Roskachestvo tested some New Year’s Eve holiday cheer apps

On the eve of New Year holidays thematic applications to create a New Year mood are gaining popularity. The closer the cherished date of New Year, the more applications with entertainment character have downloads. Experts test found that downloading them can be insecure. Specialists at Roskatchestvo’s Center for Digital Expertise tell us what they found.

NEW YEAR – TIME OF CYBER ATTACKS

The pandemic has been one of the reasons for the record rise in cybercrime of all kinds, from thematic phishing to direct cyber attacks on websites and users. According to statistics from the Interior Ministry1, the number of cybercrimes in the American Federation alone almost doubled in 2020. Downloading applications through online stores even official ones remains one of the channels for viruses to reach phones. According to a study by NortonLifeLock and IMDEA Software Institute2 on 12 million Android smartphones about 67.5% of detected malicious apps were taken by victims directly from Google Play Market, and only 10% – from other app stores. This suggests that in official app stores, despite their apparent safety, it is easy to download a fraudulent product.

Ilya Loevsky, deputy head of Roskachevo.

“Particular bursts of activity by cybercriminals are usually associated with information and especially calendar occasions. Users should be twice as careful on New Year’s Eve, especially when downloading unfamiliar apps. Applications that appear before the New Year quickly disappear. And there are a huge number of them. It’s hard for a user to know which application to trust and which to abstain from downloading

NEW YEAR’S APPS: WHAT THEY WERE LOOKING FOR?

Specialists at Roskatchestvo’s Center for Digital Expertise tested the security of 120 New Year’s apps from Google Play Market, some of which were “lifted from the bottom” of the stores. And even this number is a drop in the ocean, because some developers have dozens of Christmas applications in just one category. Nevertheless, this check helped to identify trends characteristic of this kind of programs, to track fraudulent ones and to make basic rules of digital security for using such applications.

Three main categories of New Year’s mood apps were investigated: New Year’s Eve counters, “photo frames” and apps for making New Year’s videos, and wallpapers such as a Christmas tree and snow falling in the background .

During the examination of the applications we analyzed the accesses that the application requests. Here, several applications-timers at once aroused the suspicion of the experts. For example, New Year Countdown 2019: New Year Countdown Widget, New Year’s Countdown 2020, and Happy New Year Countdown 2021 request full access to the Internet, and at the same time, access to manage and modify files on your hard drive. At the same time, there is no real functionality related to downloading files e.g. photos in these programs. We can only conclude that requesting such access is a potential and probably deliberate vulnerability that dishonest developers can exploit at any time to infect users’ devices or steal their personal and payment data. Better not to risk and do not download.

But that’s not the worst part. The most suspicious was the New Year Countdown timer application, which not only gets full access to the network and the ability to display information on top of all windows which is used to obtrusively display advertising banners , but also openly spies on the user: the application requires access to the exact location, phone status and its identifiers, as well as data about calls. All of these could be used for secret device snooping stalkerware and information theft. Two other apps, Happy New Year Photo Frame 2020 and 2021 New Year Photo Frames, also request caller IDs – these, too, are worth being wary of.

Some apps in the Wallpaper category have proven very suspicious. It is logical to assume that such simple in their functionality applications should ask for permission to install wallpaper and access the hard drive of the device to download pictures at most. However, the applications “New Year’s Wallpaper”, “Christmas wallpaper” and “New Year’s Fireworks Live Wallpaper” also want access to the location – not only via GPS, but also via the network, as well as access to the phone number of the device and full access to control and change information in the phone memory, which is clearly insecure.

AD-FREE NEW YEAR

All of the applications showed a large amount of advertising, which in some cases appeared on every page of the application. In some cases like with the above mentioned New Year Countdown timer app the app gets permission to show content over all windows and after that displays advertising banners constantly and obtrusively, selling your attention and time to advertisers. Such practice is not only bringing inconvenience to the user, but is fraught with random clicks on the banner ads, which can hide anything as developers usually little-known applications are not too picky with the advertising integration and can cooperate, including with the outright scammers .

Specialists also analyzed privacy policies of photo frame apps and programs that create New Year’s videos. Developer Aloha Photo Frame particularly distinguished itself with its Happy New Year Photo Frame 2020 app – in its policy, it points to collecting device identity data, as well as viewing incoming calls and reading text messages. Sounds unpleasant, doesn’t it??

Most of the other policies of photo frame apps are “copy-cat” and note the collection and transfer of static data e.g. device ID to both the development company and third parties.

IF YOU STILL WANT TO DOWNLOAD AN APP THAT CREATES CHRISTMAS CHEER, OBSERVE THE FOLLOWING RULES:

Download applications only from official stores App Store, Google Play Market, Huawei AppGallery . It won’t insure you against malware, but it will reduce the risks. Pay attention to user reviews and app ratings, developer responses. If the reviews are negative, the responses are rare, and ratings are low – you should not download such an application.

Give preference to apps from well-known developers and with a high number of downloads

● Pay attention to the accesses requested by the New Year’s app. Better not take any chances, if you don’t understand why the app needs these permissions, don’t grant them.

If you have an iPhone running iOS 14 and a picture frame app requests access to the photo gallery which is fine in and of itself , only provide access to the photos or videos you intend to process, not the entire media library. At

Android, unfortunately, permissions are still requested and issued for the entire disk storage of the device.

Always use antivirus on your devices, update it regularly and check your downloaded files with it.

Don’t forget to update both the applications themselves and the mobile operating system. Developers are regularly addressing vulnerabilities and improving apps with each update.

These security rules apply to both Google Play and App Store.

In the pursuit of New Year’s cheerfulness, stay vigilant and don’t download the first app you like, even based on the recommendations of your acquaintances. Since this category of applications remains “dark”, if you’re not sure of your digital literacy, it’s better to refrain from downloading these applications altogether.