Black Friday shopping apps are a great way to find the hottest deals on holiday gifts, but if you’re not careful, they can also expose your credit card numbers and other personal data to theft.

According to a new study from the cybersecurity firm RiskIQ, one in 25 Black Friday apps is a scam. Instead of helping you save money, they're designed to trick you into revealing private information or downloading malware onto a phone or laptop.

In the eyes of cybercriminals, the start of the holiday shopping season is a great opportunity to expand their reach.

“It makes perfect sense that they’d use Black Friday,” says Mike Wyatt, RiskIQ’s director of product operations. “It’s one of the headline-grabbing shopping events of the year.”

RiskIQ, which specializes in digital threat management, conducted the study by searching global app stores for the term “Black Friday,” which identified 4,356 shopping apps. It then compared that list against blacklists that chronicle apps deemed unsafe to use.

The company discovered that about 4 percent of the Black Friday apps had been blacklisted as malicious, mostly sold in third-party app stores and not those operated by Apple or Google.

Other security experts contacted by Consumer Reports said RiskIQ's findings were not surprising.

"I'm only surprised that the percentage of malicious apps was that low," says Chester Wisniewski, a principal research scientist for the cybersecurity firm Sophos.

There's no reliable way to track how much this type of fraud costs U.S. consumers and the economy, but security experts agree that it's a growing problem and that malicious apps are a somewhat new phenomenon under the broader heading of cyberfraud.

In addition to requesting credit card information, the fake Black Friday apps frequently asked users to enter login information for email and social media sites, which in turn give hackers access to personal information such as maiden names and birth dates. Some of the apps contained malware that can lock a smartphone down until you agree to pay a ransom.

To avoid getting victimized by these scams, it's smart to stick with reputable shopping apps from developers such as FatWallet and DealNews.

And for more safety tips, see the list below.

How to Spot a Fake App

[Image: The description for this Black Friday app, flagged as fake by the RiskIQ study, is riddled with odd phrasing. Photo: RiskIQ]

Wyatt and Wisniewski offered the following advice to help you avoid malicious apps—Black Friday-themed and otherwise.

  • Download apps only from official stores. Apple and Google both have security measures to protect users from bad apps. And the vast majority of malicious Black Friday apps identified by RiskIQ were downloaded from third-party stores. That doesn't mean the screening processes at Apple and Google are foolproof; just that they offer extra protection.
  • Don't assume that an app linked to a popular retailer is safe. RiskIQ found that cybercriminals often used well-known brand names in the title or description of their fake Black Friday apps.
  • Look for misspellings and odd phrasing in the app's description. Sloppiness is a red flag, Wyatt says. If the app requests permission to track your location, access your personal information, or perform other tasks outside of its purview, that's a bad sign, too.
  • Do a spot check on the app's developer. If you don't recognize the name, do a Google search to see whether it's legit, RiskIQ recommends. Developers that use Gmail, Hotmail, and other free email services are often sketchy.
  • Don't trust the reviews. It's easy to forge good ones—even lots of good ones, Wyatt says.