Android App Analysis Uncovers Seasonal Shopping Risk

Researchers scanned 4,200 Android apps and found many exhibit malicious behavior or have a dangerous level of permissions.

Be careful what you download: A recent analysis of 4,200 Android applications reveals how attackers leverage mobile apps to defraud users, especially during the holiday shopping season.
Barracuda Networks researchers analyzed more than 4,200 holiday-related Android apps, such as shopping apps, themed games, and Santa video chats. Seven exhibited malicious behavior, such as replacing the app with a version downloaded from the Internet via a C2 server. Thirty-five contained adware, while 165 had excessive or dangerous combination of permissions.
Senior security researcher Jonathan Tanner says he was surprised by the nature of some holiday apps. When searching for Black Friday and Cyber Monday apps, researchers saw many described as aggregate shopping apps where users can browse a variety of retail websites.
I would presume that for some of these sites … the app would require you to enter your account credentials for the specific site, so users would be offering all of their various shopping credentials to a single app that undoubtedly has far less security around protecting this data than the actual shopping sites, says Tanner of the potential risk. Even if the apps are safe from a malware perspective, there is a risk of credentials leaking from a number of sites in one app.
Many of the apps laced with adware seemed to be related to DIY gift projects, which Tanner notes is surprising given the range of apps downloaded. On the surface, many – like those advertising coupons and deals – seem more likely to leverage suspicious ad networks.
Tanner warned of apps requesting more permissions than they need, a risk that merits close attention from users. At least half of the apps that required dangerous permissions asked for access to the phone, camera, microphone, location, and text messages. The only apps that should access the phone or texts are apps that specifically work with these features, such as robocalling, he notes. The camera and microphone have more legitimate use cases, but based on the types of apps researchers scanned, very few should have needed either, he points out.
There isnt a direct line between benign permissions and dangerous ones as they are dependent on what the app is supposed to do compared to how much risk they introduce, Tanner says. A shopping app designed to scan barcodes will need access to the camera, for example, so granting permission is appropriate but not guaranteed to be safe. A quarter of apps analyzed could read contacts, which is suspicious if it doesnt support collaboration or sharing.
The mobile-first market is growing rapidly, and the majority of users still havent made the connection that theyre carrying a computer in their pocket – one which has the same risks as any computer, Tanner says. Raising awareness that the same precautions are necessary is key.
The main behavior attackers take advantage of during the holidays is users letting their guards down, he says. Users looking for holiday sales in their email may not think twice when a deal seems too good to be true or let their guard down when scrutinizing mobile apps they install. In stores, many dont consider point-of-sale devices they share their credit cards with.
Mobile phone owners should be careful to check the reputation of every app they download,
researchers advise
: Look for user reviews, be aware of permissions granted, and consider whether theyre necessary. A shopping or gifting app shouldnt require the ability to write text messages, for example.
Users should also enable parental controls to prevent app installs by children, be careful to check the senders of suspicious messages before clicking them, and shop directly from retail websites rather than using aggregate shopping apps.
Related Content:
Cyberattacks on Retailers Could Increase 20% this Holiday Season
Whats in a Botnet? Researchers Spy on Geost Operators
StrandHogg Vulnerability Affects All Versions of Android
7 Ways to Hang Up on Voice Fraud
New Free Emulator Challenges Apples Control of iOS
Check out
The Edge
, Dark Readings new section for features, threat data, and in-depth perspectives. Todays top story:
The Next Security Silicon Valley: Coming to a City Near You?

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Android App Analysis Uncovers Seasonal Shopping Risk