Fake Applications

Fake Applications surfaces mobile apps published to the Google Play Store and Apple App Store that match your organization's brand, name, or developer identity but are not yours. These are the rogue, cloned, repackaged, or impersonating apps adversaries use to harvest credentials, distribute malware, intercept OTPs, or simply ride on your brand's reputation. The page is your triage queue: confirm what is genuinely yours, and flag what is not for review or takedown.

Overview

The page lives under Brand Protection → Fake Applications and opens on two store tabs:

  • Play Store ( N ) — fake Android apps matched to your brand, with the open count in parentheses.
  • App Store ( N ) — fake iOS apps matched to your brand, with the open count in parentheses.

Each tab renders the open triage workload as a list of app cards. A card shows the app icon, title, developer or app identifier, version, genre, store rating, download count, and app size, plus the organization (brand) the app was matched against. From the card you can open the app's live store listing, mark it as genuine (if it really is yours), or leave a comment for your team. A Download button in the page header exports the current store's fake-app list to Excel.

The count in each tab badge is the number of open fake apps for that store — newly detected apps plus apps with a takedown already requested. Apps you confirm as genuine, or that have completed takedown, drop out of this view (see How it works).

Where this fits

Fake Applications is the brand-protection lens on mobile apps. It shares its data and backend with the attack-surface Mobile Applications inventory: the same scanned app records are surfaced here, filtered down to the ones that are not yours and still open. Confirming an app as genuine flips its record to Genuine Apps so it no longer surfaces as a fake.

How it works

The mechanics below are not visible from the UI but determine exactly what you see and what each action does.

How apps are discovered and matched

ShadowMap continuously searches the Play Store and App Store using your organization's brand keywords, names, and developer identifiers. Every matching app is scanned and stored as a mobile application record tagged to the organization (brand) it matched. An app appears in Fake Applications when it matched your brand but has not been confirmed as one of your own. Each record carries the store it came from, its store metadata (title, version, genre, rating, install count, size, developer e-mail, description, icon, live URL), and the brand organization(s) it was matched against — shown as tags on the card.

What "open" means — the status model

Every app record has an internal status (is_genuine) that decides whether it shows up here. There are five states:

| Status | Meaning |
| --- | --- |
| Online | Newly detected fake app, live and untriaged. This is the default state for a freshly found impersonating app. |
| Requested Takedown | A takedown has been requested for this app and is in flight. |
| Genuine Apps | An analyst confirmed the app is legitimately yours (or your authorized partner's). It is no longer a fake. |
| Reviewed | An analyst triaged the app and dismissed it from the open queue without confirming it as genuine. |
| Takedown Completed | The takedown succeeded and the app was removed from the store. |

The Fake Applications tabs show only the open triage workload: apps that are Online or Requested Takedown, plus any app that has not yet been assigned a status. Genuine, Reviewed, and Takedown-Completed apps are excluded — they are settled triage, not open work.

One definition of "fake," used everywhere

This same open-workload definition (Online + Requested Takedown) feeds the Brand Protection overview KPI card, the activity feed, and these store tabs. They are wired to a single shared predicate, so a "New Fake Application found" feed item is always reflected in the KPI count and appears in the list here — the three views can never disagree.

What the list is scoped to

Each store tab loads the open fake apps for that store — the same open set the tab badge counts. The list is scoped to a single store at a time (Play Store or App Store), determined by which tab you are on, and is ordered by developer identifier. Marking an app genuine removes it from the list and decrements that store's tab count in place.

Genre, rating, installs, and size

App metadata is normalized per store:

  • Genre comes from an indexed genre value on the record, falling back to the store's category field (Play Store category ID or App Store primary genre) when needed.
  • Rating is the store's average star score (Play Store score text or App Store score), rendered to one decimal with a star icon.
  • Downloads is the human-readable install count. This is populated for Play Store apps; the App Store does not expose install counts, so it is typically blank for iOS apps.
  • Size is the app's download size — shown as reported for Play Store apps, and formatted from bytes for App Store apps. Shows N/A when the store does not provide it.

These figures come straight from the store listing and are useful triage signals — a "banking" app with a handful of downloads, a generic developer e-mail, and a recent publish date is a far stronger impersonation candidate than an established, high-install app.
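One way to rank an exported fake-app list by the triage signals named above, as an added example that is not ShadowMap code. The field names, weights, thresholds, reference date, and the developer and mail-domain lists are all assumptions; it also covers the App Store case where no install count exists.

```python
import re
from datetime import date

# Assumptions (not from ShadowMap): field names, weights, thresholds, lists.
OWN_DEVELOPER_IDS = {"Example Bank Ltd"}  # your real publisher identities
GENERIC_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}
_UNITS = {"": 1, "K": 1_000, "M": 1_000_000, "B": 1_000_000_000}
TODAY = date(2024, 6, 1)  # constructed reference date for the sample below

def parse_installs(text):
    """Turn a human-readable count such as '10K+' or '1,000+' into an int.
    Returns None when the store gives no figure (typical for App Store)."""
    m = re.fullmatch(r"\s*(\d[\d.,]*)\s*([KMB]?)\+?\s*", (text or "").upper())
    if not m:
        return None
    return int(float(m.group(1).replace(",", "")) * _UNITS[m.group(2)])

def triage_score(app, today):
    """Return (score, reasons); a higher score means review first."""
    hits = []
    if app["developer_id"] not in OWN_DEVELOPER_IDS:
        hits.append((3, "developer not ours"))
    domain = app.get("developer_email", "").rpartition("@")[2].lower()
    if domain in GENERIC_MAIL_DOMAINS:
        hits.append((2, "generic developer e-mail"))
    installs = parse_installs(app.get("downloads"))
    if installs is None:
        hits.append((0, "no install count"))  # iOS: rely on other signals
    elif installs < 1_000:
        hits.append((2, "low installs"))
    if (today - app["published"]).days <= 30:
        hits.append((2, "recently published"))
    return sum(p for p, _ in hits), [r for _, r in hits]

def rank(apps, today):
    """Order apps so the strongest impersonation candidates come first."""
    return sorted(apps, key=lambda a: triage_score(a, today)[0], reverse=True)

# Constructed sample rows, not real store data.
SAMPLE = [
    {"title": "Example Bank", "developer_id": "Example Bank Ltd", "downloads": "1M+",
     "developer_email": "apps@examplebank.example", "published": date(2021, 3, 1)},
    {"title": "Example Bank Login", "developer_id": "fastapps2024", "downloads": "50+",
     "developer_email": "fastapps2024@gmail.com", "published": date(2024, 5, 20)},
    {"title": "Example Bank Pay", "developer_id": "Unknown Dev", "downloads": "",
     "developer_email": "dev@gmail.com", "published": date(2024, 5, 25)},
]
```

A missing install count adds no points either way, so an iOS app is ranked on developer identity, e-mail domain, and publish recency alone.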

Understanding the card

Each app is a card. The fields shown:

| Field | What it tells you |
| --- | --- |
| Icon | The app's store icon — useful for spotting visual brand mimicry. |
| Title | The app's display name on the store. |
| Developer ID | The publishing developer's identifier. A developer that is not yours publishing under your brand is a strong fake signal. |
| Version | The current published version of the app. |
| Genre | The store category the app is listed under. |
| Brand tag(s) | The organization(s) in your account the app was matched against. |
| Rating | The store's star rating for the app. |
| Downloads | Install count (Play Store). |
| Size | App download size. |
| Updated | When ShadowMap last updated this record, shown as a relative time. |

Play Store vs. App Store differences

The two stores expose different metadata. Play Store cards carry a real install count; App Store cards generally have no install figure. Both show the developer identifier, rating, size, genre, and the live store URL.

Taking action

The actions available directly on a Fake Applications card are deliberately narrow — this view is for confirming ownership and flagging, not full takedown management.

Visit the store listing

Click Visit Play Store / Visit App Store on the card to open the live store page in a new tab so you can verify the impersonation yourself.

Mark Genuine

If the app really is yours (or an authorized partner's), click Mark Genuine. This:

  • Moves the app to Genuine Apps status, removing it from the fake queue immediately.
  • Decrements the store tab's open count in real time.

Mark Genuine is a triage decision

Marking an app genuine takes it out of the open fake queue. Only confirm apps you have verified are legitimately yours — once genuine, the app no longer surfaces as a fake here.

Bulk mark genuine

Use the in-card select control to check multiple apps. A bulk action bar appears showing the number selected, with Mark Genuine (applies the action to all selected apps) and Clear (deselect all). This is the fast path when a scan returns several of your own legitimate apps in one batch.

Comment

Each card has a Comment affordance for leaving notes for your team — for example, why an app was dismissed or escalated. Comments support reusable templates configured for mobile applications.

Export

Click Download in the page header to export the current store's fake apps to Excel. The export runs as a background task: a progress toaster appears, and when the file is ready a Download button surfaces in the toaster to save the .xlsx. The filename is prefixed fake_mobile_applications_export.

Takedowns are managed centrally

Requesting and tracking app takedowns (the Requested Takedown and Takedown Completed states) is driven from ShadowMap's takedown workflow rather than from a button on this page. Requesting a takedown for an app marks it as a confirmed fake and moves it into the open "Requested Takedown" state. See Takedowns and the takedowns dashboard at Takedowns.

Common questions

Why is an app I know is mine showing up as fake? Discovery matches on your brand keywords and names, so your own apps surface here until someone confirms them. Click Mark Genuine to move the app to Genuine Apps status — it will no longer appear in the fake queue.

An app left the list right after I acted on it — where did it go? Marking an app genuine (or requesting its takedown) removes it from the open queue immediately and decrements the tab count. Genuine apps move to Genuine Apps status; takedown-requested apps move to the in-flight Requested Takedown state tracked in the takedowns workflow.

Why is the Downloads field empty for an iOS app? The Apple App Store does not publish install counts, so the Downloads stat is blank for App Store apps. Use rating, version, developer identity, and publish recency as your triage signals instead.

Can I request a takedown from this page? Not directly. This page is for confirming ownership (Mark Genuine), commenting, and exporting. Takedown requests are submitted and tracked through ShadowMap's takedown workflow; once requested, the app appears in the open queue as Requested Takedown and in the takedowns dashboard.

Who can mark apps genuine? Marking an app genuine writes a status change, so it requires mobile-applications write access. Members without write permission on the module cannot perform this action. See Roles and permissions.

ShadowMap - External Attack Surface Management