This is an HTML version of an attachment to the public records request 'Digital Services Act / Digital Markets Act'.

Building a Trusted Ecosystem for Millions of Apps
A threat analysis of sideloading
October 2021

Key Insights
iPhone is a highly personal device where users store some of their most sensitive 
and personal information. This means that maintaining security and privacy on the 
iOS ecosystem is of critical importance to users. However, some are demanding 
that Apple support the distribution of apps outside of the App Store, through direct 
downloads or third-party app stores, a process also referred to as “sideloading.” 
Supporting sideloading through direct downloads and third-party app stores 
would cripple the privacy and security protections that have made iPhone so 
secure, and expose users to serious security risks. 

Mobile malware and the resulting security and privacy threats are 
increasingly common and predominantly present on platforms 
that allow sideloading.
•  A European regulatory agency reported 230,000 new mobile malware 
infections per day.
•  15–47x more infections: Over the past four years, Android devices were 
found to have 15 to 47 times more malware infections than iPhone.
•  Nearly 6 million attacks per month were detected by a large security firm 
on its clients’ Android mobile devices.

Mobile malware harms consumers, companies, developers, and advertisers. 
Attacks on users employ various tactics and techniques. Common types of mobile 
malware affecting consumers are adware, ransomware, spyware, and banking and 
other credential-stealing trojans that masquerade as legitimate apps. Cybercriminals 
often reach their targets through social engineering or supply chain attacks, and 
sometimes use popular social media networks to spread the scams and attacks. 
Most rely on third-party app stores or direct downloads to spread malicious apps. 
Developers and advertisers are also harmed by these attacks, mostly through piracy, 
intellectual property theft, and loss of advertising revenue.

If Apple were forced to support sideloading:
•  More harmful apps would reach users because it would be easier for 
cybercriminals to target them – even if sideloading were limited to 
third-party app stores only. The large amount of malware and resulting 
security and privacy threats on third-party app stores shows that they do 
not have sufficient vetting procedures to check for apps containing known 
malware, apps violating user privacy, copycat apps, apps with illegal or 
objectionable content, and unsafe apps targeted at children. Users would 
now be responsible for determining whether sideloaded apps are safe, a 
very difficult task even for experts. In the rare cases in which a fraudulent 
or malicious app makes it onto the App Store, Apple can remove it once 
discovered and block any of its future variants, thereby stopping its spread 
to other users. If sideloading from third-party app stores were supported, 
malicious apps would simply migrate to third-party stores and continue to 
infect consumer devices. 
•  Users would have less information about apps up front, and less control 
over apps after they download them onto their devices. Users may not get 
accurate information about apps they sideload through third-party app stores 
or via direct downloads because these app stores would not be required to 
provide the information displayed on the App Store product pages and privacy 
labels. And features like App Tracking Transparency and parental controls 
that allow users to control what iPhone data, hardware, and services can be 
accessed by those apps (such as the device’s location, microphone, and 
camera) either would not be available or would be much easier for malicious 
actors to manipulate. Large companies that rely on digital advertising allege 
that they have lost revenue due to these privacy features, and may therefore 
have an incentive to distribute their apps via sideloading specifically to bypass 
these protections. Privacy on the iOS platform would therefore be eroded. 
•  Some sideloading initiatives would also mandate removing protections 
against third-party access to proprietary hardware elements and 
non-public operating system functions. This would undermine core 
components of platform security that protect the operating system and iPhone 
data and services from malware, intrusion, and even operational flaws that 
could affect the reliability of the device and stop it from working. This would 
make it easier for cybercriminals to spy on users’ devices and steal their data. 

Even users who don’t want to sideload and prefer to download 
apps only from the App Store would be harmed if sideloading 
were supported.
•  Users could be forced to sideload an app they need for work or school. 
Users also may have no choice other than sideloading an app that they need to 
connect with family and friends because the app is not made available on the 
App Store. For example, if sideloading were permitted, some companies may 
choose to distribute their apps solely outside of the App Store.
•  Cybercriminals may trick users into sideloading apps by mimicking the 
appearance of the App Store, or by touting free or expanded access to 
services or exclusive features.

By reviewing every app before it becomes available on the App Store to ensure it is 
free of malware and accurately represented to users, and by swiftly removing apps 
from the App Store if they are found to be harmful and limiting the spread of future 
variants, Apple protects the security of the ecosystem. Sideloading, through 
either direct downloads or third-party app stores, would undermine Apple’s 
security and privacy protections, and is not in the best interest of users’ 
security and privacy.


“We’re trying to do two diametrically opposed things 
at once: provide an advanced and open platform to 
developers while at the same time protect iPhone 
users from viruses, malware, privacy attacks, etc. 
This is no easy task.” 
  Steve Jobs, October 17, 2007

Contents
The current mobile threat landscape
Snapshot of common consumer mobile malware
How mobile malware attacks access users’ devices
The risks of opening the ecosystem
The limited mechanism to distribute apps outside of the App Store
The impact of sideloading on the iOS ecosystem
Sideloading and iOS users
Guidance from security experts

When iPhone was developed, PCs were the world’s primary computing 
tools, and they were riddled with viruses. PC users often encountered serious 
reliability issues because downloading software or visiting a website could result 
in their machines becoming infected with malware. Apple designed iPhone with 
the knowledge and intention that it would be a highly personal device where users 
would store some of their most sensitive and personal information, and could be 
used by a much larger and more diverse user base than was the case with PCs. 
They would keep it with them wherever they went and rely on it during emergencies. 
iPhone could not fall victim to the fate of PCs – it needed to be different.
To provide reliability and security for users while establishing a platform for 
third-party developers to create and distribute apps, Apple built industry-leading 
security protections into iPhone and created the App Store, a trusted place 
where users could safely download vetted third-party apps. This approach has 
been effective: It is extremely rare for a user to encounter malware on iPhone. 
However, some are demanding that Apple support the distribution of apps 
outside of the App Store, through direct downloads or third-party app stores, a 
process also referred to as “sideloading.” Supporting sideloading would cripple the 
privacy and security protections of the iOS platform and expose users to serious 
security risks.

You can read Apple’s June 2021 paper, “Building a Trusted Ecosystem for 
Millions of Apps: The important role of App Store protections,” to see how a 
family’s everyday experience using their iPhone would be different with sideloading.

Sideloading on iPhone would open opportunities for cybercriminals. Malicious 
actors would be galvanized to develop tools and expertise to attack iPhone users 
because of the additional opportunities and distribution channels sideloading would 
provide. The increased risk of malware attacks would put all users at greater risk, 
even those who prefer to download apps only on the App Store. Plainly, sideloading 
is not in the best interest of users. Developers would be harmed as well, because 
the increased threat from sideloading would erode users’ trust in the ecosystem, 
resulting in many users downloading fewer apps from fewer developers, and making 
fewer in-app purchases. Developers would also be harmed by the proliferation 
of fake and copycat apps, as well as pirated apps.


The current mobile threat landscape
Mobile security threats are increasingly common, especially on platforms 
that support sideloading. The European Union’s cybersecurity agency, ENISA, 
reported the detection of 230,000 new mobile malware infections per day – i.e., 
84 million per year – in 2019 and early 2020.1 Kaspersky Lab, Europe’s largest 
cybersecurity services provider, estimated that in 2020, nearly 6 million attacks 
per month affected Android mobile devices owned by its clients.2,3
These threats are predominantly present on platforms that support 
sideloading: Recent studies have shown that devices that run on Android – a 
platform that supports sideloading – have an estimated 15 to 47 times more 
infections from malicious software than iPhone.4,5 
Mobile apps containing security threats pose significant risks.4,6 As a result, 
app review processes in first-party app stores (i.e., the App Store on iOS devices, 
and Google Play on Android devices) have become increasingly thorough and 
necessary to prevent security threats from reaching consumers. However, such 
app review protections are not always thorough, or even available at all, when users 
sideload apps from third-party app stores or direct downloads. 
Malware-infected mobile apps put all stakeholders in the mobile ecosystem 
at risk. While consumers are often the primary targets, malware attacks can harm 
and expose developers, online advertisers, and even businesses that are not direct 
participants in the mobile app ecosystem. Consumers who are victims of malware 
attacks are defrauded by cybercriminals, have their privacy and sensitive data 
compromised, and waste time and energy dealing with the consequences of the 
attacks.7 Malware-infected mobile apps are also often the first step in complex 
multi-step campaigns that allow cybercriminals to carry out a variety of attacks 
targeting a victim’s financial resources.8,9,10 On platforms that support sideloading, 
many consumers have also needed to add antivirus services on their devices to 
attempt to stem the problem – at a cost of $3.4 billion per year for those services. 
In 2021, an estimated 1.3 billion smartphones worldwide were equipped with 
security solutions – four times as many as in 2016.11 Cybercriminals, however, 
are always a step ahead, meaning antivirus services are an incomplete patchwork 
solution to the growing malware problem.12 

Malware designed to infect an individual’s mobile device can also affect 
corporate data and corporate networks. There are many ways that hackers 
attack companies, for example by using phishing or attacking unpatched systems, 
and mobile malware has become an additional avenue to do so.13,14,15 With many 
organizations around the world adopting Bring Your Own Device (BYOD) policies 
that encourage employees to use their personal devices on corporate networks, 
mobile malware attacks can provide bad actors a direct route into corporate 
networks, which has led to an increase in threats targeting mobile devices.16,17,18 
Many IT and security experts have attributed certain data breaches to employees 
failing to secure sensitive corporate information on their mobile devices, and a study 
of corporate data breaches identified Android apps as one delivery method for 
malware.10,19 Once bad actors manage to gain access to a corporate network, firms 
then face all types of attacks and security risks, such as ransomware, data theft, or 
loss of control of their network, all of which can lead to the loss of customer trust 
and litigation.20 
CORPORATE COSTS OF MALWARE ATTACKS
Firms face high costs from malware attacks, which can originate 
via mobile apps, among other sources:
•  One single mobile device infected with malware costs an organization an 
average of nearly $10,000.19
•  Among 1,800 US firms, 46 percent had at least one employee download a 
malicious mobile app that threatened the company’s network and data.21
•  DATA BREACHES: Data breaches, which can originate from mobile app 
malware, cost firms an average of over $4 million per breach, with estimates 
reaching up to $50 million.19, 22
•  LOST BUSINESS: Out of that $4 million, over $1.5 million is due to lost 
business. This cost includes the harm to reputation, which makes it more 
difficult for these firms to acquire new customers.22
•  RANSOMWARE: More than half of companies surveyed in France, Spain, 
Germany, and other European countries suffered a ransomware attack in 2019. 
Ransomware attacks, which can originate from mobile malware, cost companies 
more than $750,000 to remediate on average.23

Developers and advertisers are also harmed by cybercriminals. When pirating 
an app, cybercriminals illegally distribute another developer’s app, primarily through 
third-party sources (including third-party app stores), causing the developer 
to lose out on the app’s revenue.24,25 Cybercriminals may remove or replace 
the monetization tools that allow the developer to earn revenue, such as in-app 
purchases or advertising. In other cases, bad actors copy the design, branding, 
or content from another developer, profiting off of stolen intellectual property.26,27 
This means that app piracy and intellectual property theft cause developers to 
lose out on revenue. Several game developers, for example, have reported that 90 
percent of their app installations on Android devices are pirated versions for which 
they earn no revenue.24,25 Cybercriminals often target paid games, profiting by 
creating pirated versions of successful games such as Monument Valley, the Grand 
Theft Auto series, or Alto’s Adventure.24,25
Advertisers are also harmed by mobile malware when cybercriminals and hackers 
use techniques such as click fraud and ad stacking, which frequently operate 
through sideloaded apps.28 Click fraud malware automatically directs traffic to web 
pages containing ads or clicks on ads to generate revenue on a per-view or per-click 
basis, respectively.29 With ad stacking, malware layers multiple advertisements 
over one another so that, while the user only sees the top one, the advertiser is 
fraudulently billed for all the ads.30 Damages to legitimate advertisers from inflated, 
fraudulent ad traffic are estimated to amount to billions of dollars.30,31 
Threats to mobile users have only compounded due to the increased reliance 
on mobile devices driven by the coronavirus pandemic. For example, consumers 
are now more likely to store personal health information on their devices, a type of 
valuable data that hackers can sell to multiple buyers.32,33 Firms increasingly rely 
on BYOD policies to support remote work.17 These dynamics have created more 
opportunities for bad actors and increased the number of threats to mobile users. 
For example, mobile phishing – using fake messages to trick users into revealing 
confidential information or downloading malware – has increased by 37 percent.34 
Hackers have embedded malicious malware in COVID-19 apps and resources.35 
And healthcare-related networks have experienced 15 percent more coronavirus-
related malware attacks per user across mobile devices, tablets, and PCs than the 
average network.34

Snapshot of common consumer mobile malware
Mobile malware attacks against consumers take many forms and use 
various tactics and techniques to attack them. The most common types 
of consumer mobile malware are adware, ransomware, spyware, and banking 
and other credential-stealing trojans masquerading as legitimate apps. (See 
Snapshot below.) Once attackers gain access to a device, they often use 
multiple tactics to exploit their targets: For instance, they can infect the device 
with both adware and spyware. 
Snapshot of common consumer mobile malware

Adware
•  Goal: Generate ad revenue by serving the user aggressive (or fraudulent) ads
•  Impact on user: Nuisance in the form of excessive pop-up ads; harms 
performance of device

Ransomware
•  Goal: Extract money from infected user, promising to “release” a hijacked 
device in exchange
•  Impact on user: Loss of access to device and critical files; data loss; 
financial harm if user pays ransom

Consumer spyware
•  Goal: Use data to target users; sell data to hackers; conduct intimate partner 
surveillance (IPS)
•  Impact on user: Violate users’ privacy; IPS: enables abuse, potential physical 
and mental harm

Banking and credential-stealing trojans
•  Goal: Access a device to steal banking information or other user login 
credentials
•  Impact on user: Stolen credentials (e.g., banking login, social media account 
login); harm from stolen credentials (e.g., fraud)

Note: This table reflects classifications proposed by cybersecurity firms such as 
Kaspersky Lab, Malwarebytes, WeLiveSecurity by ESET, Norton, and Nokia, and 
government agencies such as the European Union Agency for Cybersecurity (ENISA).

Adware. Present in over half of mobile attacks, adware serves users invasive 
advertisements to generate advertising revenue.36,37,38 Adware can infiltrate 
mobile devices through apps, manifesting as pop-ups, redirections, clicker 
trojans, and unwanted installations.39
HiddenAds: Adware that hides inside free apps and games to display intrusive ads
[Figure: app icon labeled “Settings.”]

WHO IT AFFECTS
Since its discovery in 2020, there have been over 30,000 recorded HiddenAds 
attacks, affecting users worldwide.

HOW IT REACHES A USER’S DEVICE
Apps infected with HiddenAds adware masquerade as genuine Android apps, such 
as fake versions of FaceApp – a popular photo modification app – and a Call of 
Duty game.37 YouTube videos advertise these fake apps as free versions of 
legitimate apps and include download links.

HOW IT WORKS
HiddenAds displays various pop-up ads and website redirections in the device’s 
browser to generate advertising revenue for the malicious actor.

HOW IT HIDES
Once installed, the app appears as a fake settings icon. The icon can even 
disappear with the adware still running in the background.

Other examples of adware
•  FakeAdsBlock, a sideloaded Android trojan posing as a legitimate ad blocker, 
pollutes the device with pop-ups and redirections. It is very difficult to remove.40
•  Android.Click.312.origin clicker trojan is embedded in many legitimate apps. 
It generates ads on the apps and can load websites without user knowledge.41
•  CopyCat infects Android devices with adware and rooting malware. It spreads 
through tampered copies of popular apps released on third-party app stores.42 
In two months in 2016, CopyCat malware infected more than 14 million Android 
devices around the world.43

Ransomware. Another common type of mobile security attack, ransomware, 
generally targets individual users by blocking a device’s interface, preventing users 
from using it until a ransom is paid, or by encrypting files in the device and only 
decrypting them after a payment is made.44,45 Cybercriminals using ransomware 
often steal sensitive data and threaten to spread it.46 In 2020, more than 4.2 million 
mobile users in the US alone were victims of mobile ransomware attacks.47,48 These 
attacks have become more common, fueled by the coronavirus pandemic and the 
rise of cryptocurrency, which cybercriminals can trade to avoid being traced.34,47,49,50 
CryCryptor: Ransomware poses as an official COVID-19 tracing app and encrypts 
users’ files
[Figure: device screen reading “Your files are compromised.”]

CryCryptor ransomware poses as an official COVID-19 tracing app from government 
agency Health Canada to trick users into sideloading it. Once installed, 
CryCryptor encrypts files on the device and provides an email address to contact 
to proceed with ransom payment and file recovery.51,52

WHO IT AFFECTS
CryCryptor targets Android users in Canada.

HOW IT REACHES A USER’S DEVICE
In June 2020, mere days after the Canadian government announced plans to roll 
out a COVID-19 contact-tracing app, the cybercriminals behind CryCryptor created 
two fake Health Canada websites through which they offered their ransomware app. 
Preying on people’s anxiety and uncertainty surrounding the COVID-19 pandemic, 
they tricked Android users into sideloading CryCryptor from these fake websites.

HOW IT WORKS
CryCryptor was developed from CryDroid, an open-source ransomware. Once 
downloaded, CryCryptor requests permission to access files on the Android device. 
Then, the malware encrypts common file types, including photos, videos, and PDFs. 
A ransom note is attached to each encrypted file directory, containing an email 
address to contact regarding payment and file recovery.

Other examples of ransomware
•  Fusob ransomware trojans are designed to lock a device while stealing call 
history, location history, and other sensitive data. These trojans have targeted 
users in Europe and the US.53,54
•  MalLocker.B, a family of Android malware distributed via sideloading, displays 
a ransom note over every other app window, ensuring that the target cannot use 
any other features of the phone.55,56

Consumer spyware. Spyware monitors the device’s user and steals 
sensitive information, such as messages, photos, and videos.57 Spyware 
can harm both individuals (e.g., via identity theft or stalking) and businesses 
and organizations (e.g., via corporate espionage).58 Certain invasive forms of 
spyware can directly access a device’s microphone or camera.59,60 Consumer 
spyware is distinct from the highly sophisticated and narrowly targeted 
forms of spyware executed by nation-states via intelligence agencies. Unlike 
spyware developed or sponsored by nation-states, consumer spyware is 
designed to target a broad set of users, and is relatively cheap to produce 
and distribute on platforms that support sideloading. In 2020, a third of all 
Android malware attacks involved spyware.4 

Spyware has also been used by abusers to surveil intimate partners and 
their mobile devices. Apps containing such software, known as stalkerware, 
are used to track location, messages, emails, and photos, and to access 
the device’s camera in real time. The use of such apps is associated with 
harassment, stalking, and domestic violence. In the last few years, the 
FTC has taken action against two US companies that sold stalkerware that 
allowed stalkers and domestic abusers to track their victims on Android 
devices.61,62 In both cases, even though the apps were not distributed on 
Google Play, abusers were able to sideload the apps onto victims’ devices. 
The FTC’s intervention was therefore critical in removing the apps from 
distribution.61,63

•  Kaspersky Lab discovered over 50,000 users who were affected by 
stalkerware in 2020.65
•  One survey found that more than half of abusers tracked their victims’ 
mobile phones using stalkerware apps.64
•  The vast majority of stalkerware is distributed outside of first-party app 
stores.65

Examples of spyware
•  FluBot is a strain of spyware that behaves and spreads very similarly to 
FakeSpy. (See below.) FluBot poses as a DHL package tracking app across 
Europe, and focuses its attacks in the UK and Finland.68,69
•  SpyNote spreads as a sideloaded, fake version of Netflix that can take control 
of a device’s microphone, contacts, and messages.70
•  HelloSpy, a type of stalkerware available only through sideloading, records the 
target’s GPS location, phone calls, messages, photos and videos, and other 
data.71 It is marketed to “catch cheating spouses.”72





FakeSpy: Malware poses as fake package delivery messages to spy on users and 
steal their data
[Figure: sample text message, “You need to sign for a package, please see 
https://post-a.top/”. Caption: Fake messages attempt to trick users into 
sideloading FakeSpy via fraudulent postal service apps.]
[Figure: app icons labeled Royal Mail, USPS Mobile, JP Post, and Swiss Post. 
Caption: FakeSpy app icons mimic those of legitimate postal services around 
the world.]

FakeSpy uses SMS phishing to trick people into sideloading an Android app that 
masquerades as a legitimate postal service app. Once downloaded, it steals 
sensitive information from the device.66,67

FakeSpy is actively evolving to include new evasion strategies and spying 
capabilities. FakeSpy proliferates by sending SMS phishing messages to the 
infected user’s contact list.66 It is also expanding to mimic more legitimate postal 
services around the world to target new groups of users.

WHO IT AFFECTS
Android users in France, Switzerland, Germany, the UK, the US, Japan, and 
Taiwan, among others.

HOW IT REACHES A USER’S DEVICE
A target receives a text message claiming that the postal service attempted to 
deliver a package, and that the user should track or sign for it. The message 
contains a link to a website that prompts users to sideload the fake delivery 
tracking app. FakeSpy has masqueraded as mail services in France (La Poste), 
Switzerland (Swiss Post), Germany (Deutsche Post DHL), the UK (Royal Mail), 
the US (USPS), Japan (Japan Post), and Taiwan (Chunghwa Post). To trick 
potential victims, the sideloaded app’s icon resembles the official app icon for 
one of these official mail services.

HOW IT WORKS
Once the user has sideloaded the app, it requests permissions that allow it to 
obtain text messages, contact lists, call logs, network information, recently run 
tasks, and information about other apps.

HOW IT HIDES
After the user launches the app, it deceptively redirects them to the real postal 
service website, which helps the app remain undetected as malware.
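
A defender-side check for the FakeSpy lure described above, as an added example that is not part of Apple's paper: it flags texts that combine delivery wording with a link outside the official postal domains. The domain allowlist, the brand tokens and every sample message other than the one quoted in the figure are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: domains operated by the postal services the paper names.
OFFICIAL_DOMAINS = {
    "laposte.fr", "post.ch", "deutschepost.de", "dhl.de", "dhl.com",
    "royalmail.com", "usps.com", "japanpost.jp", "post.gov.tw",
}
# Assumption: brand strings an impersonating host may embed.
BRAND_TOKENS = ("laposte", "swisspost", "deutschepost", "dhl",
                "royalmail", "usps", "japanpost", "chunghwa")

LURE_RE = re.compile(
    r"\b(package|parcel|shipment|deliver(?:y|ed)?|sign for|track(?:ing)?)\b",
    re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def is_official(host):
    """True when host is an official domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def inspect_url(url):
    """Return (host, flags) for one link found in a message."""
    parts = urlsplit(url.rstrip(".,;:!?)"))
    # hostname is the part after any "user@" prefix, i.e. the real target.
    host = (parts.hostname or "").lower().rstrip(".")
    flags = []
    if not host or is_official(host):
        return host, flags
    flags.append("link to non-postal host " + host)
    if parts.username is not None:
        flags.append("userinfo before '@' hides the real host")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode label in host")
    if any(tok in host.replace("-", "") for tok in BRAND_TOKENS):
        flags.append("host embeds a postal brand name")
    if parts.path.lower().endswith(".apk"):
        flags.append("link points directly at an APK")
    return host, flags


def triage_sms(text):
    """Classify one SMS body as 'suspicious' or 'ok' and list the reasons."""
    reasons = []
    if LURE_RE.search(text):
        reasons.append("delivery-lure wording")
    link_flags = []
    for url in URL_RE.findall(text):
        link_flags.extend(inspect_url(url)[1])
    # Delivery wording alone is normal for real carriers. It counts only
    # together with a link that leaves the official domains; a link with
    # extra red flags (APK, brand in host, userinfo) counts on its own.
    extra = [f for f in link_flags if not f.startswith("link to non-postal")]
    suspicious = bool(link_flags) and (bool(reasons) or bool(extra))
    return {"verdict": "suspicious" if suspicious else "ok",
            "reasons": (reasons + link_flags) if suspicious else []}


# The first message is the one shown in the paper's figure; the rest are
# constructed for this example.
SAMPLES = [
    "You need to sign for a package, please see https://post-a.top/",
    "Your parcel is out for delivery. Track it at "
    "https://www.royalmail.com/track-your-item",
    "Parcel held, pay the fee: https://royalmail.com@parcel-fee.example/pay",
    "New version here http://usps-update.example/USPS.apk",
    "Lunch menu: https://cafe.example/menu",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        result = triage_sms(sms)
        print(result["verdict"], "|", sms, "|", "; ".join(result["reasons"]))
```
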

Banking and other credential-stealing trojans. Common types of 
mobile malware are banking and other credential-stealing trojans. 
Disguised as legitimate apps, they aim to steal users’ credentials from 
banks, government accounts, or social media accounts, for example. 
Some banking trojans are capable of bypassing two-factor authentication 
security measures.73 The goal of banking trojans is to ultimately steal the 
credentials and money from the target’s bank account.74 Banking trojans 
are most commonly sideloaded.74 
BlackRock: An Android trojan poses as a fake version of Clubhouse to steal login 
credentials
[Figure: screen showing “See if you have friends on Clubhouse” and a “GET IT ON 
Google Play” button.]

BlackRock is an Android trojan that steals login credentials from over 450 online 
services, and tricks users into sideloading it by posing as the Clubhouse app.75,76 

WHO IT AFFECTS
Android users in Europe and other parts of the world.

HOW IT REACHES A USER’S DEVICE
BlackRock spreads via a spoofed version of the Clubhouse website. When a user 
clicks “Get it on Google Play,” the trojan is automatically downloaded.

HOW IT WORKS
The trojan poses as a Google update, and asks for Accessibility Service 
privileges. With those privileges, it can grant itself further privileges to function 
without requiring user input.76 The next time the user opens one of the targeted 
apps, such as BBVA, Lloyds Bank, or Facebook, the trojan launches a screen 
overlay window over the app’s interface that records the user’s login credentials 
as they are typed. The trojan can access text messages, which allows it to defeat 
two-factor authentication. 

HOW IT HIDES
When the trojan is first launched on the device, it hides its app icon, thereby 
making itself invisible to the user.

Other examples of banking and credential-stealing trojan apps
•  Banker.BR, an Android trojan, uses screen overlays to steal banking 
information in Spain and Portugal.77 
•  TeaBot, a banking trojan, impersonates many popular apps in Western Europe 
to steal banking information and gain remote access to devices.78,79
•  Since 2017, Anubis banking trojans have posed as the apps of over 300 
financial institutions and other types of apps.80 Once installed and activated, the 
apps request unnecessary permissions that allow them to execute nefarious 
commands. The malware predominantly uses phishing to trick people into 
providing their bank account information.
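
A static triage of a decoded, text-form AndroidManifest.xml for the permission combinations that the FakeSpy and BlackRock snapshots describe, as an added example that is not part of Apple's paper. The mapping from the described behaviours to Android permission names, the rule set and the sample manifests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
PERM = "android.permission."

# Capability -> Android permissions that grant it (assumed mapping from the
# behaviours described in the snapshots to platform permission names).
CAPABILITIES = {
    "read_sms": {PERM + "READ_SMS", PERM + "RECEIVE_SMS"},
    "send_sms": {PERM + "SEND_SMS"},
    "contacts": {PERM + "READ_CONTACTS"},
    "call_log": {PERM + "READ_CALL_LOG"},
    "recent_tasks": {PERM + "GET_TASKS"},
    "app_inventory": {PERM + "QUERY_ALL_PACKAGES"},
    "overlay": {PERM + "SYSTEM_ALERT_WINDOW"},
}

# A single capability is rarely meaningful; the combinations are what match
# the behaviour described for these trojans.
RULES = [
    ("bulk personal-data collection", {"read_sms", "contacts", "call_log"}),
    ("SMS self-propagation to contacts", {"send_sms", "contacts"}),
    ("accessibility service with SMS access", {"accessibility", "read_sms"}),
    ("screen overlay with SMS access", {"overlay", "read_sms"}),
]


def _capabilities(root):
    """Collect the capability names a parsed manifest asks for."""
    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            requested.add(el.get(ANDROID + "name"))
    caps = {cap for cap, perms in CAPABILITIES.items() if perms & requested}
    # An accessibility service is declared on a <service>, not requested
    # through <uses-permission>.
    for svc in root.iter("service"):
        if svc.get(ANDROID + "permission") == PERM + "BIND_ACCESSIBILITY_SERVICE":
            caps.add("accessibility")
    return caps


def triage_manifest(manifest_xml):
    """Return package name, capabilities and matched rules for one manifest."""
    root = ET.fromstring(manifest_xml.strip())
    caps = _capabilities(root)
    findings = [name for name, needed in RULES if needed <= caps]
    return {"package": root.get("package"),
            "capabilities": sorted(caps),
            "findings": findings}


# Constructed sample: a "parcel tracker" asking for far more than it needs.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.parceltracker">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <application>
    <service android:name=".Helper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>
"""

# Constructed sample: an accessibility tool with no SMS or contact access.
SCREEN_READER_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.screenreader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".Reader"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for sample in (SUSPICIOUS_MANIFEST, SCREEN_READER_MANIFEST):
        print(triage_manifest(sample))
```
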

Other forms of malware. Other well-known forms of malware, while 
similar to consumer malware, are typically not delivered through mobile 
apps and not targeted at everyday consumers.
•  Nation-state spyware is developed and sponsored by state actors 
via intelligence agencies or private contractors, often with the goal of 
advancing a nation’s intelligence or national security objectives. Unlike 
consumer spyware, nation-state spyware is highly sophisticated, costs 
millions of dollars to develop, is typically not delivered via apps, and is 
used to target specific individuals.81,82,83
•  Enterprise ransomware occurs when criminals take control over 
corporate networks and demand ransom from the affected company  
in exchange for restoring access or preventing the cybercriminals  
from publicly releasing sensitive data stolen from the victim’s 
network.84 Enterprise ransomware differs from mobile ransomware 
attacks (in which a consumer’s device and personal data are held 
ransom), although employees’ mobile devices can be an entry point  
for cybercriminals targeting corporations.

How mobile malware attacks access users’ devices
Cybercriminals and hackers can distribute malware to users through third-party 
app stores and via direct downloads from websites or even as email attachments.8 
As described below, a huge majority of malware – over 99 percent – comes from 
sideloaded apps, because first-party stores like the App Store have protections in 
place that prevent these distribution techniques from targeting users. The most 
common way for malware attackers to reach their targets is through social 
engineering or spoofing, i.e., using deception and manipulation as 
techniques to obtain users’ trust and get access to their devices. One study found 
that 98 percent of all cyberattacks rely on social engineering.18 Hackers sometimes 
use social media networks to spread scams and attacks, exploiting people’s trust in 
their friends and family.85,86 There are many ways in which spoofing attacks, which 
are more likely to happen through sideloaded apps, try to obtain users’ trust:
Copycat apps (or fake apps) copy the name, interface, and functionalities of other 
apps to acquire some of their users.87,88 They capitalize on users’ trust in popular 
(and legitimate) apps, such as Netflix, Candy Crush Saga, and Clubhouse, possibly 
hurting the image and reputation of those legitimate developers.70,89 Commonly 
downloaded via sideloading, these apps have fooled tens of millions of users 
worldwide.43,90,91
Fake system updates are a common spoofing technique in which malware 
pretends to be a system update, tricking users into downloading it and providing 
access to their devices. For example, a sideloaded Android app posed as a system 
update to infect users’ devices.92
Email and phishing messages are another technique that malware attacks  
employ to convince users to download malware, appearing to be from senders the 
users trust.8,93 These phishing messages commonly spread through social media 
apps. For example, FlyTrap, a malicious trojan on third-party app stores, spreads 
by hijacking users’ Facebook accounts to send personalized messages to victims’ 
social connections with links to the trojan.85 In Spain, people received mobile 
messages advertising and containing a link to sideload a fake and malware-ridden 
“Coronavirus Finder” app.94 In India, users received personalized SMS messages 
urging them to download a copycat of the tax-filing app from the official Income 
Tax Department of India. The app contained malware designed to steal their 
personal and financial information.95

Website spoofing creates legitimate-looking websites that contain malware.96 
These websites frequently lead to malicious apps available for sideloading.  
Examples include the aforementioned BlackRock Android trojan that spoofs the 
website of the Clubhouse app, luring unsuspecting users into downloading the 
trojan app instead of the legitimate app.76
Scareware tricks users by claiming to detect threats to the device, often offering 
solutions to those threats that involve sideloading an app containing malware.97,98 
For instance, Armor for Android falsely warns people that malware has been 
detected on their devices, advising users to download its antivirus app, which  
then scams them.99 
Potentially unwanted applications are software packaged along with genuine 
apps that tailgate their way onto devices when users install the genuine apps. 
They can contain malware and drain devices’ resources.100 For example, over 100 
Android apps, with more than 4.6 million combined downloads, contain the Soraka 
potentially unwanted application adware.101
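A defender's view of the copycat-app technique listed above, as an added example that is not part of the original paper: a Python triage check that flags installed apps whose display name imitates a well-known app while the package identifier or signing-certificate fingerprint does not match the genuine publisher. The app names come from the paper; the package identifiers, fingerprints, inventory records and the 0.85 similarity threshold are constructed for illustration.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed reference data: genuine apps an organization expects to see.
# Package identifiers and signer fingerprints are placeholders, not real values.
KNOWN_APPS = {
    "Netflix": {"package": "com.example.netflix", "signer": "AA:11:PLACEHOLDER"},
    "Clubhouse": {"package": "com.example.clubhouse", "signer": "BB:22:PLACEHOLDER"},
    "Candy Crush Saga": {"package": "com.example.candycrush", "signer": "CC:33:PLACEHOLDER"},
}

# A few look-alike characters often swapped into spoofed names (not exhaustive):
# digits and symbols, plus Cyrillic a, e, o that NFKC does not fold to Latin.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "$": "s", "@": "a",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",
})


def normalize(name):
    """Fold case, Unicode compatibility forms and look-alikes; keep letters and digits."""
    folded = unicodedata.normalize("NFKC", name).casefold().translate(CONFUSABLES)
    return "".join(ch for ch in folded if ch.isalnum())


def closest_known_app(display_name, threshold=0.85):
    """Return (known_name, score) for the best match at or above threshold, else None."""
    candidate = normalize(display_name)
    best = None
    for known in KNOWN_APPS:
        target = normalize(known)
        score = SequenceMatcher(None, candidate, target).ratio()
        if target in candidate:
            # "Netflix Premium Free" embeds the brand name outright.
            score = 1.0
        if score >= threshold and (best is None or score > best[1]):
            best = (known, score)
    return best


def triage(app):
    """Classify one inventory record as 'genuine', 'copycat-suspect' or 'unrelated'."""
    match = closest_known_app(app["name"])
    if match is None:
        return "unrelated"
    expected = KNOWN_APPS[match[0]]
    # The name alone proves nothing: both the package identifier and the signing
    # certificate must match. A repackaged app can reuse the package identifier
    # but cannot reuse the genuine developer's signing key.
    if app["package"] == expected["package"] and app["signer"] == expected["signer"]:
        return "genuine"
    return "copycat-suspect"


def scan(inventory):
    """Return (display name, verdict) for every record in a device inventory."""
    return [(app["name"], triage(app)) for app in inventory]


# Constructed device inventory, as an MDM or audit export might provide it.
INVENTORY = [
    {"name": "Netflix", "package": "com.example.netflix", "signer": "AA:11:PLACEHOLDER"},
    # Capital "I" standing in for lowercase "l".
    {"name": "CIubhouse", "package": "com.example.chat.invite", "signer": "ZZ:99:PLACEHOLDER"},
    # Cyrillic "е" in the brand name, plus an enticing suffix.
    {"name": "N\u0435tflix Premium Free", "package": "com.example.freemovies", "signer": "ZZ:98:PLACEHOLDER"},
    # Repackaged build: right name and package identifier, wrong signer.
    {"name": "Clubhouse", "package": "com.example.clubhouse", "signer": "ZZ:97:PLACEHOLDER"},
    {"name": "Weather Now", "package": "com.example.weather", "signer": "DD:44:PLACEHOLDER"},
]

if __name__ == "__main__":
    for name, verdict in scan(INVENTORY):
        print(f"{verdict:16} {name}")
```

Name similarity only selects which reference record to compare against; the verdict rests on the package identifier and signer, so a perfect visual copy is still flagged.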
Hackers can also use supply chain attacks to infect user devices. Instead of 
tricking users into downloading infected apps, these attacks infiltrate and spread by 
tricking developers of legitimate apps.102 One way those attacks have proliferated 
is through infected software development kits (SDKs), the building blocks used by 
app developers to build apps.103 Cybercriminals and hackers can deliver malware 
to users by modifying and inserting malicious code in SDKs used by unsuspecting 
developers.104 These attacks take advantage of the trust that users have in apps 
made by legitimate developers. For example, SWAnalytics, an Android data 
analytics SDK, hides Operation Sheep, a contact-stealing malware package. As 
of March 2019, 12 Android apps infected with this malware, with over 111 million 
downloads, had circulated in major third-party app stores.105 
Hackers often reuse the same malware strain, which they repackage into variants. 
Rather than creating entirely new malware – a costly endeavor – hackers 
modify existing malware into new versions to either improve it or spread it in other 
ways. Malware variants for Android have grown significantly in recent years.106,107

The risks of opening the ecosystem
Because cybercriminals and hackers rely heavily on apps to spread malware, 
first-party app stores have invested in extensive processes to screen and 
remove malicious apps.108,109,110 As the threat of malware has increased, these 
screening processes have become stricter and have dedicated a greater amount of 
resources to reviewing apps.111,112 And, if harmful apps are found on first-party app 
stores, they can be removed from distribution, preventing further user exposure.113,114
On the other hand, the large amount of malware on third-party app stores 
shows they do not have sufficient vetting procedures to check for harmful apps 
(and direct download websites have no independent vetting), so cybercriminals and 
hackers have relied on third-party app stores or direct downloads to spread their 
apps, taking advantage of the lack of oversight and the inability to control the spread 
of malware: Over 99 percent of known mobile malware originates on third-party app 
stores.15,18 A study of malicious apps on Android found that once a malicious app is 
detected and removed from one app store, it often simply migrates to other third-
party stores, and thus continues infecting consumer devices.115,116 
Because Android supports sideloading, malware has been able to spread on 
that platform more easily. Android smartphones are the most common mobile 
malware targets and have recently had between 15 and 47 times more infections 
from malicious software than iPhone.4,5 A study found that 98 percent of mobile 
malware targets Android devices.18 This is closely linked to sideloading: In 2018, 
for example, Android devices that installed apps outside Google Play, the official 
Android app store, were eight times more likely to be affected by potentially harmful 
applications than those that did not.103 For example, as previously discussed, 
HiddenAds, CopyCat, FakeSpy, and BlackRock are all prominent malware strains that 
reached Android users via third-party sources. In addition, because cybercriminals 
and hackers rely on sideloading to spread pirated apps, piracy and intellectual 
property theft are more common on Android devices.24,25,117 On the other hand, iOS 
users are unlikely to be exposed to malware, and many of the rare malware attacks on 
the platform are narrowly targeted attacks, often carried out by nation-states.82,83,118 
Experts generally agree that iOS is safer compared to Android, in part because 
Apple does not support sideloading.5 
If regulations force platforms to support sideloading without any user 
protections, the harm to users could be even greater. The Android platform 
currently retains some features that discourage sideloading by adding “friction” 
for users – additional steps and warnings that prevent users from sideloading apps 
without realizing it. For example, devices are set up not to sideload as a default 
option, and corporate entities can disallow device-wide sideloading on employees’ 
devices.119,120,121 Should regulations force platforms to support sideloading without 
any friction, the threat of malware, piracy, and intellectual property theft on both 
platforms would likely be higher as a result.

The limited mechanism to distribute apps outside of the App Store
Apple’s own experience with supporting the ability of a limited number of 
enterprise developers to distribute apps outside of the App Store shows 
that cybercriminals and even for-profit companies will go to great lengths 
to bypass the App Store so they can spread malware and other illegitimate 
apps. Apple created the Developer Enterprise Program to provide a way for large 
organizations to develop and privately distribute apps (for instance, confidential 
apps that cannot go through App Review), for use only by their organization’s 
employees. Under the tightly controlled program, Apple issues certificates to 
businesses, which allow them to distribute apps directly to their employees 
under their IT departments’ supervision. 

Despite the program’s tight controls and limited scale, bad actors have 
found unauthorized ways of accessing it, for instance by purchasing 
enterprise certificates on the black market. Bad actors have used illegitimately 
obtained enterprise certificates to distribute apps that violate App Store policies, 
including apps containing malware such as Goontact (see below) and pirated 
versions of popular iOS apps.122,123 Abuse of the Developer Enterprise Program 
is not limited to cybercriminals. In 2019, for example, Apple revoked Facebook’s 
enterprise certificate because it was used to distribute a VPN app called 
Facebook Research that collected mobile data and usage habits – such as web 
searches and browsing history, messages, and location data from Facebook 
users – targeting some as young as 13.124,125 Enterprise certificates are meant only 
for internal use by a company, and are not intended for general app distribution, 
as they can be used to circumvent App Store and iOS protections.

Apple has increased efforts to tighten controls on the program and add user 
protections, but abuse has persisted. This demonstrates the enormous risk 
posed by forcing Apple to support the ability of any developer to distribute 
apps outside of the App Store to all iPhone users. If the option to distribute 
apps via sideloading were available on a massive scale, without any restrictions, 
and with Apple powerless to revoke certificates from bad actors in cases of 
abuse, malware and other forms of illegitimate apps would run rampant. 

Apple tightly controls the Developer Enterprise Program
Only legal entities that have validated their reasons for using the program are 
eligible, and they can only distribute apps to their employees. 
Apple can and does revoke the developer certificates of businesses that misuse them. 
Employees who download apps created through the program must go into their 
device settings and affirm that they trust the business – their employer – which 
ensures users truly intend to download an app from outside of the App Store. 
Most enterprise customers do not use the program, as Apple offers businesses 
alternative ways to distribute apps to their employees to limit participation 
in the Developer Enterprise Program. For instance, businesses can submit apps for 
custom app distribution on the App Store, a process by which each app goes through 
the App Review process before becoming available within the organization. 
Learn more here: developer.apple.com/custom-apps/.

Goontact: Adult video chat sites lure targets into downloading spyware
[Illustration: permission prompt reading “Allow ‘Telegram’ to access your camera?”]
Goontact is multi-platform spyware that reaches users’ devices through infected 
adult video chat apps. The spyware targets Android users via sideloaded apps, 
and is also able to target iOS users by abusing the Apple Developer Enterprise 
Program.122

WHO IT AFFECTS
Goontact is currently active across both Android and iOS platforms, and 
primarily targets users in China, Japan, Korea, Vietnam, and Thailand. 

HOW IT REACHES A USER’S DEVICE
Malicious actors lure targets to websites promising adult video chats. However, 
they are instead connected with Goontact operators. Under the pretense of 
improving video or audio quality, operators prompt targets to sideload a 
well-known video-chatting app (such as Telegram) from a website that mimics the 
design of a first-party app store, guiding them through the process and coaxing 
them to enable access privileges. However, the sideloaded app is fake and 
infected with spyware.

HOW IT WORKS
After Android users accept a prompt to grant Goontact permissions, it collects 
data on contacts, SMS messages, location, photos, and the device identifier. On 
iOS devices, the spyware can only collect contacts and device identifier data.

HOW IT TARGETS iOS USERS
Goontact abuses the privileges of the Apple Developer Enterprise Program by 
obtaining unauthorized enterprise certificates. While Apple revokes these 
certificates as soon as they are discovered, the malicious actors can keep 
spreading their malware through sideloading when they procure additional 
illegitimate certificates.

ADDITIONAL LAYER OF ATTACK
During the first video chats with a Goontact operator, the cybercriminals record 
a compromising video of the target to use as blackmail. After users download the 
app, the spyware steals their contacts and the cybercriminals threaten to release 
the video to their contact lists unless a ransom is paid.

The impact of sideloading on the iOS ecosystem
Forcing sideloading onto the iOS ecosystem would make iPhone less 
secure and trustworthy for users. This would be true regardless of whether 
sideloading occurred via direct downloads or through third-party app stores. 
Researchers agree that iPhone is the most secure consumer mobile device, and 
it is rare for any user to encounter malware on iPhone.5 Because iPhone provides 
users with powerful and multi-layered security protections, it is usually not 
possible for cybercriminals and hackers to attack iOS devices at scale. Through 
the App Review process, Apple’s goal is to ensure that apps on the App Store 
are trustworthy and safe. Apple is constantly improving this process, continually 
updating and refining App Review’s tools and methodology.
Forcing Apple to support sideloading on iOS through direct downloads or third-
party app stores would weaken these layers of security and expose all users to 
new and serious security risks: It would allow harmful and illegitimate apps to 
reach users more easily; it would undermine the features that give users control 
over legitimate apps they download; and it would undermine iPhone on-device 
protections. Sideloading would be a step backwards for user security and privacy: 
Supporting sideloading on iOS devices would essentially turn them into “pocket 
PCs,” returning to the days of virus-riddled PCs.
You can read Apple’s recent paper, "Building a Trusted Ecosystem for Millions of 
Apps," to learn more about how Apple’s device protection and App Review keep 
your device safe.
First, if sideloading were supported, it would be easier for harmful apps 
to reach users. Direct downloads are unvetted, and the large amount of 
malware that proliferates on third-party app stores shows that those stores do 
not have sufficient vetting procedures to check for harmful apps. Users would 
now be responsible for determining whether sideloaded apps are safe, a very 
difficult task even for experts. Apple currently protects users by vetting apps 
and developers on the App Store, keeping illegitimate apps out, and quickly 
containing the spread of harmful apps. 

Malware: Sideloading would expose iOS users to apps that contain known strains 
of malware. App Review screens all apps and app updates submitted to the App 
Store to check for various types of known malware, including infected SDKs used 
in supply chain attacks. By contrast, known malware such as HiddenAds remains 
present on Android third-party app stores. (See above.)
Spoofing: If sideloading were supported on iOS, malicious actors would be able  
to distribute copycat versions of popular apps that trick users. On the App Store, 
apps come from known and vetted developers only, and their content is reviewed  
by a member of the App Review team. This process works to prevent, for example,  
a trojan app posing as a fake version of Clubhouse and stealing user login 
credentials. (See above.)
Illegal, pirated, and stolen content: Sideloading would expose users to apps 
with illegal content, such as illegal gambling apps, pirated apps, or apps containing 
stolen intellectual property. They would be able to spread on the iOS platform 
unchecked via third-party sources. Apple checks all apps submitted to the App 
Store for illegal content prohibited by Apple’s policies. 
Unsafe apps targeted at children: Supporting downloads outside of the App 
Store would mean that parents may inadvertently sideload apps appearing to be 
kid-friendly but which actually put their children at risk. App Store policies enforce 
strict guidelines around data collection and security on apps in the Kids category. 
For example, these apps may not include links outside of the app, send personally 
identifiable information to third parties, or contain third-party analytics 
or advertising. 
Unchecked spread of harmful apps: In the rare cases in which a fraudulent or 
malicious app makes it on the App Store, Apple can remove it immediately once 
discovered, thereby stopping its spread to more users. Apple also identifies and 
blocks variants of the original malware that cybercriminals try to repackage in other 
apps, limiting its ability to mutate and spread further. For example, XcodeGhost 
was a form of malware that spread through an infected version of Xcode (Apple’s 
environment for writing and compiling apps) that unsuspecting developers 
downloaded from a third-party website rather than from the Apple developers’ 
website.126 Because the infected apps were centrally distributed through the App 
Store, Apple was able to swiftly work with cybersecurity firms to identify and remove 
them.127 A mechanism such as sideloading, without centralized review, would 
make it impossible to notify all impacted developers, and to control the spread of 
harmful apps, because removing them from the App Store would not prevent them 
from continuing to spread through third-party app stores and direct downloads. 
Researchers have found that when harmful apps are removed from an app store on 
the Android platform, malicious actors simply move them to alternative app stores.115

Second, if sideloading were supported on iOS, users may not get accurate 
information about apps they download via direct download or through third-
party app stores. Also, features that allow users to control what data apps are 
able to access would either not work, or would be much easier for malicious 
actors to manipulate. The App Store requires all developers to provide reliable 
information about apps, and Apple has designed many features that give users the 
ability to control what data apps are able to access. 
Permissions: App Review checks that the app doesn’t request access to sensitive 
permissions or data that are unnecessary for the app to function (for example, a 
weather app requesting access to the microphone or to health data). App Review 
also checks that apps do not make misleading or false claims when requesting 
permissions from users. If sideloading were supported, however, sideloaded apps 
would not have to be checked to see if they are improperly requesting and obtaining 
sensitive permissions and data, such as access to the device microphone or location 
data, regardless of whether this permission is needed for the app to function. 
Sideloaded apps may also attempt to trick users into granting permissions using 
manipulative or false messages.
Reliable information for users: On the App Store, app developers are required 
to submit a description of their app and its features, screenshots of the app, and 
privacy information explaining what kind of data the app links to users’ identities and 
whether that data is used to track them across third-party websites and apps. This 
ensures that users know what to expect when deciding whether to download an app 
and that they are not misled by malicious actors impersonating trusted developers. 
If sideloading were supported, users could not be sure that apps downloaded 
outside the App Store are what they expected to download, and they may not have 
information on the apps’ privacy practices.
Privacy protections: Privacy is at the core of Apple’s ecosystem. All apps on the 
App Store need to get users’ permission before tracking them across third-party 
apps or websites through the App Tracking Transparency feature. Sideloading would 
render this protection ineffective: While users could prevent sideloaded apps from 
accessing their Identifier for Advertisers (IDFA), sideloaded apps could access other 
device or user data, and their developers would not be required to abide by choices 
made by users to opt out of tracking. As a result, users’ data may be collected 
and shared without their permission. In addition, developers may have different 
incentives, and may choose not to protect users’ data the same way that Apple does. 
Some developers allege that they have lost advertising revenue due to App Tracking 
Transparency, and thus would have an incentive to sideload their apps specifically to 
bypass these privacy protections.128 Furthermore, some developers, including social 
media platforms, have a history of abusing user privacy and safety, and have created 
apps that violate App Store guidelines designed to protect iOS users.124,129
Learn more about Apple’s privacy protections
To learn more about how the App Tracking Transparency and privacy labels 
on the App Store give you control and transparency on how apps collect and 
use your data, read "A Day in the Life of Your Data" and visit 
apple.com/privacy/control.

Parental controls: Apple has designed features that give parents control over 
how kids use iOS devices. Screen Time gives parents an understanding of the 
time kids spend using their devices, and allows parents to limit the amount of 
time they can spend each day on certain apps and websites. The Ask to Buy 
feature allows parents to approve or decline kids’ app downloads and purchases 
made via in-app purchasing, and has a 15-minute timeout to prevent subsequent 
purchases. Sideloading would weaken these parental control features, which 
could be easily bypassed by apps downloaded outside of the App Store. For 
instance, a game app could identify itself as an education app to evade Screen 
Time limits on game usage. And non-App Store purchases on sideloaded apps 
would not be controlled by Ask to Buy. 
Report a Problem: Apple provides features that allow users to request refunds 
for some purchases from the App Store, as well as to report app privacy violations 
or safety issues. These features ensure that users have recourse if something 
goes wrong, such as being a victim of fraud or scams. Under sideloading, there 
would be no guarantee that third-party app stores would offer fair, clear, and 
consistent refund policies, or provide customer support in cases where there is  
a problem with an app.
Subscriptions: Apple’s subscription management tool allows users to view all 
their paid subscriptions made through in-app purchases in a single place. Users 
can see how much and how often they will be charged for in-app subscriptions, 
and they can easily cancel them. With sideloading, many developers could 
choose to make their apps incompatible with these features, and make it 
confusing and time-consuming for users to cancel subscriptions. 
Finally, sideloading would undermine iPhone’s core on-device platform 
security protections. For security reasons, Apple restricts apps from accessing 
sensitive hardware elements (e.g., NFC chip, secure enclave, memory space, ultra 
wideband) and does not permit apps to use non-public operating system functions. 
Special entitlements – the right or privilege to use a sensitive service or technology 
– are granted selectively to apps that require access for a specific purpose. For 
example, the HealthKit entitlement determines whether an app may request user 
permission to access health and activity data. 
If Apple were forced to provide full access to proprietary hardware elements 
and non-public operating system functions, as some efforts to force sideloading 
on iOS would require, it would undermine core platform security features, such 
as the sandboxing of apps and the separation between apps and the operating 
system. The attack surface on iPhone would significantly expand, and fundamental 
security protections would be endangered. For example, under some proposals, 
the operating system would no longer be able to prevent apps from stealing or 
modifying data from another app, or accessing location data, the microphone, 
or the camera without user permission. 

Sideloading would make it easier and cheaper to execute many attacks that are 
currently difficult and costly to execute on iOS.15 This would expand the universe 
of attack techniques present on iOS, the set of users that are targeted, and the 
number of cybercriminals. Supporting sideloading would lower the cost of carrying 
out attacks on iPhone, incentivizing malicious actors to develop tools and expertise 
to attack iPhone device security and privacy at an unprecedented scale. 
Cybercriminals and hackers would take advantage of the adtech industrial 
complex to reach their targets. They would use mobile ad networks to spread 
harmful apps to users by targeting them with ads to install sideloaded apps. Mobile 
ad networks earn billions of dollars a year from ads for mobile app installs, a practice 
that would likely expand to include ads for malicious apps distributed through 
sideloading.130,131 Cybercriminals already use ads on social media platforms to target 
users with malware for PC and many other types of scams.132,133,134 Users would 
face an onslaught of ads for malicious apps that these ad networks profit from and 
therefore have little incentive to police.135 Cybercriminals and hackers may also rely 
on social media networks to spread malicious apps through social engineering, 
exploiting people’s trust in their friends and family. As a result, users would bear the 
burden of determining what is safe to click on and download.
Even users who decide they don’t want to sideload, and prefer to download apps 
only from the App Store, would end up being harmed. They could be forced to 
sideload an app they need for work, for school, or for social inclusion if it is not made 
available on the App Store. Furthermore, cybercriminals and hackers may trick users 
into unknowingly sideloading an app by mimicking the appearance of the App Store, 
or by touting free or expanded access to services or exclusive features. 
If Apple were forced to support sideloading via direct downloads and through 
third-party app stores, iPhone users would have to constantly be on the lookout 
for scams, never sure whom or what to trust, and, as a result, users would 
download fewer apps from fewer developers. Developers themselves would 
become more vulnerable to threats from malicious actors who offer developer tools 
that contain and propagate malware. Developers would also be more vulnerable to 
piracy and intellectual property theft, which would undermine their ability to get paid 
for their efforts and innovation.

Sideloading and iOS users
Supporting sideloading on iOS devices would harm iOS users, whose security, 
privacy, and personal data would be put at risk by the increased threat of 
attacks by malicious actors. iOS users store personal, valuable, or sensitive 
information on their mobile devices.136 Many iOS users use mobile banking and 
payment apps, and purchase goods and services on their devices.137 Employees 
also commonly connect to corporate networks on their mobile devices for work-
related tasks. App Store users come from all walks of life and all age groups, speak 
different languages, and live all over the world. But one thing they have in common 
is that they are all protected by the App Store safeguards.
Smartphone users have access to millions of apps, and download a large and 
increasing number of apps. In many countries, users have over 90 apps installed 
on their devices on average, and iOS users download almost 50 percent more apps 
than they did five years ago.138,139,140 Each sideloaded app could potentially pose a 
threat to the security and privacy of users’ devices and their personal data.
As a result, Apple’s security and privacy features are critical to protecting the 
hundreds of millions of iOS users. In fact, research shows that a majority of iOS 
users report that they have only some or no knowledge of cybersecurity issues, 
and do not change default security settings unless they run into specific issues.136 
Even among the small share of users with security expertise, when asked what 
they prioritize when making security choices, roughly as many chose convenience 
as chose security.136
By reviewing every app before it becomes available on the App Store to ensure it is 
free of malware and accurately represented to users, and by swiftly removing apps 
from distribution if they are found to be harmful and limiting the spread of future 
variants, Apple protects the security of the ecosystem and provides peace of mind 
to customers. Sideloading is not in the best interest of users. 

Guidance from security experts
Government and international agencies worldwide, as well as security 
experts and cybersecurity providers, widely caution users about the risks 
posed by downloading apps from third-party app stores:
“Only install apps from official app stores.” 
“Companies should only permit the installation of apps from official sources 
on those mobile devices that connect to the enterprise network.”
Europol147

“Users should only download applications from Google Play and not from third-party 
sources, to minimise the risk of installing a malicious application.” 
European Agency for Cybersecurity141

“[Sideloading] if done incorrectly could make a mobile device extremely vulnerable 
to attack.”
National Institute of Standards and Technology (United States Department of Commerce)144

“Users should avoid (and enterprises should prohibit on their devices) sideloading 
of apps and the use of unauthorized app stores.” 
Department of Homeland Security (United States)143

“One way to minimize danger from third-party app stores is to avoid them.”
Norton (cybersecurity provider)148

“Third party apps pose a security threat to users who enable the installation 
of apps from unverified sources.” 
Interpol and Kaspersky Lab142

“The majority of [third-party] app stores don’t enforce rigorous security vetting 
of the apps they offer, [and] this can make any device on which they have been 
installed particularly vulnerable to threats.”
“[Sideloading] should be forbidden in [a company’s] BYOD policy.”
Wandera (mobile security company)145,146

Sources
1. Neville, Ann, “Recent cyber-attacks and the EU’s cybersecurity strategy for the digital decade,” European Parliamentary Research Service, June 2021.
2. Chebyshev, Victor, “Mobile Malware Evolution 2020,” Kaspersky, March 1, 2021.
3. Yablokov, Victor, “Why there’s no antivirus for iOS,” Kaspersky, September 10, 2018.
4. Nokia, “Threat Intelligence Report 2020,” 2020.
5. Nokia, “Threat Intelligence Report 2019,” 2019.
6. RSA, “2018 Current State of Cybercrime,” Dell Technologies, March 20, 2018.
7. Hautala, Laura, “Android malware tries to trick you. Here’s how to spot it,” CNET, May 14, 2021.
8. Mitre ATT&CK, “Techniques: Deliver Malicious App via Other Means,” February 9, 2021.
9. Mitre ATT&CK, “Tactics: Initial Access,” January 27, 2020.
10. Verizon, “2020 Data Breach Investigations Report,” May 19, 2020.
11. Anderson, Sophie, “Antivirus and Cybersecurity Statistics, Trends & Facts 2021,” Safety Detectives, January 24, 2020.
12. Verger, Rob, “Your anti-virus software is not enough,” Popular Science, July 7, 2017.
13. Huang, Keman, et al., “Systematically Understanding the Cyber Attack Business: A Survey,” ACM Computing Surveys, Vol. 51, No. 4, July 2018, pp. 1-36.
14. Algarni, Abdullah and Malaiya, Yashwant, “Software Vulnerability Markets: Discoverers and Buyers,” World Academy of Science, Engineering and Technology International Journal of Computer and Information Engineering, Vol. 8, No. 3, 2014, pp. 480-490.
18. PurpleSec, “2021 Cyber Security Statistics: The Ultimate List Of Stats, Data & Trends,” 2021.
19. Ponemon Institute, “The Economic Risk of Confidential Data on Mobile Devices in the Workplace,” February 2016.
20. Holland, Jake, “T-Mobile Hit With Class Action Suits After Consumer Data Breach,” Bloomberg Law, August 20, 2021.
21. Check Point, “Mobile Security Report 2021,” April 2021.
22. IBM, “Cost of a Data Breach Report 2021,” July 2021.
23. Sophos, “The State of Ransomware 2020,” May 2020.
24. Brown, Mike, “Android’s Piracy Problem Is Forcing Developers To Give Away Games: ‘Alto’s Adventure’ Latest Freebie,” International Business Times, February 11, 2016.
25. Koetsier, John, “The Mobile Economy Has A $17.5B Leak: App Piracy,” Forbes, February 2, 2018.
26. Vincent, James, “TikTok clone Zynn has now been removed from the iOS App Store as well,” The Verge, June 16, 2020.
27. LeFebvre, Rob, “Apple pulls cloned games from App Store,” VentureBeat, February 7, 2012.
28. Dong, Feng, et al., “FrauDroid: An Accurate and Scalable Approach to Automated Mobile Ad Fraud Detection,” September 6, 2017.
29. La Porta, Liarna, “Trojan malware infecting 17 apps on the App Store,” Wandera, October 24, 2019.
30. Trend Micro, “Mobile Ad Fraud Schemes: How They Work, and How to Defend Against Them,” April 26, 2019.
31. Takahashi, Dean, “Adjust says mobile ad fraud rates doubled in the past year,” VentureBeat, May 10, 2018.
35. Cohen, Jessica Kim, “Hackers taking advantage of COVID-19 to spread malware,” Modern Healthcare, March 16, 2020.
36. Wang, Liu, et al., “Beyond the Virus: A First Look at Coronavirus-themed Android Malware,” Empirical Software Engineering, Vol. 26, No. 82, June 12, 2021.
37. Chen, ZePeng, “Thousands of HiddenAds Trojan Apps Masquerade as Google Play Apps,” McAfee, March 3, 2020.
38. Avast, “Avast Reports Continued Dominance of Adware Among Android Threats,” June 16, 2021.
39. Kaspersky, “What is Adware? – Definition and Explanation.”
40. Malwarebytes, “Android/Trojan.FakeAdsBlock.”
41. Dr. Web Anti-Virus, “Clicker Trojan Installed from Google Play by Some 102,000,000 Android Users,” August 8, 2019.
42. Osborne, Charlie, “CopyCat Android malware infected 14 million devices, rooted 8 million last year,” ZDNet, July 7, 2017.
43. Check Point, “How the CopyCat malware infected Android devices around the world,” July 6, 2017.
44. Schwartz, Jaime-Heather, “How to protect your Android phone from ransomware – plus a guide to removing it,” Avira, August 13, 2020.
45. Grustniy, Leonid, “Mobile beasts and where to find them – part two,” Kaspersky, August 3, 2018.
46. Holland, Tilly, “Ransomware Attacks: What You Need To Know,” Ontrack, March 7, 2019.
47. PurpleSec, “2021 Ransomware Statistics, Data, & Trends,” 2021.
48. Nicholas, Sarah, “You Can Beat the Latest Security Breaches,” Ameris Bank, July 19, 2021.
32. Health Information National Trends
Survey, “On your tablet or smartphone, 
15. RiskIQ, “2020 Mobile App Threat 
do you have any software applications or 
49. Cyber Florida, “Research Shows a 
Landscape Report,” 2020.
apps related to health?,” National Cancer 
715% Increase in Ransomware Attacks 
Institute, 2020.
in 2020,” University of South Florida
16. Burkhalter, Max, “Why BYOD culture 
September 23, 2020.
poses a major risk to enterprises,” Perle
33. Firch, Jason, “10 Cyber Security 
April 6, 2020.
Trends You Can’t Ignore In 2021,” 
50. Ostroff, Caitlin and Vigna, Paul, “Why 
PurpleSec, April 29, 2021.
Hackers Use Bitcoin and Why It Is So 
17. Bitglass, “Mission Impossible: Securing 
Difficult to Trace,” Wal  Street Journal, July 
BYOD,” November 2018.
34. He, Terry, et al., “2021 Cyber Threat 
16, 2020.
Report,” SonicWal , 2021.
29

51. Stefanko, Lukas, “New ransomware 
68. National Cyber Security Centre, “Fake 
85. Yaswant, Aazim, “FlyTrap Android 
posing as COVID-19 tracing app targets 
‘missed parcel’ messages: advice on 
Malware Compromises Thousands of 
Canada; ESET offers decryptor,” 
avoiding banking malware,” August 19, 
Facebook Accounts,” Zimperium, August 
WeLiveSecurity by ESET, June 24, 2020.
2021.
9, 2021.
52. Seals, Tara, “Emerging Ransomware 
69. Finnish Transport and Communications 
86. Hazum, Aviran, et al., “New Wormable 
Targets Photos, Videos on Android 
Agency, “Android malware spread by 
Android Malware Spreads by Creating 
Devices,” Threatpost, June 24, 2020.
SMS,” July 15, 2021.
Auto-Replies to Messages in WhatsApp,” 
Check Point Research, April 7, 2021.
53. Emm, David, et al., “IT Threat Evolution 
70. Desai, Shivang, “SpyNote RAT posing 
in Q2 2016,” Kaspersky, 2016.
as Netflix app,” Zscaler, January 23, 2017.
87. Jama, Robleh, “The upside of copycat 
apps and how to deal with them if they get 
54. Kaspersky, “KSN Report: Ransomware 
71. Black, Daniel, “Hel oSpy App Review 
out of hand,” TheNextWeb, April 9, 2016.
in 2016-2017,” Kaspersky, 2017.
2021: Will the App Resume Its Work?,” 
mSpy, March 5, 2021.
88. Hinchliffe, Alex and Palo Alto 
55. Venkatesan, Dinesh, “Sophisticated 
Networks, “Techniques: Masquerade as 
new Android malware marks the latest 
72. Cox, Joseph, “I Tracked Myself With 
Legitimate Application,” Mitre ATT&CK
evolution of mobile ransomware,” 
$170 Smartphone Spyware that Anyone 
April 8, 2020.
Microsoft, October 8, 2020.
Can Buy,” Vice, February 22, 2017.
89. Peterson, Andrea, “Beware: New 
56. Whitwam, Ryan, “Microsoft Spots 
73. Kochetkova, Kate, “Mobile banking 
Android malware is ‘nearly impossible’ to 
Android Ransomware That Hijacks Your 
Trojans, explained,” Kaspersky, October 
remove,” The Washington Post, November 
Home Button,” ExtremeTech, October 9, 
14, 2016.
6, 2015.
2020.
74. Stefanko, Lukas, “Android Banking 
90. Trend Micro, “Malware in Apps’ 
57. Osborne, Charlie, “How to find and 
Malware: Sophisticated Trojans vs. Fake 
Clothing: A Look at Repackaged Apps,” 
remove spyware from your phone,” ZDNet
Banking Apps,” ESET, January 2019.
May 15, 2014.
August 9, 2021.
75. Owaida, Amer, “Beware Android trojan 
91. Toulas, Bil , “Researchers Found 164 
58. Kaspersky, “Avoiding Cel  Phone 
posing as Clubhouse app,” WeLiveSecurity 
‘Copycat’ Apps That Tricked 10 Mil ion 
Spyware Infestation.”
by ESET, March 18, 2021.
Users,” TechNadu, January 14, 2021.
59. Shatilin, Ilja, “Mobile beasts and 
76. ThreatFabric, “BlackRock – the Trojan 
92. Yaswant, Aazim, “New Advanced 
where to find them – part four,” Kaspersky
that wanted to get them al ,” ThreatFabric
Android Malware Posing as ‘System 
October 22, 2018.
July 2020.
Update’,” Zimperium, March 26, 2021.
60. Palmer, Danny, “AndroRAT: New 
77. O’Donnel , Lindsey, “Banking.BR 
93. European Union Agency for 
Android malware strain can hijack older 
Android Trojan Emerges in Credential-
Cybersecurity, “Phishing on the rise,” 
phones,” ZDNet, February 14, 2018.
Stealing Attacks,” Threatpost, April 21, 
October 12, 2017.
2020.
61. Federal Trade Commission, “FTC 
94. Eremin, Alexander, “People infected 
Brings First Case Against Developers of 
78. Asoltanei, Oana, et al., “Threat Actors 
with coronavirus are al  around you, says 
“Stalking” Apps,” October 22, 2019.
Use Mockups of Popular Apps to Spread 
Ginp Trojan,” Kaspersky, March 24, 2020.
Teabot and Flubot Malware on Android,” 
62. Federal Trade Commission, “FTC 
Bitdefender Labs, June 1, 2021.
95. Pak, ChanUng, “Phishing Android 
Bans SpyFone and CEO from Surveil ance 
Malware Targets Taxpayers in India,” 
Business and Orders Company to Delete 
79. Cleafy, “TeaBot: a new Android 
McAfee, September 3, 2021.
All Secretly Stolen Data,” September 1, 
malware emerged in Italy, targets banks in 
2021.
Europe,” May 31, 2021.
96. Malwarebytes, “What is a spoofing 
attack?”
63. Vaas, Lisa, “SpyFone & CEO Banned 
80. Cyware, “Exploring the Nature and 
From Stalkerware Biz,” Threatpost
Capabilities of Anubis Android Banking 
97. Fitriah, Andi, et al., “Understanding 
September 2, 2021.
Trojan,” January 25, 2020.
Android Financial Malware Attacks: 
Taxonomy, Characterization, and 
64. Citron, Daniel e Keats, “Spying Inc.,” 
81. Clark, Mitchel , “NSO’s Pegasus 
Challenges,” Journal of Cyber Security 
Washington and Lee Law Review, Vol. 72, 
spyware: here’s what we know,” The 
and Mobility, Vol. 7, No. 3, June 14, 2018, 
No. 3, June 1, 2015, pp. 1234-1282.
Verge, July 23, 2021.
pp. 1-52.
65. Securelist, “The State of Stalkerware in 
82. Whittaker, Zack, “A new NSO zero-
98. Kaspersky, “What is Scareware?,” 
2020,” Kaspersky, February 26, 2021.
click attack evades Apple’s iPhone 
Kaspersky.
security protections, says Citizen Lab,” 
66. Cybereason Nocturnus Team, 
TechCrunch, August 24, 2021.
99. Sims, Gary, “Exposé: Don’t fall victim 
“FakeSpy Masquerades as Postal Service 
to this dodgy anti-virus app,” Android 
Apps Around the World,” Cybereason, July 
83. NPR, “Malware From An Infamous 
Authority, February 5, 2014.
1, 2020.
Hacker-For-Hire Group Was Found On 
Nearly 900 Phones,” July 19, 2021.
100. Malwarebytes, “Mobile PUP,” June 
67. Almkias, Ofir, “FakeSpy,” Mitre 
9, 2016.
ATT&CK, October 6, 2020.
84. Infrascale, “Enterprise Ransomware 
Survival Guide,” May 25, 2016.
30

101. Satori Threat Intel igence and 
117. Smith, Chris, “Another crucial reason 
133. Newman, Lily Hay, “Facebook Shut 
Research Team, “Bringing Starchild Down 
why app developers prefer iOS to Android,” 
Down Malware That Hijacked Accounts to 
to Earth: Soraka SDK,” Human Security
BGR, February 4, 2016.
Run Ads,” Wired, October 1, 2020.
December 2019.
118. Kujawa, Adam, et al., “2020 State of 
134. McGuire, Michael, “The Web of Profit: 
102. Korolov, Maria, “Supply chain attacks 
Malware Report,” Malwarebytes, February 
Social Media Platforms and the Cybercrime 
show why you should be wary of third-
2020.
Economy,” Bromium, 2019.
party providers,” CSO from International 
Data Group, February 4, 2021.
119. N-Marandi, Sara, “What’s new in 
135. Rastogi, Vaibhav, et al., 
Android privacy,” Android Developers 
“Understanding In-App Ads and Detecting 
103. Android, “Android Security & Privacy 
Blog, May 18, 2021.
Hidden Attacks through the Mobile 
2018 Year In Review,” March 2019.
App-Web Interface,” IEEE Transactions 
120. Johnson, Kyle, “How do you block 
on Mobile Computing, Vol. 17, No. 11, 
104. Clayton, Richard, “Mobile Supply 
sideloaded app installation on iOS or 
November 1, 2018, pp. 2675-2688.
Chain Attacks Are More Than Just an 
Android?,” TechTarget, January 9, 2019.
Annoyance,” Check Point, 2019.
136. Breitinger, Frank, et al., “A survey 
121. Tee, Mike, “How to Install Apps 
on smartphone users’ security choices, 
105. He, Feixiang and Polkovnichenko, 
from Unknown Sources in Android,” 
awareness and education,” Elsevier: 
Andrey, “Operation Sheep: Pilfer-Analytics 
MakeTechEasier, February 16, 2020.
Computers & Security, Vol. 88, October 
SDK in Action,” Check Point, March 13, 2019.
122. Nickle, Robert, et al., “Lookout 
11, 2019.
106. Trend Micro, “Variant.”
Discovers New Spyware Used by 
137. Centre for International Governance 
Sextortionists to Blackmail iOS and Android 
107. Sen, Sevil, et al., “Coevolution of 
Innovation – Ipsos, “Global Survey on 
Users,” Lookout, December 16, 2020.
Mobile Malware and Anti-Malware,” IEEE 
Internet Security & Trust,” 2017.
Transactions on Information Forensics and 
123. Nel is, Stephen and Dave, Paresh, 
138. App Annie, "The State of Mobile," 
Security, Vol. 13, No. 10, October 2018, pp. 
“Software pirates use Apple tech to 
2019.
2563-2574.
put hacked apps on iPhones,” Reuters
February 13, 2019.
139. Nelson, Randy, “Store Intel igence: 
108. Australian Competition & 
Q1 2016 Data Digest,” Sensor Tower, April 
Consumer Commission, “Digital Platform 
124. Owen, Malcolm, “Apple has revoked 
18, 2016.
Services Inquiry: Interim Report – App 
Facebook’s enterprise developer 
Marketplaces,” March 2021.
certificates after sideload violations,” 
140. Sensor Tower, “Q4 2020 Store 
AppleInsider, January 30, 2019.
Intelligence Data Digest,” 2020.
109. Apple Developer, “App Store Review 
Guidelines.”
125. Axon, Samuel, “Apple revokes 
141. European Union Agency For 
Facebook’s developer certificate over 
Cybersecurity, “Vulnerabilities – 
110. Google Play Help, “Google Play 
data-snooping app—Google could be 
Separating Reality from Hype,” August 24, 
Protect keeps your apps safe and your data 
next,” Ars Technica, January 30, 2019.
2016.
private.”
126. Xiao, Claud, “Novel Malware 
142. Kaspersky and Interpol, “Mobile 
111. O’Donnel , Lindsey, “Google Play 
XcodeGhost Modifies Xcode, Infects Apple 
Cyber Threats,” October 2014.
Cracks Down on Malicious Apps,” 
iOS Apps and Hits App Store,” Palo Alto 
Threatpost, February 14, 2019.
Networks, September 17, 2015.
143. U.S. Department of Homeland 
Security, “Study on Mobile Device 
112. Mohan, Babu, “Google now takes 
127. Xiao, Claud, “More Details on the 
Security,” April 2017.
three days to approve new Play Store 
XcodeGhost Malware and Affected iOS 
apps,” Android Central, August 20, 2019.
Apps,” Palo Alto Networks, September 21, 
144. Franklin, Joshua M, et al., 
“Guidelines for Managing the Security of 
113. Apple, “App Store stopped more 
2015.
Mobile Devices in the Enterprise,” U.S. 
than $1.5 bil ion in potential y fraudulent 
128. Fischer, Sara, “Facebook says Apple’s 
Department of Commerce – National 
transactions in 2020,” May 11, 2021.
ad changes are hurting its business,” 
Institute of Standards and Technology
114. Guertin, Alec and Kotov, Vadim, “PHA 
Axios, September 22, 2021.
March 2020.
Family Highlights: Bread (and Friends),” 
129. Seetharaman, Deepa, “Facebook 
145. Urwin, Matt, “Top 5 Types of 
Google Security Blog, January 9, 2020.
Removes Data-Security App From Apple 
Sideloaded Apps and the Risks They Pose,” 
115. Shen, Yun, et al., “A Large-scale 
Store,” Wal  Street Journal, August 22, 
Wandera, December 19, 2018.
Temporal Measurement of Android 
2018.
146. Velzian, Becci, “How to Create a Bring 
Malicious Apps: Persistence, Migration, 
130. Rosenfelder, Shani, “Global app install 
Your Own Device (BYOD) Policy,” Wandera
and Lessons Learned,” Cornel  University: 
ad spend to double by 2022 to hit $118 
January 13, 2021.
Computer Science – Cryptography and 
billion,” AppsFlyer, February 13, 2020.
Security, August 10, 2021.
147. Europol, “Just a Game? Only instal  
131. Brown, Eileen, “Facebook leads app 
apps from official app stores,” European 
116. Lindorfer, Martina, et al., “AndRadar: 
install market share, but Google is rising 
Cybercrime Centre.
Fast Discovery of Android Applications 
fast,” ZDNet, October 19, 2018.
in Alternative Markets,” 11th Conference 
148. Gervais, Joe, “The risks of third-party 
on Detection of Intrusions and Malware & 
132. Whittaker, Zack, “Facebook ran ads 
app stores,” Norton, July 18, 2018.
Vulnerability Assessment, July 2014.
for a fake ‘Clubhouse for PC’ app planted 
with malware,” TechCrunch, April 8, 2021.
31

Document Outline