Stay Safe This Tax Season: Fake Tax Apps Pushing Malware on the Rise

By Krishna Vishnubhotla [ Join Cybersecurity Insiders ]
2424

[By: Krishna Vishnubhotla, Vice President Product Strategy, Zimperium]

Tax Day is just around the corner and it is vital for individuals and businesses to be hypervigilant of the tax apps we choose as there has been a significant rise in fake tax apps pushing malware. To keep your personal and financial information safe, these apps should be avoided at all costs.

Designed to harvest users’ data and make identity theft and payment redirection successful, bad actors are increasing their use of fake apps masquerading as legitimate ones. Typically, fake apps are mostly found on third-party app stores, but they can make their way onto first party app stores like the App Store on iOS and the Google Play Store on Android. Many ask, what are some additional security measures to take to minimize risk of downloading a fake tax app and the answer is, it all starts right at the beginning. Sticking to reputed brands is crucial, even if they cost a little more – it is worth the expense. Most fake apps draw users via social engineering with free, super-low costs and other promotions. Don’t fall for it. If this is a new service you are trying because friends or family recommended it, it is advisable to do your own research and, more importantly, be conscious of any and all red flags. This piece will dive into the various ways bad actors are leveraging fake apps to exploit innocent victims.

A common question we have been frequently asked is can fake apps use official tax filing APIs?

The answer unfortunately is yes, they can if the APIs are not appropriately secured. Most APIs validate the requester’s identity and the message’s basic structure. But on a mobile, you can spoof both. Reversing the app allows attackers to identify all the APIs used in the app and then build fake apps that can mimic a legitimate request. 

 

So, how do bad actors design fake tax apps to steal or redirect tax payments intended for legitimate authorities? Fake apps look real because real apps are very easy to reverse-engineer. Users download apps from the official stores and reverse them with readily available tools. It is not reasonable to expect the app stores to identify a malicious actor and stop the download. Zimperium research shows that most apps today lack sufficient protection from reverse engineering and tampering.

 

Here is what Zimperium’s research of the popular tax apps shows:

  • 30% of iOS apps were identified as having a high-security risk 

  • 15% of iOS apps were identified as having a medium privacy risk

  • 80% of Android apps were identified as having a high-security risk

  • 26% of Android apps were identified as having a high privacy risk

 

In addition, here are five common mistakes we see tax apps making:

  1.  The app lets web scripts access its internal functions, which can be misused.

  2. The app can run powerful commands that, if misused, especially on rooted devices, could give attackers control over the device.

  3. The app allows running web scripts that could be harmful if tampered with.

  4. The app uses hidden permissions, allowing malicious apps to exploit its features.

  5. The app can download new code from the internet, risking unwanted changes or malicious updates.

 Since teams are more motivated to release  apps quickly rather than ensuring apps are secured first, they tend to do the bare minimum regarding security.  As such, with the rise of malware, it is essential for CISOs, business leaders and security professionals to keep educating the community on the plethora of potential threats that exist and arise front of mind.  

As with anything, staying vigilant and keeping a close eye on any unusual behavior after installing an app, will protect you and your precious data. For example, the app sending unwanted / suspicious messages or an app that is randomly causing a device malfunction. By paying attention to any unusual activity, you could save yourself from falling victim to bad actors looking for their pay day this tax season.

Ad

No posts to display