Intro
While I was working at a health tech start-up, I had an unusual dialogue with our mobile apps support manager.
Support: Why are we randomly showing users an advertisement?
Me: Sorry? We don’t show anything like that.
Support: A user who installed the app a few days ago said they saw an advertisement.
Me: That’s strange. Can you ask which version they’re using and where they downloaded it? Is it from the official store?
This chat worried me. I explained the situation to the manager and asked for some time for investigation. Later, I received a message: “The user said that the app was installed from a store and the app has our app ID”. There was a short video showing a user opening our app with our splash screen, followed by an advertisement for some game… 8 seconds in total.
Demystifying the Problem
The problem had transformed into a kind of mystery. The fact that the user installed the app from the store and got an advertisement bothered us. I can’t remember who exactly proposed the idea, but someone reminded us about an alternative store. We checked one. We checked another one. And we got an answer from the user, saying he downloaded the app from a third one.
Someone had copied our Play Store page. Everything was set up with fake accounts and emails that were difficult to trace. When I began reverse engineering it, I discovered it was a web-view wrapper. The fake app loaded our adaptive website and copied our splash screen and app ID.
So I had spent time researching our internals and dependencies and checking forums, which was somewhat useless. Or not: at least we confirmed that our original app was functioning correctly.
If I had clarified which “store” the user meant, we could have saved a lot of time and effort.
Asking the right question at the right time is an amazing skill.
We knew the problem. What’s next?
We contacted the app store, I found the advertisement provider, and we contacted them too. But the problem was that we didn’t get any answers for a long period of time. And when we did, it was “Sorry, but we don’t see any problem from our side. If you disagree, you should go to court.” So you have the following options:
- Hire a really good lawyer and take action: costs are high and it requires a lot of time.
- Try to reach an agreement with the alt-store account holder. But from my point of view, that’s not the best way.
- Do nothing about the clone and notify users about the right place to download and install your app.
If possible, review your user agreement and highlight official distribution channels for your apps. However, it’s better to consult with a lawyer because this area is regulated differently in various countries.
Please note that this information is not legal advice, and the actual legal implications can vary depending on jurisdiction and specific circumstances.
App store regulations are complex and relatively new in terms of law. And it’s not always clear, even when you work with Google Play. In the case of a less popular app store, it will be even more complicated. There are also many different jurisdictions to consider as well.
We were defrauded in a pretty simple way; there are much more complex ways of attacking, and there is a relatively fresh post with some statistics by The Cyber Express.
Is that all we can do?
There are a few ideas:
- Reserve your app ID in alt stores, so no one can upload a fraudulent app there with the same ID, and it helps to guide your users. You never know how your business might grow or which app stores might become prominent. This is especially important now, given the various sanctions, bans, and other restrictions in place.
- Monitoring. At least it helps you react as soon as you find out about a problem and minimize potential damage. A kind of script that checks different stores for your app ID, or parses the HTML page with search results; it can be run on CI/CD and notify you. Or maybe some kind of security service would be a great idea.
- If someone distributes the same app through a different channel (for whatever reason), the Google Play Integrity API can help you in some cases, especially if you work only with Google Play.
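The monitoring idea above, as an added example that is not code from the original post: a small Python script that parses a store’s search-result HTML for listings claiming our package ID and flags any store host we never published to. The package ID, the official-store set, the store host name and the sample page are constructed placeholders; a real run would fetch each store’s search page in CI and feed it to `find_listings`.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

PACKAGE_ID = "com.example.healthapp"      # placeholder, not the real app's ID
OFFICIAL_STORES = {"play.google.com"}     # hosts where we publish ourselves
PKG_RE = re.compile(r"^[A-Za-z]\w*(\.[A-Za-z]\w*)+$")  # Android package-name shape

class LinkCollector(HTMLParser):
    """Collect every href from a store's search-result page."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

def package_id_from_url(url):
    """Extract a package ID from a listing URL: Play-style '?id=com.foo.bar'
    or path-style '/app/com.foo.bar' (assumed layouts); None if neither."""
    parsed = urlparse(url)
    ids = parse_qs(parsed.query).get("id")
    if ids:
        return ids[0]
    for segment in reversed(parsed.path.split("/")):
        if PKG_RE.match(segment):
            return segment
    return None

def find_listings(html, store_host, package_id):
    """Return sorted (host, url) pairs on this store that claim our package ID."""
    collector = LinkCollector()
    collector.feed(html)
    hits = set()
    for href in collector.hrefs:
        if package_id_from_url(href) == package_id:
            hits.add((urlparse(href).netloc or store_host, href))
    return sorted(hits)

def unexpected_listings(hits):
    """Listings on hosts we never published to: these are the clone candidates."""
    return [h for h in hits if h[0] not in OFFICIAL_STORES]

# Constructed search-result page standing in for a fetched alt-store page.
SAMPLE_PAGE = """<html><body>
<a href="https://play.google.com/store/apps/details?id=com.example.healthapp">Official</a>
<a href="/app/com.example.healthapp">HealthApp (now with ads)</a>
<a href="/app/com.other.game">Some game</a>
<a href="https://play.google.com/store/apps/details?id=com.example.healthapp.lite">Lite</a>
</body></html>"""

if __name__ == "__main__":
    clones = unexpected_listings(find_listings(SAMPLE_PAGE, "alt-store.example", PACKAGE_ID))
    for host, url in clones:  # in CI, a non-empty list fails the job and triggers a notification
        print(f"ALERT: {PACKAGE_ID} listed on {host}: {url}")
    raise SystemExit(1 if clones else 0)
```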
If you know of an alternative solution or have had a similar experience, please let me know.