

At least 4 percent of all Black Friday-themed apps are malicious, stealing login credentials and credit card details instead of providing holiday shopping help.
That’s according to research from digital threat management firm RiskIQ Inc., which warned shoppers to be careful ahead of the biggest retail day of the year coming Nov. 24.
The research involved running keyword queries through RiskIQ’s Global Blacklist and mobile app database. The company looked for instances where the brand names of five leading online retailers in the United States appeared alongside the term “Black Friday” in blacklisted URLs or “cause page” URLs, which send users to a page hosting something malicious.
The results were deeply disturbing, with the researchers finding that one in 25 apps promoting the day were fake. Each of the top five brands was found to have at least 15 malicious apps available that use their branding alongside the term “Black Friday,” for a combined total of more than 1,451 blacklisted URLs linked to spam, malware and phishing.
Not stopping there, the researchers then investigated the number of fake apps targeting the top five online retailers generally, not just Black Friday-themed ones, finding a staggering 32,000 malicious apps.
“Last year, consumers spent $9.36 billion online over the four-day Black Friday weekend, of which $1.2 billion was driven by mobile shopping,” RiskIQ said in a statement. “If online retail sales grow at 2016’s year-over-year rate of 16.4 percent, some $10.8 billion in 2017 holiday shopping revenues could be at risk of diversion and theft. Similarly, $1.6 billion in mobile retail sales could be compromised by year-end if 2016’s 33 percent year-over-year growth rate continues.”
RiskIQ said that although buyers should be aware of the risks, online retailers need to do more as well and “should heed the wake-up call” to protect their reputation better and extend that protection to their consumers.
“With online fraud, data leakage, and ransomware on the rise, online retailers have ample reason to redouble their focus on how their brands are being used fraudulently by external threat actors across the internet and global mobile app ecosystem to target their customers,” the researchers added.