Everyone has an app, it seems. And it should come as little surprise that ISIS, or the Islamic State, also has its own app. Apps, really—and they're all installable on Android devices, which is much easier to deal with for sideloading apps than an iOS device.
According to a report from Motherboard, ISIS has at least six different mobile apps that interested parties can grab and install on their devices. You won't find these on the Google Play store, obviously, but it's not that difficult to pass an .apk around to a community of people through websites, emails, physical media, et cetera.
However, this unofficial distribution process makes it easier for others to host fake versions of apps and pass them around as if they were real. And that's exactly what's happening in the case of ISIS. Warnings are currently being issued that altered versions of these apps are floating around—a valuable means of intelligence for those that want to learn more about ISIS innerworkings, no doubt.
"Recently, a fake copy of al-Bayan broadcast, 'Amaq, and others were circulated. The publishing individual claimed that they are in several languages and it appeared that it aims for breaching, so we advise all supporters of the State of the Caliphate to count on the official channels while uploading these applications and verify the digital fingerprint for the application before starting it," reads one such warning, published to various ISIS social media channels and distributed by those who actually built (and host) some of ISIS' apps.
It's likely that ISIS will keep creating new apps and updating its existing apps regardless, and the threat of hijacked apps will just have to be in the background of supporters' minds when they go to install something new. We wager that not many people are looking at checksums to determine whether the .apk files they're installing are identical to the "real" .apk files that more official sources are putting out. That, unfortunately, is a common issue when there isn't really a centralized location to obtain these kinds of files—or, at least, not one that is guaranteed to remain online 100 percent of the time.
What we don't know is what group (or groups) is specifically trying to hijack ISIS' apps and what they plan to learn from doing so. Or, for that matter, if these attackers have more nefarious plans in mind: Sideloading malware onto supporters' devices instead of just trying to learn more about them (and possibly their account credentials for other services).