Staying safe in the wild world of third-party app stores

Pokémon Go was the smash hit of the summer, with more than 500 million players using their smartphones to chase Pokémon across seemingly every town in America big enough to have a PokéStop. While the game grabbed headlines and generated big money for its developers, cybercriminals quickly realized that they had a hit on their hands, too.

Within hours of the popular mobile game's release in summer 2016, security researchers found that hackers had posted malware-laden versions of the game on third-party app stores. Such hacked versions of the game allowed attackers to access contacts, make phone calls, record video and audio, and send and view SMS messages on infected devices.

With this kind of access, cyber criminals are able to engage in a wide range of frightening fraudulent behavior. One popular way for crooks to make money from mobile malware is to use compromised devices to rack up fees by sending text messages to premium SMS services and placing calls to 1-900 numbers also controlled by the scammers. This can quickly result in hundreds of dollars in charges being added to consumers' bills.

The malware knock-offs of Pokémon isn't an isolated example. Researchers at security firm ProofPoint analyzed thousands of apps associated with the Rio 2016 Olympics and found more than 4,500 apps that contained malware or other risky code. One such app claimed to offer fans updates about the games, but instead took over social media accounts and surreptitiously sent data to third-party ad networks.

A common factor in many of these mobile malware infections are apps that come from poorly policed third-party app stores. Smartphone owners are likely familiar with major stores like the Apple App Store, Google Play, and the Windows Phone Store. Through these digital distribution platforms, consumers have access to millions of games, movies, music, and other content. Unsurprisingly, consumers are huge users of these stores. Since 2008, consumers have downloaded 130 billion apps from the Apple App Store and 65 billion apps from Google Play.

While the majority of American consumers rely exclusively on the biggest, mainstream stores, there are dozens of others available that try to attract consumers with incentives like free or discounted premium apps, expert recommendations, or country-specific content. Device manufacturers and wireless carriers also offer their own branded stores. And unfortunately, there are numerous shady third-party stores that offer pirated or otherwise unauthorized content. Third-party app stores are especially popular outside of the United States in countries like Russia and China.

While many of these third-party stores are safe for consumers to use and fuel competition that provides consumers with more choices in apps, there is wide variation in how vigorously their operators police the safety and security of the software allowed on their platforms. Because some third-party stores have looser restrictions on what apps can be provided, these stores have become a significant source of mobile malware infections, which increased by 96 percent year-over-year in the first six months of 2016.

Earlier this year, the Federal Trade Commission and Federal Communications Commission opened an investigation into the role that manufacturers and wireless carriers play in keeping our smartphones and other devices safe and secure. The FTC will also host a day-long conference on identity theft this spring. However, the security of the app stores remains an area where more can be done by regulators to protect consumers. For now, given the growing mobile malware threat, there are a few steps consumers can take. First, consumers should make sure their phone operating software is up to date and they are receiving security updates. Second, consumers would be wise to install security software on their devices that can detect and block mobile malware (search "security apps") in the app stores. Third, most consumers should be safe if they stick to app stores that they know and trust and exercise caution when using third-party app stores.