The practice of sideloading apps has become an overwhelming trend in the mobile device arena. Android users, in particular, are consistently using third-party app stores and websites to download the latest apps to their devices, free of charge.

What they perhaps aren’t aware of are the risks they open themselves up to each time they sideload an application. Because no security standard or strict quality requirement regulates the availability of these apps to the public, they have become the perfect entry point for hackers to deliver malware straight to your mobile device.
The resulting outbreaks are often far-reaching and irreversible. Malware has become more than just a threat to the mobile device itself. It is now a common vehicle used to steal personal information, location and even bank credentials. This can mean huge costs for both individuals and businesses.

What is ‘sideloading apps’?

A sideloaded app is defined as an app whose installer is unknown, meaning the app was not installed from an official app store nor through an MDM. Most often, they take the form of application packages installed on Android devices using the USB interface, or IPA files on iOS leveraging a jailbroken device.
These packages are downloaded from third-party websites such as Amazon, Getjar, Mobogenie, Slideme and Appbrain, usually through a computer. Many of these sites provide access to apps not available through traditional stores. The problem is, some of these apps are exceptionally vulnerable to malware infiltration.

Why is sideloading apps dangerous?

Sideloading apps is not a dangerous practice in itself. The vulnerability for users and businesses arises because these applications are not installed through official channels. This means they can more easily become entry points for malware.
When going through the process of making an application available on one of the traditional app stores, such as Apple’s ‘App Store’ or ‘Google Play’, developers must meet rigorous security standards and adhere to certain quality metrics. In fact, in 2012, over 30% of all application submissions made to Apple were rejected.
Conversely, third-party app stores tend to set their acceptance bars lower and make it easier for users to gain access to apps that may have security deficits. Hackers are hyper-aware of this and can easily implement malicious code within the format of an application.


Android vs. iOS

When software is sideloaded, it means that device security settings are circumvented, giving the app direct access to all data on the device. Android’s open operating system, unfortunately, makes this an easier feat than it is on iOS.
Android enables access to device-level configuration, allowing users to turn off security settings and download apps straight to the device. In the case of iOS, while sideloading apps is still feasible, users have to go through a much more complex process in order to do so.
In either case, once the malicious app is sideloaded, not much can be done. The code usually runs in the background of the device, siphoning user information and making it available to the culprits.

The real thing: Pokémon Go craze exploited by hackers

Following its widely anticipated launch on July 6th of last year, Pokémon Go quickly became the most downloaded game of all time, reaching 15 million global downloads in just one week.
If you were keen to get the app, you’ll probably remember that it wasn’t available in all countries right away. It was actually rolled out in Australia and New Zealand prior to going live in the US. Due to mass unanticipated demand, the pressure on Niantic Labs’ servers was so great that the game started crashing. This caused the company to halt its expansion plans while it dealt with capacity issues.
Users, therefore, started to seek out unofficial versions of the Pokémon Go application online. Sure enough, it had been uploaded for download on various sites as an APK file. Android users immediately started sideloading. This, of course, created a window of opportunity for hackers.
Among these APKs was a malicious Pokémon Go app that was infected with a remote access tool called “DroidJack”, which would give attackers full control over a victim’s phone.
Luckily, this malware was caught early, and users were warned off sideloading these APKs from unofficial third parties.

Protecting yourself

As a user, protecting yourself against APKs infected with malware requires vigilance. When downloading an app, it’s important to pay attention to the permissions requested. Apps requesting too many permissions for illegitimate-sounding reasons should be regarded with suspicion.
Another way to tell if an app is trustworthy, before giving it full access to your device, is to check the number of times it has been installed, as well as its reviews and comments. If this information isn’t available, taking the time to Google the developer of the app and read up on its reputation can give you a great deal of insight.

Protecting your business

For businesses, protecting their mobile estates against this practice is a challenge. Many companies simply have no way of knowing if or when users are sideloading apps to their devices. Yes, employees can be educated on the risks, but at the end of the day, it’s the organization’s data on the line.
To address this concern, Wandera has released a new threat detection capability that flags all sideloaded apps that are installed on Android corporate devices.
This new feature notifies administrators of the sideloaded app installation in real-time and allows them to take the appropriate actions necessary to protect their fleet.
Rectification may include communication with the specific user(s), de-installation of the app through the MDM provider, and if deemed appropriate, an update to the company’s overall policy settings.