A report into Android banking malware by ESET has found that simple-to-develop fake banking apps are highly effective against unsuspecting users, with victims seeing their bank accounts emptied after they are lured into providing their login credentials.

The report found two approaches to be the most popular types of Android banking malware found on the Google Play store: fake banking apps and Trojans.

The latter are highly sophisticated types of malware that hide within apps that appear to have nothing to do with banking, including battery managers, device cleaners and horoscope apps.

They work by dynamically targeting other apps installed on the user’s phone, impersonating these other apps on the fly to make users believe they are using their own banking apps.

However, they are highly complicated to make, and prompt permissions requests that can put off wary users.

As a result, ESET has found that fake banking apps are, in fact, more effective at scamming users, despite the fact that they are far less sophisticated from a technological perspective.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData
Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

How fake banking apps are duping Android users

Fake banking apps rely more on social engineering than clever technological tricks. They are designed to closely resemble the real thing on the Google Play store, with convincing-looking names, screenshots and descriptions.

In many cases, scammers choose to mimic banks for which no app yet exists, making their appearance as the genuine article more plausible to users.

In all cases, once the user downloads the app, they are presented with a legitimate looking login screen, where they are prompted to enter their banking details. And because they already believe the app is real, the vast majority of users do exactly that.

However, instead of seeing their bank details, users are instead presented with a confirmation message such as “Thank you” or “Congratulations”, at which point they app’s functionality ends. Meanwhile their bank details are sent to the scammers, who promptly use it to empty their bank account.

It’s an effective approach – and one that has largely been overlooked by the security community.

“Our analysis of the two types of banking malware – both of which have previously been discovered in the official Google Play store – has shown that the simple operation of fake banking apps comes with certain advantages that the feared banking Trojans don’t have,” said Lukáš Štefanko, ESET malware researcher.

“While banking Trojans have long been regarded as a serious threat to Android users, fake banking apps have sometimes been overlooked due to their limited capabilities. Despite not being technically advanced, we believe fake banking apps might be just as effective at emptying bank accounts as banking Trojans.”

How users can protect themselves

For users at risk of falling victim to such fake banking apps, ESET advises vigilance.

The company recommends that Android owners ensure they always run updates that become available, and use a mobile security solution from a trusted vendor for extra security.

They should also avoid unofficial app stores, which can be maximised by keeping the “installation of apps from unknown sources” option disabled on their smartphones.

Furthermore, users should always read the reviews and number of installs on an app they are considering downloading – as these can provide an indication that something is not right.

Finally, however, when it comes to banking and finance apps, users should only download those linked directly from trusted organisations’ websites.


Read more: Data breaches threaten customer trust in Open Banking