Ad scammers are impersonating the Indian mobile network operator Jio, which has roughly 314 million subscribers, to trick Android users into downloading apps that are nothing more than malicious software, according to research published this week.
Researchers from Symantec discovered 152 Android apps that promise to provide downloaders with free data boosts, but in fact flood device screens with advertisements in order to make a buck, the security vendor said in a blog post Wednesday. The programs appear with names like My Jio 4G and My Jio Offers, or other variations on the legitimate MyJio app. The malicious apps have been downloaded more than 39,000 times since January.
The discovery reaffirms how insecure Android apps can leverage users’ phones in ways they never intended. The issue is especially pervasive in developing countries like India, where analysts have predicted that 829 million people will connect to the internet via smartphone by 2022. Many of those people will be on Android devices, where malicious apps have a long history of slipping past security defenses.
“These 152 [apps] were developed under 21 different package names, all of which claim to offer a free daily data allowance of 25GB or 125GB for a period of time ranging from just one day to one year,” the Symantec researchers explained. “However, users who download these malicious apps will not receive any free data boosts; instead their devices will be used to generate advertising revenue for the developers of the apps.”
Users tricked into downloading the apps will be asked to enter their phone number. Then the app shows a dummy loading spinner meant to fool the victim into believing something is happening, even though Symantec’s analysis found no outgoing connections are underway. At one point, depending on the app, it either asks the user to send a link to the program to their contacts, so they can enjoy the same “perks,” or does that without their permission.
Eventually, some versions of the fake Jio apps call up as many as 16 ads at once. In another version, users are thrown into an endless loop of advertisements.
Findings like this help explain why mobile fraud via rogue applications skyrocketed by more than 300 percent in the first few months of 2019. The idea is simple: As more users access the internet through a mobile device, scammers are following them.
But the techniques are evolving faster than victims can come to grips with the shift. Fraud incidents numbered 41,313 in the first quarter of this year, up from 10,390 events in the fourth quarter of 2018. Twenty-nine percent of those incidents were phishing, while trojan horses caused 12 percent and brand abuse was responsible for 9 percent. Phishing, the traditional hacking technique, is the slowest to grow.