Decoy Apps – What Are They and What Role Do They Play?

finjanmobileBlog, Mobile Security

Decoy Apps

Having your mobile device fall into the wrong hands doesn’t always equate to “It was stolen.” Or hacked, for that matter.

As smartphones, tablets, and other portable storage media gain in popularity, these devices are increasingly becoming our preferred repositories for photographs, video clips, private documents, and business or personal information.

Allowing these resources and data to be viewed by third parties who aren’t authorized to have access to them in an official capacity – or whose access might breach the boundaries of privacy, sensitivity, or personal taste – could be just as damaging as the results of theft.

Preventing this from happening is where decoy apps have a role to play.

What Are Decoy Apps?

As its name suggests, a decoy app is a mobile application designed for the purpose of misdirection. It presents itself as one thing, while it actually does another.

And the thing that decoy apps generally do is hide stuff.  Like…

  • Text or “sext” messages to illicit sexual partners
  • Photos containing shots of you with people you shouldn’t necessarily be with – like lovers who are cheating on one or more of their respective partners
  • Call logs and contacts that could be traced back to people or organizations you shouldn’t be seeing or dealing with
  • Porn

How Do Decoy Apps Work?

A decoy app will generally provide tools for the creation of one or more hidden folders or “vaults” in the storage area of your mobile device. Files and data that you wish to conceal may be copied over to these secret stashes – often with the option to encrypt them, before the move. Once you delete the files from their original location, another user looking at your device won’t see the hidden folders (with their encrypted copies) in any directory or gallery listings.

The decoy app itself can’t be accessed without the security code or password you specify – and there may be options to set a “burner” or emergency password you can key in to erase all traces of the vault in extreme circumstances, or a code that simply leads to an innocuous front (like a folder of dummy images). Most importantly of all, the actual user interface of the decoy program masquerades behind the facade of another breed of software entirely.

Though several variants exist, some of the more popular ones include:

  • “SpyCalc” or “Smart Hide Calculator” apps, which present as a functional calculator, currency converter, or similar – but if you enter your pass code from its numeric pad, the calculator’s face gives way to the decoy app’s hidden folders management system.
  • “Audio Manager” type apps, which on the surface provide a functioning set of volume and sound controls for your device – but if you press on a given area of the screen, they’ll dissolve into the app’s vault manager.
  • “Best Secret Folder” variants, which take the form of a normal-looking (often empty) folder – but with a specially configured set of moves (tap a certain screen area, or enter a PIN code), the app gives access to a secret vault where you can hide apps you don’t want to be seen in launchers or your app drawer.

Why Use Decoy Apps?

Okay, here’s a confession: We pulled a bit of a decoy, in the preamble to this article.

While it’s certainly true that this type of app can be legitimately used to hide corporate data or intellectual property from prying eyes, the reality of the matter is that decoy apps are typically deployed for much less noble purposes. Like…

  • Hiding the call, text, or email evidence of unsanctioned personal or business relationships
  • Hiding documentary, photographic, or video evidence tying the device owner to individuals, organizations, or locations (physical or virtual) they shouldn’t legitimately be in personal or business contact with
  • Concealing illicit, pornographic, inflammatory, or otherwise sensitive material (including hate speech and the like) which might expose a device owner to criminal prosecution, religious or social persecution, or forms of exclusion
  • Concealing mobile apps that are being used to engage in offensive, dangerous, or illicit activities (and may involve any of the reasons outlined above)

Who’s Using Decoy Apps?

There’s anecdotal and forensic evidence to suggest that decoy apps are being employed by a wide range of users, representing different genders, age groups, social sectors, and motivations. Among these are:

  • Men and women using decoy apps to hide evidence that they’re cheating on their partners
  • Students at a U.S. high school (in Cañon City, Colorado) setting up an illicit ring for sharing nude and lewd photographs
  • Kids using decoy apps to hide text messages, call histories, documents, application use, and browsing activities from their parents
  • School students using the apps to hide messages and files used in waging cyber-bullying campaigns against their peers
  • Decoy apps may be making it easier for stalkers and sexual predators to plan and stage harassment campaigns, and to share images and videos with like-minded individuals
  • Criminal gangs are probably using decoy apps to facilitate illegal transactions (including drug deals, extortion, and theft), and to hide incriminating evidence from the eyes of local and regional authorities
  • Cyber-criminals may be using decoy apps to share intelligence, and/or to facilitate any number of different kinds of attack
  • There’s the very real possibility that terrorist networks and militia groups may be using decoy apps in a similar manner, or as a vehicle for waging hate campaigns and digital harassment

How Bad Is It?

For a 2015 interview, private investigator and computer forensic examiner Robert Namowicz of Spindletop Investigations compiled a list (which ran to 14 pages) of decoy apps readily accessible from mobile app stores – and that was just the apps he was capable of hacking into, himself.

In that same year, the Private Photo Vault decoy app was the 28th most downloaded photo and video app on the App Store, as determined by the mobile application measurement service App Annie.

And decoy apps have been increasing in availability and complexity, ever since. According to technology journalist and former detective Cindy Murphy, these apps are introducing a whole new level of complexity into the work of digital forensic investigators.

Some Recommendations for Parents

For parents concerned about what their children are getting up to within the hidden recesses of their own machines, there are several recommendations:

The iOS ecosystem provides some protection in the form of its “Ask to Buy” controls, which allow parents to screen mobile apps before they’re downloaded to their children’s iPhones. Configuration procedures (which require activation of Family Sharing) are available on the Apple website.

Similar parental vetting procedures may be set up at Google’s Play Store, with rules governing the maturity level at which children may be permitted to download and install certain apps.

Specialist applications are also available for tighter controls. These include the likes of the AppLock application locker (of which there are several variants), which may be configured to deny access to certain apps unless the correct PIN code or password is entered.

Share this Post