Cybercriminals are using third-party app sites to peddle reverse-engineered or ‘pirate’ versions of almost all the most popular paid apps available on the Google Play and Apple App Stores, software firm Arxan has discovered.

The firm uncovered this parallel app universe in a similar piece of research last year and for 2013 not much appears to have changed.

Looking at a total of 230 apps – the top 100 paid apps and top 15 free apps for Android and iOS – Arxan found that 100 percent of the top paid apps on Android and 56 percent on iOS were being impersonated in a compromised form on grey markets.

For free apps, the analysis found that 73 percent of Android apps in the top 15 existed in a bogus form on third-party stores, slightly worse than the 53 percent for iOS. Arxan also looked at popular financial apps, 20 from each platform, finding that a half of the Android samples existed as hacked versions with a quarter for Android.

“The widespread use of “cracked” apps represents a real and present danger given the explosion of smartphone and tablet use in the workplace and home,” said Arxan CTO, Kevin Morgan.

“Not only is IP theft costing software stakeholders millions of dollars every year, but unprotected apps are vulnerable to tampering: either through installed malware or through decompiling and reverse engineering – enabling hackers to analyze code and target core security or business logic that is protecting or enabling access to sensitive corporate data.”   

Important qualifications should be made when presenting this in terms of the real-world threat. In countries such as the US and UK, third-party stores (aside from dedicated stores such as Amazon’s) have a very small market presence. On iOS it is not possible to even use a third-party store unless the device has been jailbroken, which limits the numbers visiting them to a small fringe.

The vast majority of users are unlikely to ever encounter these pirate apps although is also true that Google doesn’t exactly have an unblemished record at keeping bogus knock-off apps out of its own store.

Still, Arxan had detected that some of the grey apps had been downloaded half a million times, most probably to smartphones in countries where third-party sites have a stronger cultural presence.

“[This] gives a sense of the magnitude of the problem especially as we embark upon a season of high consumer activity that will involve payment transactions, and consumption of products and services via the mobile endpoint,” said Morgan.

Arxan’s larger message is really for app developers themselves, which it said should resist reverse engineering by deploying code protection technology to defeat static and runtime attacks. Pirated apps depended on being able to replicate legitimate apps so this form of security was essential, he said.

“The challenge for greater mobile application security remains significant and core recommendations for improving mobile application security need to be integrated early in the application development lifecycle and made a key component of any mobile first strategy.”