Chameleon gambling apps wiped from App Store, Google Play

Updated: Developers mask their apps to circumvent heavy restrictions on gambling.
Written by Charlie Osborne, Contributing Writer

If online and app-based gambling is of interest to you, it is easy to find gambling software in both Apple's App Store and Google Play.

However, both tech giants heavily regulate this industry to prevent overcharging, misuse, abuse, and flouting of local laws, which vary from country to country. 

This doesn't mean that shady developers who wish to lure unwitting handset users into downloading and installing gambling apps are deterred -- and recent research has revealed just how far some of them will go. 

On Thursday, cybersecurity researchers from Trend Micro said they found "hundreds" of fake apps in both stores, all of which masqueraded as legitimate offerings before being unmasked as fronts designed to pivot users towards downloading gambling services.

For example, one app was described as a hub for holiday information, whereas in reality, the app would redirect users to a lottery system. Wine, weather, and entertainment apps were also found to be fraudulent. 

Some of the apps, unfortunately, were spotted in Top 100 lists and had been rated over 100,000 times, revealing how entrenched the fake apps were in the repositories.

The applications impersonated genuine content in both stores and could also be downloaded outside of the App Store and Google Play. In Android's case, users would be directed to an APK file, but when it comes to iOS, external downloaders would simply be directed back to the App Store. 

Once downloaded and installed, the apps would, at first, behave normally. However, each app contained a 'switch' that fraudsters could use to set the app to show its true gambling content.

Trend Micro believes it is this switch API that was turned off during review processes, allowing the apps to pass inspection.

A connection between some of the fraudulent apps was found via a command-and-control (C2) server. The C2 controlled at least three of the applications and when researchers tried to access it, they accidentally shut down the "switch" which loaded the malicious content in the run-of-the-mill apps -- and therefore, the apps began to behave normally.

"At the time of our research, these apps only seem to use WebView to load a gambling website, and do nothing malicious on the device," Trend Micro says. "However, fake as these apps may be, they still outranked the apps they impersonated."

Apple and Google were notified of the researchers' findings and every fake app has been removed from the App Store and Google Play.

Update 13.56 BST: A Google spokesperson confirmed the removal of the apps but had nothing more to add. Apple said all of the apps were removed from the App Store before Trend Micro contacted the company, and the developers have been escalated for termination from the App Developer Program.
