Malicious actors are using a new tactic to defraud victims, which involves embedding malicious code in mobile beta-testing apps, the US Federal Bureau of Investigation (FBI) has warned. The beta apps typically are not subject to mobile operating systems' review processes.
“The malicious apps enable theft of personally identifiable information (PII), financial account access, or device takeover. The apps may appear legitimate by using names, images, or descriptions similar to popular apps. Cyber criminals often use phishing or romance scams to establish communications with the victim, then direct the victim to download a mobile beta-testing app housed within a mobile beta-testing app environment, promising incentives such as large financial payouts,” the FBI noted in an alert.
The agency said it is aware of scam operations where threat actors contact victims via dating and networking apps and instruct them to download mobile beta apps, such as cryptocurrency investment apps that steal crypto assets from users.
The FBI has shared some tips on how to identify a malicious beta app:
-
Mobile battery draining faster than usual
-
Mobile device slowing down while processing a request
-
Unauthorized apps installed without the user's knowledge
-
Persistent pop-up ads
-
A high number of downloads with few or no reviews
-
Apps that request access to permissions that have nothing to do with the advertised functionality
-
Spelling or grammatical errors, vague or generic information, or a lack of details about the app's functionality within the app description
-
Pop-ups that look like ads, system warnings, or reminders
The security alert also offers recommendations on how to avoid falling victim to such scams.
