CBA and ANZ caught in fake banking apps scam


This was published 5 years ago

By Nina Hendy

More than a thousand bank customers have unwittingly downloaded malicious banking apps impersonating legitimate ANZ and Commonwealth Bank apps from the Google Play store.

The fake apps appear to have gone undetected for weeks, phishing for credit card details and/or banking log-in credentials from unsuspecting bank customers.

A fraudster impersonated the Commonwealth Bank's app on Google Play. Credit: Josh Robenstone

Nick FitzGerald, senior research fellow at IT security company ESET, said the apps were installed more than 1000 times before ESET alerted Google two weeks ago. Google would not confirm the number of downloads.

How many Australians actually parted with their personal log-in credentials or credit card information is unknown.

ANZ confirmed a customer alerted it to a fraudulent app in June. “We worked closely with the Google Play team to have the app removed in a few hours,” a spokesperson said.

The fake apps as they appeared in the Google Play store.

CBA didn’t answer direct questions about this hoax, instead releasing a statement that said: “Once a suspicious app is identified, we work with the app store to ensure the app is quickly removed or disabled.”

Commonwealth-owned ASB, which operates in New Zealand, confirmed that two customers contacted the bank about the rogue app in May.

Banks in Britain, Switzerland and Poland were also caught up in the scam. Major European cryptocurrency exchange Bitpanda was also impersonated.

The fact that major banking institutions could be replicated and then allowed to trade on Google Play raises serious questions about the automated verification process used to authenticate new apps.

A Google spokeswoman said: “We remove applications that violate our policies, such as apps that are illegal or that promote hate speech. We don’t comment on individual applications; you can check out our policies for more information.”

ESET discovered the fake banking apps during routine checks conducted by researchers.

Mr FitzGerald said it was rare for fake banking apps to pass the automated Google Play tests and make it into the store.

Code similarities suggest the apps are the work of a single attacker, he said.

“This is a big concern for anyone who may have handed over personal information. The loss of personally identifiable information can result in financial fraud that may affect you for the rest of your life very negatively,” Mr FitzGerald said.

The fake apps requested credit card details or log-in credentials once launched. If users filled out the form, the submitted data was sent to the attacker’s service, he said.

The apps then presented victims with a “congratulations” or “thank you” message, which is where the app functionality ends, Mr FitzGerald said.

Google Play uses automated tests to legitimise new apps, he said.

“Apps with less functionality are deemed less risky and given these fake banking apps only asked consumers to log in and then asked for their credit card details, they seemed to have slipped through.

“The apps use obfuscation, which may have contributed to them slipping into the store undetected.”

The scam falls outside the Notifiable Data Breaches Act introduced in January this year because the banks were impersonated, not hacked.

  • ANZ customers who believe they have downloaded a fake app should contact the bank immediately on 1800 033 844.
  • CBA customers can report suspicious apps on 13 2221.
  • Consumers should also change their credit card pin codes, internet banking passwords and check bank accounts for suspicious activity. If there have been unusual transactions, contact your bank.

How to avoid falling victim to phishing and other fake financial apps

  • Only trust mobile banking and other finance apps linked from the official website of your bank or financial service.
  • Only download apps from Google Play. While this doesn’t guarantee an app isn’t malicious, malicious apps are less common there and are removed immediately once uncovered.
  • Pay attention to the number of downloads, app ratings and reviews when downloading apps.
  • Only enter your sensitive information into online forms if you are sure of their security and legitimacy.
  • Keep your smartphone updated and use a reliable mobile security solution.

Source: ESET Software researchers
