The Threat of Rogue Mobile Apps to Retail and Hospitality Brands

Your application security program should include monitoring and takedown of rogue mobile apps to protect your brand reputation and your customers’ credentials.
The Threat of Rogue Mobile Apps

Mobile apps can serve as a convenient way for your customers to do business with you from their smartphones, but just like criminals can attempt to spoof your domains, they can also spoof your mobile app, even if you don’t have one. Rogue mobile apps are applications that use a trusted brand name to steal information for use in fraudulent transactions. Rogue apps can exist in legitimate app stores as well as unofficial app sites offering downloads of APK (Android application kit) files. Rogue apps can be damaging to your brand reputation and can result in loss of sales, so it is important to monitor for them and take them down when discovered.

What Do Rogue Apps Do?

The goal of rogue apps is generally to make money, but there are a couple of different ways that that is accomplished.


Fleeceware refers to applications that make their money by charging hidden fees. Attackers will take an app that should be free, whether that is a flashlight app, a horoscope app, or your company’s app, and upload it to an app store where users download it. They will generally offer a free trial period at first download and then begin charging exorbitant fees, often taking advantage of people not knowing how to stop a subscription after they’ve deleted the app. These apps aren’t flagged by the app stores because there isn’t any malware; they’re simply abusing features such as free trials and in-app purchases that legitimate apps also employ.

Stealing Credentials

One of the popular uses for fake apps is to steal user credentials. When the user opens the app, they are asked to sign in. The malicious actor now has their credentials which they may be able use on the real app to commit fraud. Even if the stolen login information doesn’t provide a significant reward in the app they’ve spoofed, chances are it will be useful somewhere else. According to Spycloud, 76% of Fortune 1000 and FTSE 100 employees are reusing passwords across work and personal accounts. The threat actor now has a confirmed password that they can try across various sites to gain access to bank accounts, email accounts, social media sites, and more.

Deploying Malware

Once a user downloads the app, it may use pop-up windows to entice users into clicking on “clean-up” software that infects them with malware. Apps on APK download sites are more likely to contain malware as there is even less regulation of them than there is in verified app stores. Phones can be equipped with anti-malware software, but they often aren’t because people don’t think of their phones as being susceptible to those types of attacks in the way that they do their computers, making this particularly dangerous.

Asking for Permission

When you download an app, a notification will pop up asking you to grant permission for it to access other features on your phone, such as connecting with your social media apps or accessing your photos and contacts. Users will often just grant apps permissions to get that screen out of the way so they can move on to the reason they downloaded the app. But in the case of rogue apps, granting these permissions can be dangerous as you’re giving the threat actor access they can use to escalate privileges to continue stealing more and more of your information.

How Do Rogue Mobile Apps Impact Your Brand?

Let’s say that a criminal has created a rogue app impersonating your brand and has placed it in verified app stores. Maybe you don’t have a mobile app, so this app is the only search result, and it looks legit. Maybe the attacker has done a good job of impersonating your real app’s look, and the unsuspecting, distracted user doesn’t realize they’re not downloading the right app. Either way, the user has ended up with an app seemingly representing your brand that will not perform the functions they wanted from it. Retail and hospitality brands rely on brand reputation. A negative experience will not only stop the customer from making the purchase they were trying to make when initially downloading the app, but it may discourage them from future purchases as well, as they remember this negative interaction the next time they need something. Rogue apps can result in long-term brand reputational damage, as well as financial losses from missed transactions.

How Do You Stop Rogue Apps?

The first step in stopping rogue apps is detecting their existence. There are a number of monitoring services out there for rogue apps, often offered by the same companies you’re using for other elements of intelligence, such as monitoring your presence on the dark web or spoofing of your domains. You’ll need some type of monitoring tool for this because it is simply not practical to keep up with looking for rogue apps manually. When you do find an app impersonating your brand, your organization’s legal team, or the company you’re using for monitoring, can submit a Digital Millennium Copyright Act (DMCA) takedown request. You’ll need to prove that you have the copyright that is being infringed upon and demonstrate where it is being used. In the case of apps on legitimate app stores, the app store provider will usually have a form that you can submit, such as Apple’s content dispute form or Google’s intellectual property infringement form. The APK download sites should also have DMCA policies that tell you how to submit a claim, such as this one by APKMirror.

Interested in finding a brand monitoring vendor? Check out this discussion post on RH-ISAC’s member community in which members share the vendors they trust for taking down brand impersonating sites. Not an RH-ISAC member? Learn more about how being a part of the RH-ISAC’s member community can benefit you.

More Recent Blog Posts