Download alert: Nearly ALL top 100 Android, iOS paid apps hacked

Downloading mobile apps from non-official sources has become a lot more dangerous over the last year, with apps now needing more built-in protection, according to a new report. The number of Top 100 iOS apps that have been hacked over the past year increased from 56 per cent in 2013 to 87 per cent in 2014. The majority (97 …

  1. GettinSadda

    Simple Really!

    > "Downloading mobile apps from non-official sources..."

    And there we have the whole story summed up in the first line. Buying prescription meds under the counter from a guy at a gas station? You're going to end up in a bad way! Downloading apps from an unofficial site? Ditto!

    1. Anonymous Coward

      Re: Simple Really!

      But, but, but...

      FREEDOM!!! It's my device! etc...

      1. Raumkraut

        Re: Simple Really!

        With great freedom comes great personal responsibility.

      2. Anonymous Coward
        Devil

        Re: Simple Really!

        Yep, you are FREE to be STUPID!!!

        1. Michael Habel

          Re: Simple Really!

          More like... Dare to be stupid...

      3. danbi

        Re: Simple Really!

        Yes, you have the right to injure yourself too!

        What you can do to yourself, no one else can...

      4. Anonymous Coward

        Re: Simple Really!

        ...forgot to add the /s.

    2. thames

      Re: Simple Really!

      I wonder what percentage of cracked Windows and Apple PC applications on pirate download sites contain malware? In either case, the solution is to simply not download and install pirated software from sources that you can't trust.

      I understand the main market for pirated phone apps results from the fact that many people in a lot of third world countries either don't have credit cards to buy apps from the official stores, or their credit cards come with currency exchange restrictions, or their credit cards are a brand which isn't accepted by Google or Apple. Nokia used to handle this situation through carrier billing.

      1. chris lively

        Re: Simple Really!

        Probably all of them

      2. Anonymous Coward

        Re: Simple Really!

        It's pretty low - I've *cough* "evaluated" a few Windows games to see if they were worth buying and found very few issues.

      3. danbi

        Re: Simple Really!

        If Nokia did this somewhere, it was far from universal.

        Some people often think it's inappropriate to pay for software. Some well known software companies taught them so in an attempt to be present "everywhere". Then cried "pirates"..

        Everything has its price. It's not always in money.

    3. Tom 35

      Re: Simple Really!

      It seems people buy little blue pills from spammers all the time so how surprising is it if they install apps from scummy app stores (it seems the iOS hacks were mostly delivered in spam too).

      1. Cliff

        Re: Simple Really!

        What kind of muppet side-loads illegit financial apps?

        1. John Tserkezis

          Re: Simple Really!

          "What kind of muppet side-loads illegit financial apps?"

          Presumably the ones who want to, ahem, save money.

  2. Pat 11

    I call BS

    What proportion of those "hacked" (ie cracked) apps do anything malicious, and what proportion have just had their licensing removed for piracy?

    1. Just Enough

      Re: I call BS

      If you are the developer of the cracked app, does it matter? It's still a real concern for you and something that the report highlights.

    2. Andy Nugent

      Re: I call BS

      Years ago we had a fairly popular Symbian app in the Nokia/Ovi Store (free and a "pro" version available for about €1) that was available on numerous pirate sites (some with more downloads than we'd had paying users). The majority had a 20-30% increase in the file size for the "cracked" pro install. Maybe the crack to remove the license check was just really large, but I'm guessing there was a lot more packaged in with it.

  3. chivo243 Silver badge

    Have to distinguish

    Must be using jailbroken iOS devices to get hacked apps.

    Jailbreak your iOS device, and you get what you want, and then some. I can't speak for android, I won't touch it...

    1. goldcd

      Re: Have to distinguish

      Speaking for 'Android'

      We don't have to jail-break to install our own apps - but you have to specifically enable the option to allow this.

      I thought on iOS you could also do it with a corporate license (i.e. your company puts a cert on your phone, they sign their custom apps, they can be installed on your phone directly).

      I've no idea what the big deal here is though. If you run random code on your machine, it can do all manner of things (which is why you don't run random code on your machines). Just on phones, you have to jump through some hoops to do this (which simply makes it even more stupid).

      1. chivo243 Silver badge
        Mushroom

        Re: Have to distinguish

        @goldcd

        "Speaking for 'Android'

        We don't have to jail-break to install our own apps - but you have to specifically enable the option to allow this."

        As much as I dislike the Apple closed system, I feel it protects the non-sysadmins and nerds that hang out here on the Reg.

        As to random code, I think any 'droid store vs. the app store is a no brainer, one has "some" controls, and the other has less than none.

        BTW, I hear pastebin has your info... Don't blame me...

        can I get another downvote? Say it with me Hallelujah!

  4. Frank Bitterlich
    Childcatcher

    Metrics?

    I suspect that what they do is to scan the black app markets for anything malicious that uses the name or look of any of the top apps, and if they find one, voilà, "WhatsApp has been HACKED!!!111!!!"

    Try to offset the actual number of malicious or really "hacked" instances of downloads to the total number of (legit) downloads of those top 100 apps, and come back when you have real numbers. Thank you.

    I'll take that report for what it is: advertising disguised as a "press release."

    1. Anonymous Coward

      Re: Metrics?

      "I'll take that report for what it is: advertising disguised as a "press release." "

      Well, if it was, it wasn't a very convincing one.

      1. Anonymous Coward

        Re: Metrics?

        Using my personal definition of a press release as "Marketing/PR drivel breathlessly touting itself as news", I thought it ticked the boxes nicely.

  5. DrXym

    Fabulous news

    I see absolutely no downsides with using hacked apps from some dodgy Chinese app store. I'm sure the cracked apps need all those permissions for a good reason.

    1. Paul Crawford Silver badge

      Re: Fabulous news

      I'm sure the official+cracked apps need all those permissions for a good reason.

      Fixed it for you...

  6. Anonymous Coward

    Better Headline

    Do something stupid - pay the price.

  7. Tikimon
    Devil

    Does it really matter?

    Consider the state of an un-hacked phone. Carrier and partner-sponsored spyware on it, Google or Apple watching and selling you out, every cop on the planet slurping your phone and data traffic. Partner agreements swapping and selling your most personal information to all and sundry.

    Ok, now you're hacked. What's really different?

    Smartphones: hacked from the factory.

    1. Anonymous Coward

      Re: Does it really matter?

      Why are people down-voting this guy's comment? Do you think this isn't happening? Or do you think this is OK? Or something else?

      Seriously, I'm interested to know.

  8. G R Goslin

    It's all very well

    It's all very well telling us about percentages and such. But how about telling us WHICH apps are suspect?

    1. Anonymous Coward

      Re: It's all very well

      Well my maths might be a bit out but according to this part of the article, 'The majority (97 per cent) of top paid Android apps have been hacked', I'd say 97 out of the top 100 paid for ones.

      It might be easier to list the 3 that aren't.

      Why can't I install and run the apps from within a sandbox where it appears that all the access rights requested are given but in reality aren't (a sort of protected mode)?

  9. sandman
    Joke

    Winphone

    Nobody's hacked our App yet ;-)

    1. Salts

      Re: Winphone

      Who?

  10. Lamont Cranston

    Paid apps?

    How quaint.

  11. Barbarian At the Gates

    X % of top apps have been "hacked"

    But how many of the hacked...er...repackaged apps are in the top 100?

    Because it sounds like to me this particular mouthpiece is calling a knock off app that has similar name/icon/function with added "features" buried in the pile of phone apps at position one million a "hack" of the original application. But the genuine app is probably just fine, and isn't compromised.

    This press release is akin to a web ad banner screaming YOUR COMPUTARS ARE INFECTION! CLIK HERE NOW TO FIX!

    <sarcasm>This sounds totally legit to me. Buy with confidence!</sarcasm>

    1. Anonymous Coward

      Re: X % of top apps have been "hacked"

      I think as far as iOS goes, he's probably talking about "hacking" it to allow it to be installed for free on a jailbroken device. That's not the same thing at all as modifying it to steal your info or whatever other nasty stuff.

      I suspect that if you don't count this, the percentage of top 100 apps in the iOS App Store is zero, but their line of business depends on people thinking there is a huge problem out there which simply doesn't exist.

  12. Haku

    Freemium / In-app purchases / Microtransactions

    I think some people are just trying to avoid paying microtransactions, which are anything but micro for a lot of the freemium stuff.

  13. Steve Medway

    whoopie do most apps have been pirated

    So what if you can download a knocked off version of most popular iOS / Android apps and load them onto a jailbroken/rooted device if you use a dodgy repository?

    Why are they so desperate to not use the word *pirated*... because nobody would care about their PR missive if they did. It's not as if Apple and Google don't know about it.

  14. Gis Bun

    Apple always stated to download from the AppStore(TM) because it is safe and tested. Bull droppings!

  15. Anonymous Coward

    Freedom.apk

    Does what the name on the tin says... Frees you from micropayments! I don't mind paying for an app, I do mind the app turning to crap once installed though.

    What kind of metaphor do we have for this? It certainly isn't "It fell off the back of a truck" maybe "They gave me foreplay, I gave them dick"

    Answers on a postcard

  16. Henry Wertz 1 Gold badge

    What are they talking about?

    My question, what are they talking about? After reading both the El Reg article, and the Arxan site, I can't tell.

    By a "hacked" app, do they mean:

    1) Exploits exist against an application, so unauthorized information can be retrieved from the application and phoned home to some naughty malware author?

    2) The unauthorized copies of these applications have various malware added into them?

    3) Just like cracked PC software; the "adding or modifying many attributes and behaviours that the app did not originally have, such as having security controls bypassed or unauthorised functions" means bypassing licensing checks and enabling the paid features you wouldn't get otherwise (in the case of apps with a free and feature-added pay version)?

    Don't get me wrong, the software on offer from Arxan appears to be meant to harden Android apps, so it would likely help against all of those 3 scenarios (make it harder to exploit, harder to crack, and so harder to ship "malware added" versions of the software too.) But I'd be more worried about loads of exploitable apps than finding out that dodgy free versions of paid software exist (which honestly wouldn't surprise me much at all.)
