McAfee 2023 Consumer Mobile Threat Report

Smartphones put the proverbial world in the palm of your hand—you pay with it, play with it, keep in touch with it, and even run parts of your home with it. No wonder hackers and scammers have made smartphones a target. A prime one. 

Each year, our Consumer Mobile Threat Report uncovers trends in mobile threats, which detail tricks that hackers and scammers have turned to, along with ways you can protect yourself from them. For 2023, the big trend is apps. Malicious apps, more specifically.  

Malicious and fake apps 

Malicious apps often masquerade as games, office utilities, and communication tools. Yet now with the advent of a ChatGPT AI chatbot and the DALL-E 2 AI image generator, yet more AI-related malicious apps have cropped up to cash in on the buzz. 

And money is what it’s all about. Hackers and scammers generally want your money, or they want your data and personal info that they can turn into money. Creating fraudulent ads, stealing user credentials, or skimming personal information are some of the most common swindles that these apps try. Much of this can happen in the background, often without victims knowing it. 

How do these apps end up on people’s phones? Sometimes they’re downloaded from third-party app stores, which may not have a rigorous review process in place to spot malicious apps—or the third-party store may be a front for distributing malware-laden apps. 

They also find their way into legitimate app stores, like Apple’s App Store and Google Play. While these stores indeed have review processes in place to weed out malicious apps, hackers and scammers have found workarounds. Sometimes they upload an app that’s initially clean and then push the malware to users as part of an update. Other times, they embed the malicious code so that it only triggers once it’s run in certain countries. They will also encrypt bad code in the app that they submit, which can make it difficult for stores to sniff out.  

In all, our report cites several primary ways how hackers and scammers are turning to apps today: 

• Sliding into your DMs: 6.2% of threats that McAfee identified on Google during 2022 were in the communication category, mainly malware masqueraded as SMS and messaging apps. But even legitimate communication apps can create an opportunity for scammers. They will use fraudulent messages to trick consumers into clicking on a malicious link, trying to get them to share login credentials, account numbers, or personal information. While these messages sometimes contain spelling or grammar errors or use odd phrasing, the emergence of AI tools like ChatGPT can help scammers clean up their spelling and grammar mistakes, making it tougher to spot scam messages by mistakes in the content. The severity of these Communication threats is also evident in the volume of adults (66%) who have been messaged by a stranger on social media, with 55% asked to transfer money. 
• Taking advantage of Bring Your Own Device policies: 23% of threats that McAfee identified were in the app category of tools. Work-related apps for mobile devices are great productivity boosters—categories like PDF editors, VPNs, messaging managers, document scanners, battery boosters, and memory cleaners. These types of apps are targeted for malware because people expect the app to require permissions on their phone. Scammers will set up the app to ask for permissions to storage, messaging, calendars, contacts, location, and even system settings, which scammers to retrieve all sorts of work-related information.  
• Targeting teens and tween gamers with phones: 9% of threats that McAfee identified were casual, arcade, and action games. Malicious apps often target things that children and teens like, such as gaming, making videos, and managing social media. The most common types of threats detected within the gaming category in 2022 were aggressive adware—apps that display excessive advertisements while using the app and even when you’re not using it. It’s important to make sure that kids’ phones are either restricted from downloading new apps, or that they’re informed and capable of questioning suspicious apps and identifying fraudulent ones. 

How you can avoid downloading malicious and fake apps 

For starters, stick with legitimate apps stores like Google Play and Apple’s App Store, which have measures in place to review and vet apps to help ensure that they are safe and secure. And for the malicious apps that sneak past these processes, Google and Apple are quick to remove malicious apps once discovered, making their stores that much safer. 

1) Review with a critical eye.

As with so many attacks, hackers rely on people clicking links or tapping “download” without a second thought. Before you download, take time to do some quick research. That may uncover some signs that the app is malicious. Check out the developer—have they published several other apps with many downloads and good reviews? A legit app typically has quite a few reviews, whereas malicious apps may have only a handful of (phony) five-star reviews. Lastly, look for typos and poor grammar in both the app description and screenshots. They could be a sign that a hacker slapped the app together and quickly deployed it. 

2) Go with a strong recommendation.

Yet better than combing through user reviews yourself is getting a recommendation from a trusted source, like a well-known publication or from app store editors themselves. In this case, much of the vetting work has been done for you by an established reviewer. A quick online search like “best fitness apps” or “best apps for travelers” should turn up articles from legitimate sites that can suggest good options and describe them in detail before you download. 

3) Keep an eye on app permissions.

Another way hackers weasel their way into your device is by getting permissions to access things like your location, contacts, and photos—and they’ll use sketchy apps to do it. So, check and see what permissions the app is requesting. If it’s asking for way more than you bargained for, like a simple game wanting access to your camera or microphone, it may be a scam. Delete the app and find a legitimate one that doesn’t ask for invasive permissions like that. If you’re curious about permissions for apps that are already on your phone, iPhone users can learn how to allow or revoke app permission here, and Android can do the same here. 

4) Protect your smartphone with security software.

With all that we do on our phones, it’s important to get security software installed on them, just like we install it on our computers and laptops. Whether you go with comprehensive online protection software that secures all your devices or pick up an app in Google Play or Apple’s App Store, you’ll have malware, web, and device security that’ll help you stay safe on your phone.  

5) Update your phone’s operating system.

Together with installing security software, keeping your phone’s operating system up to date can help to keep you protected from most malware. Updates can fix vulnerabilities that hackers rely on to pull off their malware-based attacks—it’s another tried and true method of keeping yourself safe and your phone running great too. 

Protecting yourself while using apps 

Who can you trust? As for scammers who use legitimate communications apps to lure in their victims, McAfee’s Mobile Research team recommends the following: 

• Be suspicious of unsolicited emails, texts, or direct messages and think twice before you click on any links. 
• Ensure that your mobile device is protected with security solutions that includes features to monitor and block potentially malicious links, such as the web protection found in our own online protection software. 
• Remember that most of these scams work because the scammer creates a false sense of urgency or preys on a heightened emotional state. Pause before you rush to interact with any message that is threatening or urgent, especially if it is from an unknown or unlikely sender. 
• If it’s too good to be true, it probably is. Whether it’s a phony job offer, a low price on an item that’s usually expensive, a stranger promising romance, or winnings from a lottery you never entered, scammers will weave all kinds of stories to steal your money and your personal information. 

Get the full story with our Consumer Mobile Threat Report 

The complete report uncovers yet more mobile trends, such as the top mobile malware groups McAfee identified in 2022, predictions for the year ahead, ways you can keep your children safer on their phones, and ways you can keep yourself safer when you use your phone for yourself and for work.  

The full report is free, and you can download it here. 

The post McAfee 2023 Consumer Mobile Threat Report appeared first on McAfee Blog.

Cybercrime’s Most Wanted: Four Mobile Threats that Might Surprise You

It’s hard to imagine a world without cellphones. Whether it be a smartphone or a flip phone, these devices have truly shaped the late 20th century and will continue to do so for the foreseeable future. But while users have become accustomed to having almost everything they could ever want at fingertips length, cybercriminals were busy setting up shop. To trick unsuspecting users, cybercriminals have set up crafty mobile threats – some that users may not even be fully aware of. These sneaky cyberthreats include SMSishing, fake networks, malicious apps, and grayware, which have all grown in sophistication over time. This means users need to be equipped with the know-how to navigate the choppy waters that come with these smartphone-related cyberthreats. Let’s get started.

Watch out for SMSishing Hooks

If you use email, then you are probably familiar with what phishing is. And while phishing is commonly executed through email and malicious links, there is a form of phishing that specifically targets mobile devices called SMSishing. This growing threat allows cybercriminals to utilize messaging apps to send unsuspecting users a SMSishing message. These messages serve one purpose – to obtain personal information, such as logins and financial information. With that information, cybercriminals could impersonate the user to access banking records or steal their identity.

While this threat was once a rarity, its the rise in popularity is two-fold. The first aspect is that users have been educated to distrust email messages and the second is the rise in mobile phone usage throughout the world. Although this threat shows no sign of slowing down, there are ways to avoid a cybercriminal’s SMSishing hooks. Get started with these tips:

1. Always double-check the message’s source. If you receive a text from your bank or credit card company, call the organization directly to ensure the message is legit.
2. Delete potential SMSishing Do not reply to or click on any links within a suspected malicious text, as that could lead to more SMSishing attempts bombarding your phone.
3. Invest in comprehensive mobile security. Adding an extra level of security can not only help protect your device but can also notify you when a threat arises.

Public Wi-Fi Woes  

Public and free Wi-Fi is practically everywhere nowadays, with some destinations even having city-wide Wi-Fi set up. But that Wi-Fi users are connecting their mobile device to may not be the most secure, given cybercriminals can exploit weaknesses in these networks to intercept messages, login credentials, or other personal information. Beyond exploiting weaknesses, some cybercriminals take it a step further and create fake networks with generic names that trick unsuspecting users into connecting their devices. These networks are called “evil-twin” networks. For help in spotting these imposters, there are few tricks the savvy user can deploy to prevent an evil twin network from wreaking havoc on their mobile device:

1. Look for password-protected networks. As strange as it sounds, if you purposely enter the incorrect password but are still allowed access, the network is most likely a fraud.
2. Pay attention to page load times. If the network you are using is very slow, it is more likely a cybercriminal is using an unreliable mobile hotspot to connect your mobile device to the web.
3. Use a virtual private network or VPN. While you’re on-the-go and using public Wi-Fi, add an extra layer of security in the event you accidentally connect to a malicious network. VPNs can encrypt your online activity and keep it away from prying eyes. 

Malicious Apps: Fake It till They Make It

Fake apps have become a rampant problem for Android and iPhone users alike. This is mainly in part due to malicious apps hiding in plain sight on legitimate sources, such as the Google Play Store and Apple’s App Store. After users download a faulty app, cybercriminals deploy malware that operates in the background of mobile devices which makes it difficult for users to realize anything is wrong. And while users think they’ve just downloaded another run-of-the-mill app, the malware is hard at work obtaining personal data.

In order to keep sensitive information out of the hands of cybercriminals, here are a few things users can look for when they need to determine whether an app is fact or fiction:

1. Check for typos and poor grammar. Always check the app developer name, product title, and description for typos and grammatical errors. Often, malicious developers will spoof real developer IDs, even just by a single letter or number, to seem legitimate.
2. Examine the download statistics. If you’re attempting to download a popular app, but it has a surprisingly low number of downloads, that is a good indicator that an app is most likely fake.
3. Read the reviews. With malicious apps, user reviews are your friend. By reading a few, you can receive vital information that can help you determine whether the app is fake or not.

The Sly Operation of Grayware

With so many types of malware out in the world, it’s hard to keep track of them all. But there is one in particular that mobile device users need to be keenly aware of called grayware. As a coverall term for software or code that sits between normal and malicious, grayware comes in many forms, such as adware, spyware or madware. While adware and spyware can sometimes operate simultaneously on infected computers, madware — or adware on mobile devices — infiltrates smartphones by hiding within rogue apps. Once a mobile device is infected with madware from a malicious app, ads can infiltrate almost every aspect on a user’s phone. Madware isn’t just annoying; it also is a security and privacy risk, as some threats will try to obtain users’ data. To avoid the annoyance, as well as the cybersecurity risks of grayware, users can prepare their devices with these cautionary steps:

1. Be sure to update your device. Grayware looks for vulnerabilities that can be exploited, so be sure to always keep your device’s software up-to-date.
2. Beware of rogue apps. As mentioned in the previous section, fake apps are now a part of owning a smartphone. Use the tips in the above section to ensure you keep malicious apps off of your device that may contain grayware.
3. Consider a comprehensive mobile security system. By adding an extra level of security, you can help protect your devices from threats, both old and new.

The post Cybercrime’s Most Wanted: Four Mobile Threats that Might Surprise You appeared first on McAfee Blog.

Beware bogus Betas – cryptocoin scammers abuse Apple’s TestFlight system

"Install this moneymaking app" - this one is so special that it isn't available on Google Play or the App Store!