A New Reminder to Watch Which Apps You Download

January 1, 2024 / meritsolutions

As a general rule of thumb, it’s important to exercise caution when downloading apps onto your devices. Whether you’re using a PC for work, or a personal smartphone, malicious apps from your device’s marketplace can steal data and infect your system.

This is great advice especially when looking at apps and software on various websites across the internet. These sites will happily let you download their programs, but as there is very little regulation or control in this process, you run the risk of installing something nefarious on your device. That’s why companies like Apple and Google always recommend you download your apps through their official app stores, since they have their own process for vetting developers.

But this system isn’t foolproof: While downloading apps from the Google Play Store is generally more secure than downloading programs from random websites, there is still a risk those Play Store apps aren’t what they advertise themselves to be. Unfortunately, it’s become all too common to see stories in the news about apps purporting to offer a legitimate service, only to find these programs siphoning your data to some remote server, or using your device’s resources to mine bitcoin.

Malware like Chameleon hides within “legitimate” apps

The latest example of this type of activity comes to us from the banking malware Chameleon. This malware started in Australia and Poland, but was recently seen targeting users in Italy and the U.K., indicating the malware may be spreading throughout Europe.

When downloaded, Chameleon tricks users into giving the malware Accessibility permissions. Usually, Android 13 and Android 14 users don’t have to worry about this type of attack, since the new “Restricted setting” blocks malware from performing malicious activities on your device’s screen. But if you follow Chameleon’s on-screen prompts to allow it permission, it has the ability to perform these actions.

Chameleon uses its access to Android’s accessibility service to steal your data, as well as to carry out overlay attacks, a form of attack in which a malicious program draws its own content on top of another, possibly legitimate, app.

Malware like Chameleon hides in “legitimate” apps. When you download and install these apps on your device, like an Android smartphone, the malware can get to work in the background, wreaking havoc on your personal privacy and the sensitive data of your business. In Chameleon’s case, the malware ties itself to fake versions of the Google Chrome app. Of course, if you download Chrome from Google’s official site, or from Google’s official page on the Play Store, you have nothing to worry about.

However, the issue comes with malicious apps pretending to be Chrome. You might encounter these on the Play Store, with apps cleverly masquerading as Google’s official browser, but Google is likely more sensitive to fake versions of its apps on its own marketplace. More likely, these malicious versions of Chrome are coming from third-party sites: You might google “Google Chrome,” click a link that looks legitimate, then end up downloading an illegitimate version of the app with Chameleon attached.

How to protect your business data from malicious apps

The best way to avoid malware like Chameleon is to keep away from the app it’s attached to. While that’s easier said than done, there are some tips to keep you protected.

First, always make sure you’re downloading an app from its official source. When looking for Google Chrome, for example, ensure you go to Google’s site, not a third-party link. Instead of clicking the ads that appear in a Google search, which can lead to malicious sites, look for Google’s URL and choose that. If on a mobile platform like Android, opt for the Play Store for your apps, rather than a third-party site or marketplace.

When on the Play Store, however, vet each app you download before you install it. Make sure the description matches the purpose of the app, and that all spelling and grammar seems right. If the app isn’t what it says it is, there should be some signs upon deeper investigation.
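The two warning signs described above, a copy of an official app that did not come from the Play Store and a sideloaded app that has been granted Accessibility, can be checked on a managed Android device. The following is an added example, not code from the original post or from any vendor: it parses constructed samples of the output of `adb shell pm list packages -i` and `adb shell settings get secure enabled_accessibility_services`; the package names in the samples and the `EXPECTED_FROM_PLAY` allow-list are hypothetical.

```python
import re

PLAY_STORE = "com.android.vending"   # installer package name of the Play Store
EXPECTED_FROM_PLAY = {"com.android.chrome"}  # hypothetical admin allow-list

# Constructed sample of `adb shell pm list packages -i` (not a real device).
PM_LIST = """\
package:com.android.chrome  installer=null
package:com.example.chromeupdate  installer=null
package:com.example.notes  installer=com.android.vending
package:com.google.android.marvin.talkback  installer=com.android.vending
"""

# Constructed sample of `settings get secure enabled_accessibility_services`.
ENABLED_A11Y = (
    "com.example.chromeupdate/com.example.chromeupdate.AccService:"
    "com.google.android.marvin.talkback/.TalkBackService"
)

def parse_pm_list(text):
    """Map package name -> installer ('null' means sideloaded or unknown)."""
    pkgs = {}
    for line in text.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if m:
            pkgs[m.group(1)] = m.group(2)
    return pkgs

def parse_a11y(value):
    """Set of package names that have an enabled Accessibility service."""
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}

def find_suspicious(pm_text, a11y_value):
    """Return sorted (package, reason) pairs that deserve a closer look."""
    pkgs = parse_pm_list(pm_text)
    a11y = parse_a11y(a11y_value)
    flagged = []
    for pkg, installer in pkgs.items():
        if installer == PLAY_STORE:
            continue  # came through the vetted store; out of scope for this check
        if pkg in EXPECTED_FROM_PLAY:
            flagged.append((pkg, "official app not installed from Play Store"))
        if pkg in a11y:
            flagged.append((pkg, "sideloaded app with Accessibility enabled"))
    return sorted(flagged)

if __name__ == "__main__":
    for pkg, reason in find_suspicious(PM_LIST, ENABLED_A11Y):
        print(f"{pkg}: {reason}")
```

Preinstalled system apps also report `installer=null`, so on a real device exclude them (for example with the `-s` listing) before applying these checks.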
