Since many people have mobile phones and rely on them to help manage many aspects of their personal and work lives. It should not be a surprise that scammers relentlessly target unwitting consumers’ phones to trick and them out of money and access their financial, email, and social media accounts. Even very savvy consumers can be taken in by a well-planned and flawlessly executed fraudulent scheme that has been practiced hundreds or thousands of times by experienced crooks.

One type of attack by fraudsters is creating mobile phone (and tablet computer) software applications (“apps”) that are either entirely malicious or apparently provide some innocent, legitimately useful function while also secretly harming the user’s phone and accounts by hijacking the phone, stealing information, and sharing it with scammers. These malicious apps—also called malware—can look perfectly helpful and authentic, but looks can be quite misleading.

In 2023, there were news reports that what seemed to be a formerly innocent app wasn’t behaving as it should, although it came from the web store Google^® Play and therefore should have been screened for inappropriate behavior. According the technology-focused website Ars Technica, “The app, titled iRecorder Screen Recorder, started life on Google Play in September 2021 as a benign app that allowed users to record the screens of their Android devices… Eleven months later, the legitimate app was updated to add entirely new functionality. It included the ability to remotely turn on the device mic and record sound, connect to an attacker-controlled server, and upload the audio and other sensitive files that were stored on the device.”

Spying and hacking apps can be disguised as games for children and adults, as utility apps supposedly designed to help better perform a task such as video editing, or they can imitate other types of fun or useful software. The technology site TechSpot.com noted in May 2023 there was a fast-growing trend by hackers to design malware that purportedly could connect to legitimate artificial intelligence (AI) programs to provide conversation and information similar how a human would write or speak, but the AI connection programs are actually unauthorized fake “"fleeceware" – software that quietly sticks users with subscription fees.”

Since bad apps can be hard to distinguish from safe apps that perform exactly as they describe, what precautions can someone take to lessen the chance that they will be installing malware on their mobile device?

What to do before installing an app on your mobile phone or tablet computer

1. Try to get your apps from the leading app stores, as they are generally, but not always, safer than an independent developer’s site. While any online store may unintentionally (or deliberately) host harmful applications disguised as helpful software, company-operated stores such as Google^® Play and the Apple^® App Store have testing and examination procedures to research apps before they are allowed to be released for public download. These stores also continually review previously released apps to determine if they may be performing illegal and dangerous actions after their release; once identified, the apps are deleted from the stores and the responsible developers may be permanently blocked from offering any other apps to the stores. Third-party app stores may not have procedures for discovering if the software they offer is safe.
2. Do some research on the developer of the application. Does the phone app come from a legitimate company? How would you know? Investigate and try to find out. See if the company has a website and check it out, look for reviews from users of the app or other apps from the same developer, and find out if the company is listed with the Better Business Bureau.
3. Is the app appear to come from a well-known company, or is it just using part of a trusted company’s name to fool consumers? Name brands count; apps from well-known companies are often thoroughly tested and cleared of bugs or unintended malicious features. So an app from a company titled GOOGLCO is not the same as an app from Google^®, LLC.
4. Is the app listed in the App Defense Alliance directory? The mission of the software industry organization App Defense Alliance is ensuring the safety of Google^® Play and the broader app ecosystem. The App Defense Alliance is focused on protecting users by preventing threats from reaching their devices and improving app quality across the ecosystem. The app directory of the App Defense Alliance has details on verified apps and names the independent software laboratories that tested and validated their trustworthiness. The App Defense Alliance app directory may not be absolutely comprehensive, but it is an information resource to check. While no review, verification, and classification system is perfectly protected from being tricked by unscrupulous fraudsters, checking the directory of App Defense Alliance may help indicate that an app is safe to use.
5. Review the reviews of the app, and especially pay attention to negative reviews. Reviews for a malicious app can be entirely fake, but it still may be helpful to read what reviewers apparently are saying about the software. Look for detailed reviews and a selection of negative or 1-star reviews to see what issues users have encountered with the app and whether the developer has responded to the comments and attempted to fix some problems. Scammers will generate a large number of brief, positive reviews (such as one or two words) and fake positive votes to increase the apps overall rating and it move up the numerical rankings to become one of the top-rated apps. Top-rated apps tend to get more visibility and downloads.
6. Look very closely at the permissions that an app is asking to use and then ask yourself if it needs all of those permissions. Malicious apps that want steal information or hijack accounts will ask for permission that may not be logical and appropriate for their function. A QR code reader or spreadsheet editing app most likely shouldn’t need access to personal contacts, the camera, microphone, geographic location, passwords, or any other sort of sign-in or sensitive personal or financial information, such as a credit card number. Many apps also shouldn’t need to report information back to the developer. Any app that is requesting access to information that intuitively seems incompatible with its stated function is risky and a user should be wary of authorizing its permissions. To check what permissions are currently active for apps for two types of mobile phone operating systems, on Android phones you can click on “Settings” then click “Apps,” click on an app, then click “Permissions” to allow what it can or cannot access. On Apple^® iPhones, click on “Settings” and then “Privacy & Security” to grant or deny permissions.
7. Is the app’s developer making grandiose and possibly unrealistic claims about its ability to improve the performance of an activity, such taking photos, editing videos, or offering free phone service? An app (especially one that is free) that promises significant benefits to an activity should be approached very cautiously. Commitments to provide valuable benefits for no or low cost are a standard selling approach to promoting malware and other bogus services or products.

Protecting yourself at Delta Community

If you think any of your Delta Community accounts have been compromised because of phone, text, online, or app activity, immediately contact our Member Care Center via our toll-free number at 800-544-3328 with whatever details you have, including dates, times, amounts of money, email messages, email addresses, text messages, phone numbers and names.

Please remember that Delta Community will never call, text or email you to ask for your checking, savings or investment account, ATM, debit or credit card numbers or passwords, your telephone access (IVR) PIN, or one-time passcode. If someone purporting to be from Delta Community calls and asks for any of this type of information, hang up and call the Credit Union.

Would you like to check out more ways to try to avoid scams?

More information on protecting yourself and your accounts—along with financial guidance—is available from free Delta Community Financial Education Center webinars on many different money-related topics. You can visit the Financial Education Center's Events & Seminars page to register for its no-cost, on-demand webinars.

Delta Community’s blog and security posts have a lot of advice on handling online personal security:

• Avoid fake check scams.
• Learn check-writing tips.
• How to hang up on imposter scams, part 1.
• How to hang up on imposter scams, part 2.
• Did you know that only scammers get paid with gift cards or cryptocurrency?
• Think for a minute, and then don’t click 'unsubscribe' from spam emails and texts—managing spam.
• Learn how to make your mobile and online payments safer.
• How to protect yourself online while working or learning from home.
• Why to question your security questions.
• ​How to secure your home network.
• You should know how to tell if someone’s stolen your identity and how to prevent it.
• How to get a stronger password and use a password manager.
• Be on the lookout for phishing, smishing and vishing attacks.
• Be vigilant for spoofed phone calls.
• Harden your email account against an attack.