Mobile security: These health apps aren't good for your phone or your privacy

As people turn to mobile apps to help manage health conditions, cyber criminals have realised there's money to be made.
Written by Danny Palmer, Senior Writer

People looking for information about diabetes and other conditions could be at risk from having their private information stolen and privacy invaded by cyber criminals.

Malicious Android applications targeting people living with diabetes were detailed by Axelle Apvrille, principal security researcher at Fortinet, during a presentation at the Virus Bulletin 2019 conference in London.

For cyber attackers, there's a simple reason why they're producing malicious health-related apps – because they can easily be used to steal data or install malware, or both, from a large number of people.

One malicious app claims it will predict your life expectancy if the user answers a list of questions about their health – providing the user with a wallpaper featuring the predicted number of minutes. However, information entered into the form was being sent to a remote server in a move that the application doesn't advertise – something the researchers are highly suspicious of.

SEE: 10 tips for new cybersecurity pros (free PDF)  

A second diabetes management app was more obvious about its malicious nature. Available as a free download, the app wouldn't work as advertised unless the user downloads other applications that are full of adware.

"It was preventing me from getting access to the application unless I agreed to download 'sponsored' applications which are full of pop-up adverts," said Apvrille.

A third malicious application actually does provide advice on diabetes, but also tracks almost everything the user does – including the GPS location of the device, its IP address and the other apps on the device, putting the privacy of the victim at risk. This app also relentlessly pushes pop-up adverts on the victim.

But despite the shoddy nature of these malicious applications – many of which don't even provide basic advice on managing diabetes – those who download them might just put up with the interference.

"Because if you have diabetes and need those applications, you might put up with those pop-ups, because you need it," Apvrille explained.

"Cyber criminals are making a profit out of that," she added.

SEE: Smart home maker leaks customer data, device passwords

Unfortunately, this could just be the start when it comes to cyber criminals targeting people with health issues, especially as more people turn towards applications and internet-connected devices to help manage conditions, because a rise in popularity will make the attack vector more appealing to attackers – especially if they can use it to get their hands on sensitive personal information, including data about health conditions.

Medical records are already being sold on dark web forums and if cyber criminals can use malicious health applications to scrape more data – then it's highly likely they'll do so.


Editorial standards