Beware of fake tax apps pushing malware

With the self-assessment tax deadline fast approaching in the UK, self-employed individuals will be looking to take advantage of the many apps that are on the market to help make the tax return process as smooth as possible. Unfortunately, there is a real and pervasive problem of tax-related cybercrime.

It is not uncommon for cyber scams to be tied to current affairs, as this ensures that they are far-reaching and timely. When it comes to apps, for every good and useful app that exists, there will nearly always be malicious individuals looking to exploit its popularity to try to steal from unsuspecting individuals.

Education among end-users has come a long way in the last decade. With the rise of malware, there has also been a rise in user awareness. But it’s simply not possible for the general public to be well versed in all the potential threats that exist and arise. For example, users may have their guard up when it comes to suspicious hyperlinks, emails, and websites, but many let their guard down when it comes to malware in the form of applications.

Masquerading as legitimate apps, these programs are designed to harvest user data and facilitate identity theft and payment redirection. Often these fake apps are published on third-party app stores, outside of those natively available from the device manufacturer (e.g., the Google Play Store on Android or the App Store on iOS). However, some occasionally make it onto these first-party app stores as well.

A game of stealth

When it comes to fake tax apps, for example, the crooks’ main approach is sleight of hand. In many cases, bad actors will reverse engineer legitimate apps, add malicious code to it, and then upload the package on app stores. If the attacker or attack group are good, the app will appear to be the real deal and will function in the same way but will also covertly function as a platform to launch wider malware attacks on a phone or desktop.

Threat actors commonly code these fake tax apps to use the official filing APIs used by legitimate apps. In part, this is to try to maximize their longevity on whichever app store they are on. By using these APIs, the malicious apps may help users to file their tax returns but they may also use privilege escalation mechanisms to copy sensitive information to criminal databases. Hiding in the background of what seems to be a legitimate app, bad actors could, for example, process payment requests where the payee details are that of a criminal organization or threat actor, rather than the intended recipient (in this case, the tax authorities).

Another example of malicious activity might include requesting access to the camera roll and then scanning images for any documents that might include personally identifiable information (PII), such as a passport or driving license, which can be used to facilitate identity theft. Many of these apps may also carry out keystroke logging: the app may requests to install a custom keyboard that looks identical to the system keyboard and then use it to harvest sensitive data – such as private messages, passwords, and even credit card details – entered into other apps.

In the last five years, several vulnerabilities have been discovered within the Android and Apple operating systems that threat actors exploit to steal information via fake apps. In 2019 and 2020, two major Android vulnerabilities – dubbed Strandhogg and Strandhogg 2.0 – allowed, among other things, fake apps to masquerade as legitimate ones, meaning that attackers could gain access to people’s private information and services, including bank accounts, camera, photos, and messages. These privilege escalation vulnerabilities are classic examples of how bad actors can use malware to imitate legitimate apps and siphon off sensitive data.

Mitigating risk

Apple and Google should better police their app stores, but some responsibility for risk mitigation must also lie with the end user. Anyone looking to use an app to help file their taxes must be vigilant. While some apps have slipped through Apple’s and Google’s safety net in the past, as a rule, it’s much better to download an app from there than from a third-party app store.

Legitimate app publishers could also do more to ensure that their apps aren’t reverse engineered, tampered with, and republished by criminals. Certainly, any app that takes payments ought to have its own integrity controls in place. The increased use of in-app protection tools has paved the way for developers to mitigate the devastating consequences that cyber attacks on these apps can have.

In any case, users should always double-check and download apps from respected developers and should always remain cautious. The phrase “trust your gut” springs to mind. If an application requests far too many permissions, such as to access the camera, record audio, install keyboards, or to download data and change settings, these should be red flags, especially if they have nothing to do with the apparent functionality of the app.

Additionally, real apps (or at least the good ones) will offer added security features such as multi-factor authentication and/or, where applicable, biometric authentication. Those looking to utilize apps to help with their taxes should be on high alert for those exhibiting suspicious behavior. There are plenty of legitimate apps to use and the consequences of accidentally using a fake app could be far worse than missing the tax return deadline.