What’s the Fastest Way to 10 Million Malware Installations?

October 31, 2016
Duane Kuroda

If you had asked me that question last month, I would have said a cybercriminal needed to launch extensive email campaigns with tens of millions of messages each day and in a few months they might hit 10 million malware installations. It turns out that I was too conservative—people are more than willing to download and install malware themselves. All you need to do is tap into consumer demand and let human nature do the rest.

This month, National Cyber Security Awareness Month has highlighted how cybersecurity is being built into advanced technology and the current opportunities for individuals to operate securely in our digital society. For many Americans, that includes their mobile devices. Our research into more than 25 million free/paid apps conclusively shows that cyber attackers are piggybacking on popular mobile apps to go after new targets with mobile malware.

Case in point: the Pokémon GO craze and its region-by-region rollout. The game publisher launched the wildly popular game in just a few regions through official app stores. Fans outside those regions could only wait in restless anticipation as they read accounts of the game’s popularity elsewhere. Worse yet, even users in the supported regions had trouble getting activated or suffered server lag as fans overloaded the game’s servers.

These issues resulted in significant demand for the free Pokémon GO app. Cyber criminals noticed. They promptly created malware-laden versions of the game, let them loose on the internet and rogue app stores, and let Google and hungry users do the rest.

Caption: Nearly 3 million results related to Pokémon GO APK (download file) appear online; the top 3 results detail how to sideload the app outside official app stores.

Proofpoint Mobile Defense discovered the Pokémon GO malware apps soon after introduction. But human nature being what it is, people ignored the warnings and downloaded the malware more than 10 million times. That’s more than 10 million downloads of an app that comes with a free side of malware (DroidJack, in this case). Human nature trumped warnings all over the press, warnings from the device manufacturers, and even users’ own common sense. People willingly and freely downloaded the app, clicked “accept,” and infected themselves.

Cyber criminals have also exploited the broader Pokémon GO ecosystem, where players download player guides, power-ups, and more to gain an advantage in the game. The fact remains that humans are exploitable and are often a weak link when it comes to cybersecurity.

For National Cyber Security Awareness Month, our advice is to remain vigilant regarding mobile app security. Consumers can click here for seven ways to determine if an app is malicious. For organizations, if you can’t be sure your employees will be cautious, consider using solutions such as Proofpoint Mobile Defense to identify and stop cyber criminals from accessing your personal and corporate assets.