En español | There’s a frightening reality when it comes to fraud: The bad guys generally know where to find you. And crooks are snookering victims through myriad apps that people willingly download onto their smartphones.
App fraud takes different forms. Some apps carrying malware or malicious code are copycats, if not outright fakes. Some provide what is promised in their descriptions but lure you with free trials that quickly convert into costly and difficult-to-cancel subscriptions. Some fleece consumers for services that are free or inexpensive elsewhere.
And sometimes fraudsters exploit perfectly legitimate apps from reputable developers for nefarious purposes — to steal your data, identity or money.
“Facebook started with good intentions to connect people from all over the world, but we know it’s a hotbed for scams. Same with LinkedIn, Instagram, Words With Friends, any of those spaces,” says Amy Nofziger, director of victim support for the AARP Fraud Watch Network. “Where people are at, the scammers will meet you there, and they will use them to their advantage.”
Folks download apps for lots of swell reasons: convenience, entertainment, social networking, utility and because they may even save money. The prevalence of apps fraud is not a reason to ditch them. But neither should you have a false sense of security because you are using an app rather than patrolling cyberspace on your PC or reading suspicious emails, situations in which you may have been conditioned to be more cautious.
Here are some of the warning flags of potentially fraudulent apps, along with steps to minimize the risk.
Consider where the app came from
“The biggest threat as far as getting a downright malicious app is getting it from a website instead of an app store,” says Christopher Budd, senior global threat communications manager at Avast, a digital security firm headquartered in the Czech Republic. Budd strongly recommends sticking with Apple’s App Store for iOS, and the Google Play Store for Android.
Even so, the risks are generally elevated on Android, experts suggest. Apple makes app developers go through tighter hoops before inviting them into its App Store. It remains to be seen what effect, if any, a federal judge's ruling on Sept. 10 allowing app developers to circumvent Apple's App Store payment system might have.
Android apps have a potentially less secure “open source” flavor. Open source software can be modified and shared because its design is publicly available. Historically if an Android version of a popular iOS app lagged, “the bad people would jump in during that window of opportunity and start offering their malicious lookalike for Android before the actual legitimate one came out,” Budd said.
But even Apple concedes that its App Store isn’t 100 percent immune from fraud. Nearly 2 percent of the 1,000 highest-grossing apps on the App Store are scams, according to a recent Washington Post analysis. Consumers were bilked out of an estimated $48 million.
Apple said it prevented more than $1.5 billion potentially fraudulent transactions in 2020 and rejected more than 48,000 apps for containing hidden or undocumented features and more than 150,000 for being spam, copycats or misleading.
Join today and get instant access to discounts, programs, services, and the information you need to benefit every area of your life.
Carefully investigate what’s free
“Freemium” apps encourage users to spend money for extra features, to remove advertising or advance in a game. Scammers aren’t exactly transparent about your financial obligations.
“Dig in on the store site to see what the payment requirements are,” Budd says. Closely examine the terms and conditions and in-app purchase descriptions, and be on the lookout for recurring charges. Make sure you are also aware of deadlines before payments begin. Report abuses.
Periodically review what subscriptions you have. On an iPhone, navigate to Settings | [Your Name] | Subscriptions. On Android, head to the Play Store, tap your profile picture, then Payments & Subscriptions. Check your bank statements for app charges that may be billed outside of Apple or Google.
Researchers at Avast this year identified some 200 so-called “fleeceware” apps with more than 1 billion downloads and $400 million-plus in revenue. Such apps, found in both the Apple App Store and Google Play Store, hooked consumers with short-term trials, only to change them to plans that ran as high as $3,432 annually.
In some instances, charges continued even after people deleted apps. The flagged fleeceware included musical instrument apps, palm readers, image editors, camera filters, fortune-tellers, QR code and PDF readers, and slime simulators.
To mitigate some risk, “use the applications and utilities that came with your phone” whenever possible, says Alexis Hancock, director of engineering at the Electronic Frontier Foundation. The nonprofit defends civil liberties in the digital world.
Budd has another tip that may work for some families, especially those who are trying to protect an elderly relative. Head to the parental-control sections inside the settings on the phone — they’re not just for safeguarding kids — and disable or restrict in-app purchases.
Read recent reviews and comments
Reviews are a mixed bag. Just as apps can be fake so can reviews. A flood of fawning and repetitive 4- or 5-star reviews can be a sign of something fishy. Read negative reviews, which may be more revealing.
“If [an app developer] made enough people mad, that usually helps” you detect an issue, Hancock says. See how many downloads an app has, and do your due diligence on the developer.
Know whom you are talking to
A telltale sign of a scam comes the instant you see a money request, typically from a swindler pretending to be from Amazon, the IRS, Social Security, a sweepstakes company or “tech support”. Or, perhaps, it is someone feigning romantic interest or claiming to be helping a loved one who got into an accident. Scammers use social engineering and prey on your emotions.
Beware of ‘stalker’
or spyware apps
Stalking apps, which also go by the names spyware and stalkerware, are apps that can surreptitiously monitor what you are doing, including passwords, phone conversations, and texts and emails. Some can turn on your camera and microphone remotely. Often they are surreptitiously downloaded onto your phone by a domestic abuser or a disgruntled ex.
Signs that such an app may be on your phone include a battery that seems to drain faster than it used to, changes in the phone’s settings, an unexplained increase in your data use and an abuser who either had physical access to your device or who seems to know an awful lot about your phone’s activity, according to the Federal Trade Commission.
On Sept. 1, 2021, the FTC sued the parent company of the stalkerware SpyFone app. The FTC says you won’t want to tip off an abuser by uninstalling the app but instead should contact a domestic violence counselor and possibly law enforcement.
Don’t let your guard down even if you initiated contact, Nofziger warns, with, say, someone you reached out to who was advertising the sale of cute puppies. App scams don’t necessarily start inside an app. An exchange can start over the phone, through a bogus phishing email, via text or in an instant message before the person asks you to download an app.
When the con artist does, your suspicions should be heightened. The app may surreptitiously unleash malware or spyware or effectively give the person the keys to your data. Nofziger has heard from victims conned into letting scammers remotely control their phones through apps such as Team Viewer and AnyDesk.
“If you have banking information, contact information, Facebook, whatever it is on your device, they literally have access to it,” she says.
Don’t send money
Nofziger is equally wary of peer-to-peer apps, including Cash App, Venmo and Zelle, that you might use to pay a babysitter or the kid who cuts your lawn. They’re convenient and legitimate. But they lack the protections you get with a credit card, which again comes down to trusting the recipient. For example, Zelle, which is owned by seven big banks, spells out on its website that because you authorized a payment that turned out to be a scam, you may not be able to get your money back.
“There’s no problem with the app per se,” Budd says. “What’s happening here is you’ve been duped or coerced into using that app as your conduit to facilitate the transfer of money to the fraudsters.”
Avoid pressure to move to another app
Criminals may ask people to download Google Hangouts, Telegram, WhatsApp or other communication apps to “get the person off of the platform where they met and take them to a channel that is not being monitored,” Nofziger says. Match.com, for instance, advises singles to keep exchanges inside the app until they get to know their potential dating partner better.
Don’t share location, contacts unless necessary
“Your phone is with you at all times, and a lot of applications ask for location information,” Hancock says. “I would say that’s the most leaky information probably for any app."
Don’t reveal other personal information inside apps, including who your contacts are. This can aid in constructing profiles around you or them and be used to target you with advertising or, worse, scams.
Run security software
As a last line of defense, especially on Android, make sure your device has up-to-date security software. That includes antivirus programs or a virtual private network (VPN) app from vetted providers.
“I never say anything makes you completely protected, but those layers of security can help you be more diligent,” Hancock says. She also recommends checking the security and privacy settings on your phone that are turned on by default, and if you’re not sure what they do, ask a tech-savvy friend.
“Knowledge is power in this case,” Hancock says, and it may help you avoid fraud.
Edward C. Baig is a contributing writer who covers technology and other consumer topics. He previously worked for USA Today, BusinessWeek, U.S. News & World Report and Fortune and is author of Macs for Dummies and coauthor of iPhone for Dummies and iPad for Dummies.