A cybersecurity expert is warning smartphone users to be cautious of downloading fake apps that can potentially give hackers unfettered access to the personal information on your phone.
In September, hackers introduced dozens of malicious apps onto the Google Play store, also known as “doppelgangers” because these fake apps imitated some commonly used real apps. Unsuspecting Android users downloaded the bad apps a total of 4.2 million times, according to Google Play.
ABC News’ Gio Benitez and cybersecurity expert James Lyne set up a demonstration at a coffee shop in Washington, D.C. to show how vulnerable people may be when downloading fake apps. Lyne explained that apps are especially malicious because users “don’t realize that it’s a fake.”
Benitez explained that apps are especially malicious because users “don’t realize that it’s a fake.”
Lyne, who works at the global security firm Sophos, added that many of the bad apps may still seem to work, meaning users may not even be aware that their phone’s security has been compromised.
“If you download a nasty version of Minecraft, for example, you actually seem to get Minecraft,” Lyne said. “And it seems to work, but in the background, the attackers are able to access your information.”
During the demo, Lyne gave Android phones to five volunteers and asked them to use the phones as they normally would.
Unbeknownst to the participants, Lyne had already installed a malicious app, called “Lovely Wallpaper,” on their phones. Through the app, Lyne was able to easily hack into the participants’ phones without them even knowing.
“We could retrieve their text messages,” Lyne said, as he and Benitez remotely viewed some text conversations taking place during the demo.
Lyne added that he was also able to gain access to the phones’ cameras.
“He’s going to have no idea that the camera just activated,” Lyne said during the demo. “There’s a photo of one of our users.”
During the demo, all of the volunteers signed into at least one of their social media accounts on the phones.
Lyne was then able to gain access to all of their passwords.
When Lyne and Benitez revealed that they had been able to read the group’s text messages, steal passwords and even take a photo, the participants were shocked.
“Did you take that of me while I was on my phone?” one volunteer, Jeremy Pinson, asked. “That’s terrifying.”
When one volunteer walked around outside of the coffee shop, Lyne was even able to track his location using his phone.
“I am tracking him now,” Lyne said. “I can see exactly where he is.”
Lyne said that he could even remotely control the text messages sent from one of the phones that he hacked through the app and added that someone does not even have to be using the phone when it is hacked.
“Even when you weren’t using the phone, we still got a picture of you,” Benitez told one volunteer. “The phone was just sitting there on the table looking right up at you.”
Lyne added that through malicious apps your security may be compromised without you even knowing.
“Once a cybercriminal is into your phone, they can access your usernames and passwords and credit cards,” ,” Lyne said, adding that a criminal could even “be able to profit from your device without you knowing.”
A Google spokesperson told ABC News in a statement that they have been tracking the malware, known as ExpensiveWall, that was used in “Lovely Wallpaper” and other apps.
“We have been closely tracking this malware family for months, and continue to take actions, such as removing apps from Play, when we detect its variants,” the spokesperson said. “We are constantly updating Google Play Protect — our safeguard for all Android devices with Google Play — to detect malware like ExpensiveWall and secure our users.”
To protect yourself from hackers, Lyne said that a password for your phone is not enough once the hacker has gained access through a malicious app.
Lyne said to only download apps from trusted developers, and if you believe you have downloaded a malicious app to delete the app, restore your phone to its factory settings and then change all of your passwords.