FBI: Mobile Beta-Testing Apps Are Major Security Risk

The FBI has warned consumers not to download apps labelled as being in beta-test mode, as they might be involved in scams designed to steal cryptocurrency and other assets.

The apps are typically used in crypto investment scams, with victims directed to download them via other scams, the Feds said in a Public Service Announcement (PSA) yesterday.

“The malicious apps enable theft of personally identifiable information (PII), financial account access, or device takeover,” the PSA read.

“The apps may appear legitimate by using names, images, or descriptions similar to popular apps. Cyber-criminals often use phishing or romance scams to establish communications with the victim, then direct the victim to download a mobile beta-testing app housed within a mobile beta-testing app environment, promising incentives such as large financial payouts.”

The scams work well because mobile OS security checks are limited when it comes to beta apps, meaning their malicious code is often missed, said the report.

The FBI listed a number of tell-tale signs that an application may be malicious. These include a battery that drains faster than usual, slow processing speed, persistent pop-ups and requests for permissions that don’t match the described functionality.

The PSA also warned that malicious apps may have spelling/grammatical errors and vague descriptions in the app store and/or a high number of downloads with few reviews.

“If a victim downloads one of these fraudulent beta-testing apps masquerading as a legitimate cryptocurrency investment app, the app can extract money from the victim through fake investments,” it added.

The FBI urged mobile users to keep their devices updated, restrict app permissions and uninstall any apps they don’t use. They should also be on the lookout for phishing emails, even those that appear to be sent from friends and legitimate contacts.

“Do not send payment to someone you have only spoken to online, even if you believe you have established a relationship with the individual,” it warned.
