access to a camera, contacts, microphone, or geolocation without an obvious need, said Anton Nemkin, a member of the State Duma Committee on Information Policy, Information Technology, and Communications. Such requests are explained either by the desire of developers to collect data for marketing analysis and subsequent monetization, or — in the worst cases — by attempts by intruders to gain access to personal information.

— To minimize risks, it is necessary to carefully check which permissions the application requests and ask yourself whether they are really necessary for the program to work. For example, a mobile photo processing application does not need access to a microphone or contacts," the deputy said.

Photo: IZVESTIA/Alexander Kazakov

According to him, it is better to install programs only from official stores, read reviews and pay attention to the reputation of the developer. You should also check your device settings regularly and revoke unnecessary permissions from previously installed services. In addition, it is important to use antivirus software for mobile devices and update the operating system and applications themselves in a timely manner.

— Fraudsters often use vulnerabilities in outdated software versions to attack. Vigilance, a critical approach to permissions, and compliance with basic cybersecurity rules will help significantly reduce risks and protect your personal data,— Anton Nemkin added.

Anna Vyatnikina, an analyst at the research group of the Positive Technologies analytics department, recommends carefully checking which permissions the application requests and giving access only to those functions that are really necessary. In addition, it is useful to delete unnecessary applications — the fewer they are, the lower the risks, the expert concluded.