Safeguarding The Unsuspecting User: App Stores Taken Over By Fraudulent Apps

Authors: Rohit Kumar & Shivani Gupta
Published: August 20, 2021 in the Business World

The Delhi Police recently busted a nationwide syndicate that used fraudulent apps to cheat over 5 lakh Indians of Rs. 150 crore. Some estimates suggest that this amount was upwards of Rs. 300 crore. As the story unfolded across the country, it was found that one of the apps involved in this scam was trending at #4 on the Play Store. It is surprising how such an app managed to trend on the Play Store, let alone get through the vetting process.

Instances of online fraud have rapidly increased over the last couple of years in India as more users have started using web-based services. Many fraudulent apps lure users by offering benefits in the form of some reward or payout. In the Delhi Police case, for instance, users were promised an opportunity to double their invested amount within 4-5 weeks. There are also many known cases of fake predatory dating apps that use misleading advertisements, impersonation and chatbots to entice customers to purchase subscriptions. Investigations by journalists suggest that app-makers often manage reviewers to increase their app ratings and improve visibility on app stores.

Not surprisingly, this menace is not specific to India alone, or to only one kind of app store. According to an analysis by the Washington Post, of the 1,000 highest-grossing apps on the Apple App Store, nearly 2% are scams. In fact, app developers in the US have been fighting a public battle against the tech giant for allowing applications that clone popular apps. In the Indian context of course, Apple’s market share in terms of app downloads is small. It is the Google Play Store that accounts for 90% of all app downloads on Android smartphones that dominate the Indian market.

Google’s policy explicitly states that it does not ‘allow apps or app content that undermine user trust in the Google Play ecosystem.’ This includes apps that reflect ‘a pattern of harmful behavior or high risk of abuse’. The policy recognizes that one of the best ways to protect users from bad apps is to keep those apps out of the Play Store in the first place. In fact, there are several checks carried out by the Play Store before listing an app. These include (but are not limited to) checking the app’s privacy policy (to protect user information), content rating and ads for age appropriateness. Despite their thoroughness, however, these checks still do not succeed in keeping all fraudulent apps off the Play Store. At the listing stage, the Play Store review team has little visibility into how an app is going to be used. Users are yet to be onboarded and there is no way to check if an app is going to use bots, onboard paid-pretend users or encourage fraudulent activities in the future.

Google also announced an App Defense Alliance in 2019 to quickly find Potentially Harmful Applications (PHAs) before they go live on the Play Store and take appropriate action for user protection. The Alliance is a collaboration between Google and other technology partners in the business of mobile device protection who use automated scanning and secure communication to alert each other about PHAs. The success metrics of this alliance have not been officially reported yet, but Google’s Transparency Report shows that the percentage of PHA installs has come down in the time since the alliance has been in operation. But while this initiative is effective in some way, it is still unable to identify and remove apps that use impersonation, make false promises or employ fabricated reviews to get attention. At this time, the App Defense Alliance only targets apps that are potential malware i.e. code that could put a user or a device at risk.

The presence of fraudulent apps on app stores poses a grave threat to the burgeoning smartphone user community, especially in India where understanding of digital safety is still relatively limited. But removing such apps is not an easy problem to solve. When India blocked numerous Chinese apps over military confrontations along the international border in 2020, many apps that ended up getting banned were harmful fraudulent apps. However, a quick search on the Play Store reveals that several of these apps managed to find their way back in new avatars. Low entry costs and difficulty in scanning the vast online space with millions of apps in each app store make it easy for such apps to resurface. In most cases, it is also difficult to hold app-makers accountable because they are not based in India.

Given the complexity of keeping fraudulent apps off the internet, there are two potential ways in which the problem can be addressed: first, by strengthening due diligence by app distributors, i.e. the app stores, and second, by building consumer awareness. While app stores do undertake checks prior to and post listing of apps, there is a case for all app stores to significantly ramp up their monitoring and grievance redressal mechanisms. The need of the hour is proactive detection and quick removal of bad actors to protect users. Apple, through its recently updated App Store review guidelines, plans to leverage its watchful developer community to support this task. Developers can now directly report possible guideline violations and trust/safety issues that they detect in other apps. The second important way of addressing the challenge may be consumer awareness. While it is time-consuming and difficult to build awareness, ultimately if the consumer is equipped to identify fraud, they are likely to be better placed to safeguard their own interests. This shall over time also serve to weaken, if not eliminate, the operations of fraudulent apps.

As the number of internet users continues to grow in India and more of our services shift to the digital sphere, it is critical for us to create a safe and enabling digital ecosystem. In the absence of an active policy to mitigate the risk posed by fraudulent apps, online harms await the unsuspecting user.