3 steps to avoid malicious mobile apps

Today, everyone has smart phones, from children to elders. Smart phones contains a bunch of applications that increase productivity in real life. Human today may spend time with smart phones even more than with human. Smart phones become a part of life, an accessories, and maybe secrets holder of everyone. People put almost everything in their phone, from photo, identity to bank accounts. This habit makes smart phones top priority target for hackers in hacking campaigns, to steal secrets, or simply money. These hacking campaigns usually exploit users’s low awareness or low knowledge about mobile app security factors. Android & iOS, as default, provide many mechanisms to protect users from getting hacked but the weakest point in the system is always human psychology. “Amateurs hack machine, Professionals hack people“. If you are afraid of hacking, this post is for you. This post hopefully can guard your mind up to defense against one of the highest risk factors in Internet era: cybercriminal.

Most of cyber security incidents – aka get hacked – known in public begins from a very non-technical step and can be performed by anyone, named Social Engineering. Social Engineering is a type of manipulation where someone tricks people into giving away sensitive information, access, or money—by exploiting human psychology rather than hacking systems. To steal data from your phones, 99% of time, hackers need to trick you to install malicious applications. Malicious applications, once installed, will silently steal data and send back to hackers. So, just by acknowledging which app can be malicious, you already get you safe 99%. The rest 1% is involved to Zero Day exploitations, which are real hacking, require top-notch hacking knowledge and skills, but will not be mentioned in this post. For more understanding about Zero Day exploitations, you can subscribe here then the-tech-lead.com will inform you when there is any article available.

Here we back to How to know if a mobile app is malicious!

1. Double Attention on download source

As a golden rule for mobile applications, only download from trusted store which is PlayStore and AppStore. PlayStore and AppStore is pre-installed on any Android or iOS smartphones. For any applications, only download from PlayStore app (for Android phones such as Samsung, Pixel, Nexus, etc) and AppStore app(for iPhones). Do NOT install any applications outside these 2 official stores, regardless any reasons, urgency or who tell us.

For Android world, mobile applications are written in Java and Kotlin language, exported as APK files (file has extension .apk). This .apk files then be signed with digital signature of its owner – who registered as developer on PlayStore with their legal information. This process is essential as it can tell who actually behind an application, and if we has evidence about any malicious activities, we know who to sue. The information of who develop certain application can be found at section “App Support” under its logo.

APK files can be installed directly to Android phone via user’s explicit grant. Users can tap to .apk files stored in their phone (inside Download folder, or Document folder for example), a popup will display asking installing permission. If user grant it, the .apk will be installed. This process usually is for developers to test applications before submitting to PlayStore. For regular users, this process is an absolute indicator for a malicious application. So if someone, for any reason, tell you to do these steps manually, don’t trust them and report them to police asap. Typical trick flow is like so:

1. You are on Social Network such as Facebook, seeing a post tell that install an application to get free 1000USD as a reward for its early users.
2. You click on download link, your phone download it into Download folder
3. You follow “installation guide” written next to download link, saying that you open Setting app, enable “installation app from unknown source”, then open Download folder, tap on APK file.
4. Your Android phone show a popup telling you that APK is from unknown source, but according to the guide, it tell you just press Accept.
5. Then the malicious APK is installed then it steal your data.

Similarly, on iPhone world, iOS applications are written in Swift and ObjectC language, and exported as .ipa file. IPA files can be installed via the App Store or through developer tools like Xcode. Usually, we can’t freely install IPA files unless the app is signed with a valid certificate or the iPhone is registered for development. But there is still a trick that hacker can trick users to install malicious IPA files: via TestFlight abusing. TestFlight is Apple’s official tool for distributing beta (testing) versions of iOS apps before they go public on the App Store. Developers use it to invite testers, collect feedback and fix bugs before release. TestFlight is legit—but it can be abused in social engineering attacks. Typical trick flow is like so:

1. Someone impersonates a bank employee, call you, tell exactly your name, your address, and saying “Your bank account is in legal risk due to a transfer from criminal gang” or “Police is screening your account because they think you laundry money”, with urgent, serious, and a bit threaten.
2. Then they sent you a link to install their internal iOS app to prove that you are innocent.
3. You tap on that link, iPhone redirect you to TestFlight app because it is TestFlight invitation link and your iPhone does not have TestFlight installed
4. Then you are told to tap on the link again, this time the fake application is installed to your iPhone, via TestFlight
5. The fake app looks the same to bank’s official application so you have no doubt
6. But the app then steal data from your iPhone, or trick you to fill username, password, even OTP and CVV number

2. Double check on app permissions

When users smart enough to not install app from untrusted source anymore, hackers may use level 2 of malice: Camouflage. Typical hacking plan is like so:

1. This time, hackers develop or purchase normal mobile application source code then publish via PlayStore and AppStore normally.
2. Because it is normal, PlayStore & Appstore accepts and make it available.
3. Then hacker send next updates for the normal application, with new features requiring some system permissions such as: read contact list, read call logs, read gallery, read GPS, etc…
4. Hackers advertises that app with awesome features that can make outstanding outcomes, right in need of some users.
5. Then with curiosity, users install the app, from PlayStore, or AppStore depends on their phone OS.
6. The app requires user to grant quite a lot permission but users usually don’t care and don’t understand so just accept it.
7. Then the app steal call logs, photos, location data, etc …, from the phone, thanks to user’s grant.

Both Android & iOS has default safeguard to protect user’s privacy. Every application, as default, can not access to sensitive data on smart phone. For example, if an application want to read some photos, developer – who is making that application – must register “Access Gallery” permission. Then whenever the application want to use this permission, the operating system (Android / iOS) will display a message asking users to grant that permission. When granted, application now can see photos in the phone. Similarly, other sensitive info such as call logs, GPS, and many more also requires user grant permission before the app can actually read data. To know an application want what permission, we can check right on PlayStore for Android app, and AppStore for iOS app.

How to check Permissions of Android application

Before installing:

1. Open the app page on the Google Play Store
2. Scroll down to “App info” → “Permissions”
3. Tap “See more” to view full details
4. Check what the app can access:
   • Location
   • Contacts
   • Storage
   • Microphone, etc.

After installing:

1. Go to Settings → Privacy → Permission Manager
2. Select a permission (e.g. Location)
3. See which apps are using it
4. You can:
   • Allow
   • Allow only while using
   • Deny

👉 Tip: Android also shows permissions during first use, so don’t just tap “Allow” automatically.

How to check Permissions of iOS application

Before installing:

1. Open the app page on the App Store
2. Scroll to “App Privacy” section
3. Review what data the app may collect:
   • Location
   • Contacts
   • Identifiers
   • Usage data
   • etc …

After installing:

1. Go to Settings → Privacy & Security
2. Tap a category (e.g. Location, Photos, Microphone)
3. Select the app
4. Choose access level:
   • Never
   • Ask Next Time
   • While Using
   • Always (for location)

Review these permission carefully. Anticipates which features need it. If there is too much permissions comparing to expected features, it is a red flag.

Here’s a practical mapping of common Android & iOS permissions you’ll see on the Google Play Store, AppStore and the features that legitimately use them. This helps you judge whether a request makes sense.

Android Permissions & Legit Features use them

Permission	Legit Features	Suspicious If …
Read Contact, Write Contact	Messaging apps (find friends) Contact backup/sync Invite friends feature	Suspicious if a simple game or flashlight asks for this
Read Call Log, Read Phone State	Caller ID / spam detection apps Dialer & call management	Suspicious if: unrelated apps request call history
Read SMS, Send SMS	Messaging apps OTP auto-fill	High Risk: can intercept verification codes Recommend: NEVER download
Access Fine Location, Access Coarse Location	Maps & navigation Ride-hailing / delivery Weather apps (local forecast)	Suspicious if: calculator or offline app asks for precise location
Read External Storage, Media Access	Upload photos (social media) File managers Image/video editing apps	Suspicious if: app doesn’t handle files but asks access
Record Audio	Voice messages / calls Recording apps Voice assistants	Suspicious if: no voice feature exists
Camera	Taking photos/videos QR/barcode scanning Video calls	Suspicious if: app has no visual capture feature
Notification access	Notification managers Smart reply apps	High risk: these app can read OTPs and messages, Recommend: NEVER download
Accessibility Service	Screen readers (for visually impaired) Automation tools	High Risk: these app can control screen, read inputs, commonly abused in scams Recommend: NEVER download

iOS Permissions & Legit Features use them

Permission	iOS Permission Name / Key	Common Legit Features	Suspicious If…
Contacts	Contacts (NSContactsUsageDescription)	Messaging, contact sync, invite friends	Game or simple app requests it
Location (GPS)	Location (NSLocationWhenInUse / Always)	Maps, ride-hailing, delivery, weather	App doesn’t need location
Photos / Media	Photos (NSPhotoLibraryUsageDescription)	Upload images, editing apps	App doesn’t use images/files
Camera	Camera (NSCameraUsageDescription)	Photos, video calls, QR scanning	No camera-related feature
Microphone	Microphone (NSMicrophoneUsageDescription)	Voice calls, recording, voice input	No audio-related feature
Bluetooth	Bluetooth (NSBluetoothAlwaysUsageDescription)	IoT devices, wearables, accessories	App has no hardware/device interaction
Notifications	Notifications (UNUserNotificationCenter)	Alerts, messages, reminders	Spammy or excessive notifications
Tracking	App Tracking Transparency (ATT)	Ads personalization, analytics	App unrelated to ads asks for tracking
Local Network	Local Network (NSLocalNetworkUsageDescription)	Smart home, device discovery	No local device interaction
Motion / Fitness	Motion (NSMotionUsageDescription)	Fitness apps, step tracking	App unrelated to activity tracking

Simple rule to evaluate permissions

When you are considering to install a new mobile application:

• Anticipate what functions that app may have,
• Check the Permissions that app requires
• Then ask yourself: “Does this feature really need this permission?”

If there are permissions that is not aligned with expected functions:

1. Then slow down, don’t rush to install for whatever reason.
2. Find alternative applications, compare Permissions among them.
3. If you not sure but want to check the app, use Emulators to test it first. Emulators is virtual smart phones and can be created via tools such as Genymotion, VirtualBox and a few others. Emulators is isolated environment and do not contain your data.
4. If you know any experts in cybersecurity field, ask them for advise.

3. Double check on app activities

Welcome to the level 3 of malice: Zero Day Exploitation

Thanks to strictly review process of AppStore and PlayStore, most of malicious mobile app is banned. But optimism is not a recommended character in cybersecurity field. Zero Day is vulnerabilities that is unknown by public, even among experts, and in fact, they are weaponized by many governments as a national strength.

Android & iOS itself is softwares. Softwares might have bugs and security holes. These vulnerabilities is actively hunted by experts in cybersecurity industry and sponsored by governments. Once a Zero Day is discovered, it becomes a secret weapon for cybercriminal groups to attack or infiltrate system on over the world. Mobile app is not immune. If there is some vulnerabilities in operating systems, here is Android or iOS, then it will be the target for level 3 of malice.

Although it is rare, but it still a case for us – regular users – to keep an eye on. After install an application from Google Play Store, or AppStore, pay attention on device performance:

• whether it get slower,
• or hotter,
• or get lagged
• or any abnormal behaviors.

Vulnerabilities has many forms, it is hard to explain on a single post here but many of its form create a lot workload on device, as a try to exploiting, so it may make the phone slower, hotter, or lagged.

Example: a well-known Spyware

One of the most well-known cases of this level 3 of malice involves commercial spyware: Pegasus, developed by NSO Group. This spyware has successfully stolen sensitive data on user’s phone often without any visible permission prompts. The trick flow is like so:

1. NSO Group Deliver Pegasus via app or link. Target users receives a message that trick them to install the app. The app looks absolutely normal since it require minimal permissions.
2. Once installed, Hidden zero-day exploit triggers. The app, or content inside it, exploits an unknown vulnerability in Android.
3. Privilege escalation: The exploit gains deeper system access than normal apps should have and bypasses Android’s sandbox protections.
4. Silent data access: then NSO Group can access Messages, Camera / microphone, Location without user’s awareness

This attacks are extremely expensive and used for targeted surveillance, not mass scams. Once the exploit method is discovered, it can be quickly patched by developers behind Android & iOS system. But the problem is it really hard to discover.

There isn’t just one single CVE for Pegasus. It has used multiple zero-day vulnerabilities over time, often chaining several together. Here are some of the most well-known ones:

Notable CVEs linked to Pegasus campaigns

1. FORCEDENTRY exploit chain (2021)

• CVE-2021-30860
• Affected: iOS (Apple devices)
• Type: CoreGraphics / PDF parsing vulnerability

What it did:

• Delivered via iMessage (no user interaction needed)
• Exploited how the system processed malicious image/PDF data
• Led to full device compromise

👉 This was one of the most advanced zero-click exploits ever discovered

2. WhatsApp exploit (2019)

• CVE-2019-3568
• Affected: WhatsApp on Android & iOS
• Type: buffer overflow in VoIP call handling

What it did:

• Attacker placed a WhatsApp call
• Even if you didn’t answer → exploit could trigger
• Installed spyware silently

3. Chrome sandbox escape (used in chains)

• CVE-2020-6418
• Affected: Google Chrome (Android)

What it did:

• Used as part of a chain to escape browser sandbox
• Combined with other bugs to gain deeper access

4. KISMET (suspected chain, 2020)

• No single confirmed CVE publicly disclosed
• Targeted iMessage (iOS 13)

What it did:

• Zero-click exploit (no interaction)
• Predecessor to FORCEDENTRY

To understand more about these CVE in the future, please subscribe so when the-tech-lead.com post any, you will be informed. Each of CVE deserves a long post itself.

---