A whileback, Brock and I were impatiently waiting for WiGLE's beta app update. It was was WiGLE just added bluetooth to their platform and it was a big move for us (was that like, 2 years ago?). I went to get the app from WiGLE, but Brock simply google'd the app and downloaded it. I was unsure how this page was already a google result, and he showed me he downloaded it from another apk site. When I objected, he didn't understand. I explained the dangers Rogue Apps present, but also, I then downloaded it anyway to see if my concerns were justified on an old-lab-phone.
Rogue applications are those which are not created and published by the developer. In general, rogue apps are an Android centered issues (and FireOS - ketchup; fancy ketchup). Back in 2018, RSA published a white paper in which 28% of online fraud were rogue apps, and has seen a 300% surge in 2019.
Before discussing what's wrong with rogue apps, let's use an example:
Instagram's legitimate Android app:
Instagram rogue apps - for the sake of my argument I made sure I linked ones that as of Aug 13th were all the same version 220.127.116.11.96
- this website even has the verified hashes published, but we'll get back to that
- published MD5: eda1e31e06ef33befe363baf4d933712
- actual MD5 hash of file downloaded: AF63391C984586B94C0628E9110EB0B1
- published SHA-1: 554405e32a708c29adbd04b8a3914c255380ba79
- actual SHA-1 hash of file downloaded: 8BF651DA9CE9A052C52A38F7DE978C4C13935221
- The app has been modified since the developers' publication. I assume - if this was an desktop application people would take it more seriously. But for some reason, the risk of having an app with privileged access to your device does not trouble many people.
I'm not sure why the apk site in the fourth example above published the hashes of the legitimate application, when their hashes would not match? I'm sure it's to give a false sense of security on the site, suspecting that no one would actually checking the hashes.
- Future research on this can be done by reverse engineering the app.
- Personally, I find advertising to be annoying, although that's not a malicious interaction. Why have an app with ads, when the legitimate app does not?
- Someone else is making ad profit off others' work. Of course, this is copyright infringement against the legitimate app developer. While content theft is wrong, I find it extra venomous that the apk site makes money of the legitimate developers' work.
- Malvertising. The ad services the apk sites use are bottom of the barrel, common ads. The barrier for entry to advertise with these services is very low, and it's very easy to slip in malicious advertising.