Fake FaceApp Challenge Apps Are Installing Malware. Here's What You Need To Know

This article is more than 4 years old.


While the debate rages as to the privacy implications of taking part in the viral FaceApp Challenge, security researchers have now issued warnings about fake FaceApp Challenge apps spotted in the wild and installing malware.

FaceApp itself is nothing new; it first went viral back in 2017, but this latest FaceApp Challenge has taken the internet by storm. As reported by Thomas Brewster here at Forbes, much debate has been had concerning the privacy implications of using the app. "One tweet set off a minor internet panic this week," Brewster writes, "when a developer warned that the app could be taking all the photos from your phone and uploading them to its servers without any obvious permission from the user."

The privacy debate will likely run and run. However, there is no doubting the privacy, data and security risk being posed by a FaceApp fake that has been spotted in the wild by researchers at Kaspersky. The challenge for those unfortunate enough to install this app, which tricks users into thinking it is a certified version of FaceApp, is not getting infected by malware. That could prove much harder than dealing with what you might look like in a few years.

Fake FaceApp Challenge app installs malware

"Kaspersky has identified a fake application that is designed to trick users into thinking it is a certified version of FaceApp," Igor Golovin, a security researcher at Kaspersky, warned, "but goes on to infect devices with an adware module called MobiDash."

The first detections of the FaceApp fake were a week ago but, according to Kaspersky data, there have been 500 unique users infected within the last 48 hours. "Once the application is downloaded from unofficial sources and installed," Golovin continues, "it simulates a failure and is subsequently removed. After that, a malicious module in the application rests discreetly on the user's device, displaying adverts."

Because the threat actors behind MobiDash often hide their malware behind the illusion of popular applications, and they don't come much more so than the FaceApp Challenge right now, Golovin warned that "the activities of the fake version of FaceApp could intensify, especially if we are talking about hundreds of targets in just a few days."

Beware FaceApp Challenge fakes in official stores

The usual advice, of not downloading applications from unofficial sources, applies. However, a quick search of the Google Play store reveals dozens of apps that are associated in some way or other with the FaceApp Challenge. Tom Lysemose Hansen, CTO at Promon, has commented that "users must be aware in the coming weeks, plenty of malicious copycats, which masquerade as the original FaceApp, will be available to download for free on App Store and Google Play."

Promon has found that FaceApp lacks protection against what it calls "repackaging attacks" where a cybercriminal adds malicious functionality to a legitimate app and then re-distributes it through the app stores. "We have seen this previously with apps pretending to be Pokémon Go," Hansen explained, "forcing users to restart their phones. On reboot, they click on adverts and even porn websites."

Hansen advised users to be vigilant and to search the name of the app developer online to check credentials before installing anything.

Malicious FaceApp Challenge websites also discovered

If all that wasn't bad enough, researchers at ESET have also uncovered an active FaceApp Challenge scam. Lukas Stefanko, an ESET malware researcher, has posted a warning about a website that claims to offer a premium version of FaceApp. "In reality," Stefanko explained, "the scammers trick their victims into clicking through countless offers for installing other paid apps and subscriptions, ads, surveys and so on." The victim will also receive requests from other websites to allow the display of notifications which, in turn, lead to more fraudulent offers.

ESET advises that people keep calm amid the FaceApp Challenge viral frenzy and "remember to stick with basic security principles." In addition to not downloading from unofficial sources, ESET recommends checking the developer, ratings and reviews before downloading any app. "As insurance in cases where the user falls victim to a scam," Stefanko concluded, "having a reputable security app installed on a mobile device can help prevent some negative consequences."
