Light Dark
August 1, 2018 By David Bisson 2 min read

Three fake Android banking apps phished for users’ credit card details and then leaked them online by transferring them to an exposed server.

On July 26, 2018, Slovakian security firm ESET reported that it notified Google about the three fake banking apps that were uploaded to the Google Play Store in June and July 2018. Each of the impostor programs promised to increase users’ credit card limits at one of three Indian banks and presented users with a form to supposedly collect their credit card information.

Upon completing the forms, the apps directed users to a final screen indicating that a “customer service executive” would be in touch soon. Instead, the applications sent users’ information in plaintext to a server where anyone with a link — not just the attackers — could access the saved data.

Fake Android Banking Apps Exploit Common Mobile Security Weaknesses

This campaign highlights attackers’ ongoing interest in mobile banking, which has given rise to a host of new security threats. First, fraudsters are now targeting users with fake mobile banking apps — and users often can’t distinguish between real and potentially malicious programs. According to Avast, 36 percent of users have mistaken fraudulent banking applications as legitimate.

At the same time, banks’ legitimate mobile applications often suffer from security weaknesses themselves. For instance, researchers at the University of Birmingham in the U.K. discovered in December 2017 that even some “high-security” banking, stock trading, cryptocurrency and virtual private network (VPN) applications were susceptible to man-in-the-middle (MitM) attacks due to failure to verify the hostname.

How Can Organizations Stave Off Mobile Banking Threats?

Security professionals should adopt a multipronged approach to defend their organizations against the threat of fake mobile banking apps. IBM experts recommend investing in mobile threat prevention (MTP) solutions, as well as a mobile device management (MDM) platform that allows access to only certain approved applications.

Security leaders can also protect Android devices from fraudulent apps by implementing unified endpoint management (UEM) and over-the-air (OTA) support.

Sources: WeLiveSecurity, Avast, University of Birmingham

 |  |  |  |  |  |  |  |  |  |  |  |  | 
David Bisson
Contributing Editor

More from

May 3, 2024

What we can learn from the best collegiate cyber defenders

3 min read - This year marked the 19th season of the National Collegiate Cyber Defense Competition (NCCDC). For those unfamiliar, CCDC is a competition that puts student teams in charge of managing IT for a fictitious company as the network is undergoing a fundamental transformation. This year the challenge involved a common scenario: a merger. Ten finalist teams were tasked with managing IT infrastructure during this migrational period and, as an added bonus, the networks were simultaneously attacked by a group of red…

May 2, 2024

A spotlight on Akira ransomware from X-Force Incident Response and Threat Intelligence

7 min read - This article was made possible thanks to contributions from Aaron Gdanski.IBM X-Force Incident Response and Threat Intelligence teams have investigated several Akira ransomware attacks since this threat actor group emerged in March 2023. This blog will share X-Force’s unique perspective on Akira gained while observing the threat actors behind this ransomware, including commands used to deploy the ransomware, active exploitation of CVE-2023-20269 and analysis of the ransomware binary.The Akira ransomware group has gained notoriety in the current cybersecurity landscape, underscored…

May 1, 2024

New proposed federal data privacy law suggests big changes

3 min read - After years of work and unsuccessful attempts at legislation, a draft of a federal data privacy law was recently released. The United States House Committee on Energy and Commerce released the American Privacy Rights Act on April 7, 2024. Several issues stood in the way of passing legislation in the past, such as whether states could issue tougher rules and if individuals could sue companies for privacy violations. With the American Privacy Rights Act of 2024, the U.S. government established…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature