In the United States, the deadline for self-assessment tax returns is fast approaching, and self-employed individuals will be looking to take advantage of the many tax preparation apps on the market to make the process of tax filing as simple as possible. It should be noted that attacks on taxpayers are a real and widespread problem of tax-related cybercrime.
Cyber scams tend to be closely tied to current events, ensuring they are timely and far-reaching. Apps tend to have a reputation for being very popular. It is nearly always the case that there will be malicious individuals looking to take advantage of its popularity by stealing from unsuspecting users.
End-user education has improved significantly. Users are also becoming aware of the risks. It’s impossible for the general public to be aware of every potential threat. Some users might be more careful when it comes to suspicious hyperlinks, emails, or websites, but they tend to relax their guard when it comes to applications that may be malicious.
These programs masquerade as legitimate apps, but they are designed to steal a user’s personal information in order to facilitate identity theft and money transfer fraud. Many of these fake apps are published on third-party app stores, outside those natively available from the device manufacturer (for example, the Google Play Store for Android or the App Store for iOS). Occasionally, some do make it to these first-party app stores as well.
Playing the stealth game.
When it comes to fake tax applications, for example, the primary technique employed by scammers is sleight of hand. Often, bad actors will reverse engineer legitimate apps, add malicious code to them, and then upload the package to the app store itself. If the attackers or attack groups are good, the app will appear to be the real deal and function in the same way, but it will also function under the radar as a malware launch pad from which to launch broader malware attacks on a phone or computer.
In these fake tax apps, threat actors often use the same official APIs that legitimate tax filing apps use. Partly, this is to make their apps last as long as possible in whichever app store they are in. The malicious apps may help users file their tax returns using APIs and copy sensitive information to criminal databases through privilege escalation mechanisms. Using what appears to be a legitimate app, bad actors could, for instance, process a payment request with the payee details of a criminal organization or threat actor instead of the intended recipient (in this case, the tax authorities).
The malicious activity could also be performed by requesting access to the camera roll and scanning images for documents that contain personally identifiable information (PII), such as a passport or driving license, which can be used to facilitate identity theft. Many of these apps may also log keystrokes: they may request the installation of a custom keyboard that looks just like the system keyboard so that they can harvest private messages, passwords, and even credit card information entered into other apps.
Several vulnerabilities have been discovered in the Android and Apple operating systems in the last five years, which threat actors have exploited to steal information via fake apps. During 2019 and 2020, two major Android flaws – Strandhogg and Strandhogg 2.0 – allowed, among other things, fake apps to masquerade as legitimate ones, which meant attackers could gain access to people’s private information, such as bank accounts, cameras, photos, and messages. A privilege escalation vulnerability is a classic example of how bad actors can use malware to imitate legitimate apps and steal sensitive data.
Attenuating risk
Although Apple and Google need to do a better job of maintaining their respective app stores, users also need to take an active role in reducing the risk associated with their usage. For example, anyone using an app to assist in the tax filing should be careful. Despite the fact that some apps have slipped through Apple’s or Google’s safety net in the past, as a rule, you should download your app directly from Apple or Google’s app store rather than from a third-party store.
Additionally, legitimate app publishers could do more to ensure that their apps are not reverse engineered in any way, tampered with in any way, or republished by criminals. Any app that takes payments at all should have its own integrity controls that ensure the data is protected from tampering. Due to the increased use of in-app protection tools, developers can now mitigate the devastating consequences that cyber attacks on these apps can have by using these tools.
It is always advisable to download apps only from reputable developers and remain cautious in any event. The phrase “trust your gut” comes to mind. Suppose an application asks for more permissions than it actually needs, such as access to the camera, audio recording, keyboard installation, or the ability to download data and change settings. In that case, this should raise red flags, especially if the extra permissions have nothing to do with its perceived functionality.
Furthermore, real apps (or at least the good ones) will offer security features such as multi-factor authentication and/or biometric authentication, if applicable. Tax-related apps should be used cautiously by anyone looking to reduce their tax burden. The good news is that there are plenty of legitimate apps you can use, and the consequences of accidentally using a fake one could be far worse than not being able to file your taxes on time.
