Tax season is once again upon us and, with it, a dozen scams looking to part you from your hard-earned money.
With a startling one in four Americans losing money to online tax scams and half of all iOS and Android apps identified as “having a high-security risk”, we really need to talk about safety. However you feel about paying taxes, the worst outcome is sending your dollars and personal information directly into a cybercriminal’s pocket.
Techopedia sat with cybersecurity and accounting experts to shed light on the dangers of fake tax apps, break down malware tech, find the red flags, and help taxpayers secure their operations.
Key Takeaways
- While phishing attacks still dominate tax season cybercrime statistics, fake tax apps are emerging, posing potential risks to taxpayers.
- Cybercriminals are distributing fake tax apps to steal money and phish out personal data.
- While official Google and Apple app stores offer security, some malicious apps can slip through the guardrails.
- Learn from experts how and why criminals reverse engineer legitimate apps to impersonate trusted organizations and popular tax service applications.
The Alarming Rate of Malicious Tax Apps and Crime
A recent McAfee report found that one in every four taxpayers in the U.S. loses money to online tax scams. In February 2024 alone, McAfee blocked over one million malicious, tax-related URL attacks.
As tax filing deadlines approach, taxpayers face numerous challenges. More than half (54%) say they find it hard to differentiate scams from legitimate messages, and only 49% of Americans are confident that they can identify deepfake videos or artificial intelligence-created audio by criminals attempting to impersonate IRS agents or tax authorities.
How Attackers Are Reverse Engineering Legitimate Tax Apps
While most of the tax scams involve phishing and victims clicking on links sent via messages, cybercriminals are also reverse engineering legitimate tax apps to trick users in new ways.
Krishna Vishnubhotla, Vice President of Product Strategy at Zimperium, a mobile security platform purpose-built for enterprise environments, spoke about this reverse engineering criminal trend.
Vishnubhotla explained that attackers can use software to convert an app’s binary back into human-readable source code for analysis.
“An attacker only needs to install these on their laptop. They would then download the app of interest onto their specially equipped mobile devices to obtain the app binary and upload it to the tool.
“During the analysis, attackers may extract sensitive data embedded in the app, such as API keys, credentials, or URLs to backend services, which can be used to gain unauthorized access or to impersonate the app in phishing attacks.”
Once criminals understand the app’s structure, they can modify it to include malicious code. Attackers then repackage the modified app as a fake app.
“The fake app looks and functions similarly to the original but contains malicious functionalities aimed at stealing personal or financial information. For $150 and 10 minutes, they can get their hands on the source code that costs an enterprise nine months and a million dollars to develop.”
Weaponizing Tax App Features
The IRS warns that thousands of Americans have lost millions of dollars and their personal information to tax scams.
Scott Goodwin, Director of Cybersecurity and Privacy Advisory at PKF O’Connor Davies — an accounting and advisory practice — said that attackers can reverse engineer an app to understand how it works and to weaponize it.
Goodwin said that some tax app features, such as E-Filing services, have potential for criminals. “Depending on the technologies used to build and secure the legitimate application, it may be possible to extract credentials or other information required to support the app’s functionality, for example, an API token used to communicate with a backend E-Filing service,” Goodwin said.
“Additionally, the attacker will identify precisely what aspects of the app can be weaponized to steal personal information, maliciously modify banking details to reroute payments, or further infect the mobile device.”
Criminals can also obtain all the information required to create an almost identical app by reverse engineering and gaining access to legitimate tax app images, styling, and branding information.
Tyler Moffitt, Senior Security Analyst, Community Manager at OpenText (an information management company that helps organizations securely capture, govern, and exchange information on a global scale), broke down the technical aspects of reverse engineering.
“This process involves using tools like IDA Pro, Ghidra, or apktool (reverse engineering for Android apps) to analyze the app’s binaries,” Moffitt said.
“By doing so, attackers can understand the app’s functionality, identify vulnerabilities, or extract sensitive information, such as API keys or cryptographic algorithms.”
The Fake Tax App Black Market & Reasons Why It Thrives
Vishnubhotla shared with Techopedia research from Zimperium on popular tax apps.
Vishnubhotla said 30% of iOS apps were identified as having a high-security risk, and 80% of Android apps were identified as having a high-security risk.
Zimperium research also found five common mistakes that tax app developers are making.
- The app lets web scripts access its internal functions, which can be misused.
- The app can run powerful commands that, if misused, especially on rooted devices, could give attackers control over the device.
- The app allows running web scripts that could be harmful if tampered with.
- The app uses hidden permissions, allowing malicious apps to exploit its features.
- The app can download new code from the internet, risking unwanted changes or malicious updates.
He suggested:
“Since teams are more motivated to release fast than secure the app, they do the bare minimum regarding security.”
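A developer-side check for the five findings above, as an added example that is not from the article or from Zimperium: it scans an app's own decompiled sources and manifest before release. The API names are an assumed mapping (the article names none), "hidden permissions" is read here as components exported without a guarding permission, and the sample app is constructed.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
# Assumed mapping of the findings to Android APIs; the article names none.
RULES = {
    "js-bridge": re.compile(r"\.addJavascriptInterface\s*\("),
    "shell-exec": re.compile(r"Runtime\.getRuntime\(\)\.exec\s*\("),
    "webview-js": re.compile(r"\.setJavaScriptEnabled\s*\(\s*true\s*\)"),
    "dynamic-code": re.compile(r"new\s+DexClassLoader\s*\("),
}

def scan_source(files):
    """Return sorted (rule, file, line_no) hits for a {file: source} mapping."""
    hits = []
    for name, text in files.items():
        for no, line in enumerate(text.splitlines(), 1):
            if line.lstrip().startswith("//"):  # ignore commented-out code
                continue
            hits += [(rule, name, no) for rule, rx in RULES.items() if rx.search(line)]
    return sorted(hits)

def unguarded_exports(manifest_xml):
    """Names of components exported to other apps with no android:permission."""
    app = ET.fromstring(manifest_xml).find("application")
    kinds = ("activity", "service", "receiver", "provider")
    return [c.get(NS + "name") for c in (app if app is not None else [])
            if c.tag in kinds and c.get(NS + "exported") == "true"
            and not c.get(NS + "permission")]

# Constructed sample input: decompiled sources and manifest of a hypothetical app.
SAMPLE_SOURCES = {
    "FilingActivity.java": """WebView w = findViewById(R.id.form);
w.getSettings().setJavaScriptEnabled(true);
// w.addJavascriptInterface(old, "legacy");
w.addJavascriptInterface(new FilingBridge(this), "filing");
""",
    "Updater.java": """ClassLoader cl = new DexClassLoader(path, cache, null, parent);
Runtime.getRuntime().exec("getprop ro.build.type");
""",
}
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application>
    <service android:name=".SyncService" android:exported="true"/>
    <provider android:name=".Returns" android:exported="true" android:permission="com.example.tax.READ"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(scan_source(SAMPLE_SOURCES), unguarded_exports(SAMPLE_MANIFEST))
```

A launcher activity is exported by design, so hits from `unguarded_exports` are review items rather than automatic failures.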
Fake Apps in Official App Stores
Inevitably, as digitalization becomes mainstream around the world, trojan fake apps are surging. It is hard to estimate the percentage of fake and malicious apps hosted in official app stores such as Apple App Store or Google Play because cybersecurity is a dynamic field.
In 2023, Apple revealed that it prevented over $2 billion in potentially fraudulent transactions through its app store, and rejected over 1.7 million app submissions in one year for failing to meet the App Store’s high standards for privacy, security, and content. This number seems to be the tip of the iceberg.
Despite companies’ efforts and policies to ensure all apps hosted in official app stores are legitimate, cybercriminals often bypass these guardrails temporarily, for a couple of months, until Google or Apple removes the apps from the app store.
“If mobile applications are obtained from official app stores, end users can offload some (but not all) of this risk to the application store provider, as both Apple and Google have already performed a level of security-focused due diligence against the applications they support and provide for download,” Goodwin explained.
“However, there have been numerous examples of malicious applications ‘sneaking’ onto these trusted app stores, and therefore the risk associated with app installation can never be completely eliminated.”
Red Flags to Look Out For
Experts shared with Techopedia the top red flags that users should be aware of. “From an end user’s perspective, we assume that clicking the File My Taxes button will actually send our information to the appropriate authorities, when in reality, this action might send your information to a system controlled by the bad actor,” Goodwin from PKF O’Connor Davies said.
“Users should be suspicious of any mobile permissions requested by the app and should always ask themselves, for example, ‘Why would a tax application request access to other files stored on my mobile device?’”
Using malicious Application Programming Interfaces (APIs) integrated into fake tax apps, cybercriminals can receive and transmit data from and to the victim’s device.
“An API is nothing more than a mechanism for an app to communicate back and forth with a third-party or external resource (i.e., an E-Filing system),” Goodwin said.
“If a bad actor has generated or obtained the credentials (e.g., password, API token, etc.) necessary to communicate with a third-party API, there is essentially nothing stopping them from using that API to perform two-way communication.”
Vishnubhotla from Zimperium spoke about other red flags linked to fake tax apps.
“When an app requests payment through unconventional methods such as gift cards, wire transfers, or cryptocurrencies — be cautious.
“Excessive permissions are a huge red flag.”
Vishnubhotla said that observing unusual behavior after installation is hard because this type of malware is “good at hiding its activity”.
“But pay attention to any unusual activity,” Vishnubhotla said.
Moffitt of OpenText said other red flags include poor user reviews. “Legitimate apps usually have numerous positive reviews.”
He added that sideloading apps, inconsistencies in the user interface, developers’ credibility, and a recent app upload date are all signs that should raise suspicion.
The Bottom Line
Tax season isn’t just prime time for phishing email, phone, or SMS scams and frauds. Fake tax apps, a new and growing criminal trend, are rising to the occasion to target more users.
The reason why fake apps are popular is simple. While phishing gives cybercriminals a limited number of potential victims, fake apps that impersonate real trusted organizations allow hackers to dramatically expand their reach and cast a wider net.
Companies such as Apple and Google continually strive to remove fake apps from their official app stores, but they struggle to keep up with the alarming cybercriminal pace and often take weeks or months before they can shut down a criminal app operation.
Once again, users are left holding the bag and are forced to become the guardians of their security.
The good news is that taxpayers don’t have to be cybersecurity experts to protect themselves from fake tax apps.
Knowing and applying best security practices and being familiar with cybercriminal techniques and the red flags can go a long way in this tax season.