Another set of fake finance apps has found its way into the official Google Play store. This time, the apps have impersonated six banks from New Zealand and Australia (CommBank, ANZ, ASB Bank), the United Kingdom (TSB Bank), Switzerland (PostFinance) and Poland (Santander Bank Polska SA), and the Austrian cryptocurrency exchange Bitpanda. Using bogus forms, the malicious fakes phish for credit card details and/or login credentials to the services.
The malicious fakes were uploaded to Google Play in June 2018 and were installed more than a thousand times before being taken down by Google. The apps were uploaded under different developer names, each using a different guise, but code similarities suggest the apps are the work of a single attacker.
How do the apps operate?
While the apps don’t follow one common procedure, upon launch they all display forms requesting credit card details and/or login credentials to the targeted bank or service. If users fill out such a form, the submitted data is sent to the attacker’s server. The apps then present their victims with a “Congratulations” or “Thank you” message, which is where their functionality ends.
How to stay safe?
If you suspect that you have installed and used one of these malicious apps, we advise you to uninstall it immediately.
Also, change your credit card PIN codes as well as internet banking passwords and check your bank accounts for suspicious activity. If there have been unusual transactions, contact your bank. Users of the Bitpanda cryptocurrency exchange who think they have installed the fake mobile app are advised to check their accounts for suspicious activity and change their passwords.
To avoid falling victim to phishing and other fake financial apps, we recommend that you:
- Only trust mobile banking and other finance apps if they are linked from the official website of your bank or the financial service
- Only download apps from Google Play; this does not ensure the app is not malicious, but apps like these are much more common on third-party app stores and are rarely removed once uncovered, unlike on Google Play
- Pay attention to the number of downloads, app ratings and reviews when downloading apps from Google Play
- Only enter your sensitive information into online forms if you are sure of their security and legitimacy
- Keep your Android device updated and use a reliable mobile security solution; ESET products detect and block these malicious apps as Android/Spy.Banker.AIF, Android/Spy.Banker.AIE and Android/Spy.Banker.AIP
For more details and screenshots of the attacks, see ESET Ireland’s official blog post.