'Malicious files can silently sit in your phone and relay data to hackers without your knowledge.'
'They can also be apps that capture all your keystrokes.''So, when you log into your bank app and enter the password, the app records it and send it to the hacker.'
Experts tell Tinesh Bhasin the pitfalls of having technology at your finger tips.
Illustration: Uttam Ghosh/Rediff.com
With digitisation becoming the buzzword in financial transactions, individuals need to be more careful while dealing with apps.
Recently, audit and consultancy firm PwC India, while assisting the Unique Identification Authority of India with security, came across unauthorised Aadhaar apps that seek user sensitive information which can be misused.
There are many unauthorised apps of Employee Provident Fund Organisation and Unified Payment Interface that pose serious threat to your finances because they can sell your details to hackers or even worse, can use the information to swindle you.
"An individual needs to guard even basic information such as date of birth in the digital world. As most companies put the required security infrastructure in place, hackers target individuals and trick them into revealing information," says Sivarama Krishnan, partner and leader-cybersecurity, PwC India.
The Unique Identification Authority of India has employed PwC to carry out reviews and audits of Aadhaar's infrastructure for any security hazard.
If a person searches for Aadhaar in the Google Play Store, he can find many apps that offer linking of Aadhaar to various services, including his mobile number which until recently required a visit at a retailer or a company store.
And it is really difficult to differentiate between an unauthorised and an authorised app.
"As the penetration of mobile and the Internet grows so does the cybercrime threat. Hackers and scammers are always one step ahead of security agencies," says Mukul Shrivastava, partner, fraud investigation and dispute services at EY India.
Unofficial channels have the highest risk
The chances of a malicious app getting into in an individual's phone is higher if s/he downloads pirated songs, movies or games from the Internet.
Usually, many customers take this route as they don't want to pay money by downloading such files through the official channels. But you never know what the files may contain.
It may appear to be the intended song or movie or app but a malicious code could be packed along with it.
Such malicious files can silently sit in your phone and relay data to hackers without your knowledge. They can also be apps that capture all your keystrokes.
So, when you are logging into your bank app and enter the password, the app will record it and send it to the hacker.
A person must, therefore, avoid downloading files from unofficial channels.
When an individual visits such sites, many times, they are tricked or forced to click a link to start the download.
Close the Web site if a new window pops up or the link takes you to another page. Best is to opt for paid services instead of looking for a pirated alternative.
Even official channels aren't risk free
There have been cases of malicious apps found in official stores of Google as well as Apple.
"Both the companies periodically upgrade the developer policies and app store guidelines to ensure that things are control. But malicious software can still find its way on these. The instances can be slightly higher in case of Google Play Store than Apple as the Android operating system is more open," says Srinivas Nidugondi, senior VP and head of mobile financial solutions, Mahindra Comviva.
Malicious apps may not necessarily contain codes that would harm the phone. They can also take input from users, like unofficial financial apps, and relay it to the publisher of the software.
Last month Google pulled down UC Browser, the Alibaba Group-owned mobile web browser, from its Play Store saying it violates the Play Store policies.
Recently, Indian intelligence agencies said that over 40 popular Chinese apps, including UC Browser, have the potential to carry out a cyber-attack against the country.
Precautions to keep you safe
When downloading an app, look at the publisher. Many times, an unofficial app's interface may be designed to look just like the official one.
An individual must, therefore, check who does the app belongs to. The name of the publisher, link to its Web site and the email address are available in the official stores.
Download only if the app belongs to the official service provider. Also, read the reviews of the apps and see if users are mentioning any particular issue with it.
It's not just unofficial websites that can install harmful software in your phone. Even clicking on a link sent to you on messenger, social networks or email can trigger a download of a file.
Nidugondi says sometimes malicious apps are bundled with photos or GIFs and one must, therefore, avoid downloading these from unknown senders.
As companies release newer operating systems, they stop supporting the old ones.
An individual must, therefore, change phones at least after three years, once the manufacturer stops sending the updates.
"All apps and software have vulnerabilities. Companies, therefore, keep updating them regularly. It's in the users' best interest that they have the latest apps and operating systems. Be as close as possible to newer technologies," says Shrivastava of EY.
While there's little you can do if your official apps have securities vulnerabilities, it would be beneficial if you avoid downloading the first version of the apps from your service provider.
Last but not the least, go for updated editions. In March this year, Bank of Maharashtra lost Rs 25 crore (Rs 250 million) as frauds exploited a bug in its UPI application and core banking software.
When installing an app, look at all the access you are giving it. It would ask for permissions to various phone's functions during installation.
Avoid installing apps that ask for unnecessary permissions.
For example, many apps that convert your phone flash to a flashlight, seek permission to access your camera, contacts, location, and so on.
Avoid such apps that ask for access to a phone's functions which is of no use to it.
