Real-money gaming apps – are brands gambling with more than they thought?
By Ben Harknett, VP EMEA, RiskIQ
The mobile gambling industry is booming and so are the cybersecurity risks its consumers face. The annual expenditure on mobile gambling is expected to reach $62 billion globally by 2018, and with people now spending more time using mobile apps than browsers, it has become the most popular platform for real-money gaming. Yet alongside this growing consumer base comes an insidious and incisive wave of criminality, ready to capitalise on weak links within the industry.
Earlier this year at RiskIQ we conducted research into the mobile app ecosystem across five sectors in the UK. The research revealed that the UK gambling industry has the most widespread and endemic problem of modified/copycat apps, instances of malware and redirects to known bad sites of all sectors researched.
The potential impact for consumers ranges from a poor-quality brand experience through to malware infection and data theft. Each eventuality for the consumer also reflects badly on the business, posing a threat to brand name and revenue: despite a lack of malicious intent by the organisation, the association alone is highly damaging.
Deception
Criminals are using various techniques to trick consumers into believing that they are using a legitimate application. Brand impersonation in the app and on the store, placement in stores which are unlikely to contain the legitimate app, and search engine manipulation strategies which place the illegitimate app near the top of the results list are all methods of stealing traffic away from legitimate brands. Modified or “wrapped” apps may provide such a genuine user experience that the consumer is unaware of the added malware.
Our research revealed that the top UK real-money gaming firms had an average of 2,300 blacklisted applications each, with one organisation having 10,303 blacklisted apps associated with its brand alone. Blacklisting occurs when an app fails a virus scan by one or more of the major antivirus vendors or if it links to a URL or IP address that is a known source of malware. These blacklisted apps are capable of anything from using devices to generate revenue through click fraud to monitoring users' movements by accessing geo-location services and replicating data.
We also found instances of affiliate fraud, where a blacklisted app loaded the legitimate mobile web site with an affiliate cookie, allowing the perpetrator to receive a percentage of revenue for that account.
Distribution
This malicious mobile epidemic is more prevalent here than in other industries, in part because real-money gaming apps face restrictions that other categories of mobile apps are not bound by. They are not permitted on the Google Play app store and can only be found on Apple iTunes stores in regions where online gaming is permitted, such as the UK. Distribution limitations also extend to third-party stores, as many ban real-money gaming apps; Amazon is one notable example.
Consequently, a market of specialist real-money gaming app stores has emerged alongside a variety of secondary app stores, some above board and others a hotbed for illegitimate applications embedded with malware. Capitalising on this distribution ecosystem, the criminal element has been quick to seize upon the opportunity to siphon off consumers as they search for new games.
In our research we also found that on average there are 12,000 instances of applications referencing a single brand across the mobile ecosystem for each gambling company researched. These apps were spread across an average of 54 of the top 150 app stores we regularly track. Apps for one organisation in particular were found in 86 different app stores.
Consequences
Mobile gambling organisations need to be more aware of how their brand name is being marred by malicious applications and of how they can protect themselves and their customers. Consumers will hold the brand accountable for any malicious activity, regardless of the brand’s level of direct responsibility, and any negative effect upon the consumer is damaging to the brand. Thorough and frequent monitoring of the app store ecosystem is requisite for protecting both the brand and a loyal and growing customer base.