February 15, 2019

Fake banking apps luring Android users into giving away the keys to their cash

By Lucy Ingham

A report into Android banking malware by ESET has found that simple-to-develop fake banking apps are highly effective against unsuspecting users, with victims seeing their bank accounts emptied after they are lured into providing their login credentials.

The report identified two approaches as the most popular types of Android banking malware found on the Google Play store: fake banking apps and Trojans.

The latter are highly sophisticated types of malware that hide within apps that appear to have nothing to do with banking, including battery managers, device cleaners and horoscope apps.

They work by dynamically targeting other apps installed on the user’s phone, impersonating these other apps on the fly to make users believe they are using their own banking apps.

However, they are highly complicated to make, and prompt permissions requests that can put off wary users.

As a result, ESET has found that fake banking apps are, in fact, more effective at scamming users, despite the fact that they are far less sophisticated from a technological perspective.

How fake banking apps are duping Android users

Fake banking apps rely more on social engineering than clever technological tricks. They are designed to closely resemble the real thing on the Google Play store, with convincing-looking names, screenshots and descriptions.

In many cases, scammers choose to mimic banks for which no app yet exists, making their appearance as the genuine article more plausible to users.

In all cases, once the user downloads the app, they are presented with a legitimate-looking login screen, where they are prompted to enter their banking details. And because they already believe the app is real, the vast majority of users do exactly that.

However, instead of seeing their bank details, users are presented with a confirmation message such as “Thank you” or “Congratulations”, at which point the app’s functionality ends. Meanwhile, their bank details are sent to the scammers, who promptly use them to empty their bank account.

It’s an effective approach – and one that has largely been overlooked by the security community.

“Our analysis of the two types of banking malware – both of which have previously been discovered in the official Google Play store – has shown that the simple operation of fake banking apps comes with certain advantages that the feared banking Trojans don’t have,” said Lukáš Štefanko, ESET malware researcher.

“While banking Trojans have long been regarded as a serious threat to Android users, fake banking apps have sometimes been overlooked due to their limited capabilities. Despite not being technically advanced, we believe fake banking apps might be just as effective at emptying bank accounts as banking Trojans.”

How users can protect themselves

For users at risk of falling victim to such fake banking apps, ESET advises vigilance.

The company recommends that Android owners ensure they always run updates that become available, and use a mobile security solution from a trusted vendor for extra security.

They should also avoid unofficial app stores, a protection that can be maximised by keeping the “installation of apps from unknown sources” option disabled on their smartphones.

Furthermore, users should always check the reviews and number of installs of an app they are considering downloading – as these can provide an indication that something is not right.

Finally, when it comes to banking and finance apps, users should only download those linked directly from trusted organisations’ websites.
