A report into Android banking malware by ESET has found that simple-to-develop fake banking apps are highly effective against unsuspecting users, with victims seeing their bank accounts emptied after they are lured into providing their login credentials.

The report found two approaches to be the most popular types of Android banking malware found on the Google Play store: fake banking apps and Trojans.

The latter are highly sophisticated types of malware that hide within apps that appear to have nothing to do with banking, including battery managers, device cleaners and horoscope apps.

They work by dynamically targeting other apps installed on the user’s phone, impersonating these other apps on the fly to make users believe they are using their own banking apps.

However, they are highly complicated to make, and prompt permissions requests that can put off wary users.

As a result, ESET has found that fake banking apps are, in fact, more effective at scamming users, despite the fact that they are far less sophisticated from a technological perspective.

How fake banking apps are duping Android users

Fake banking apps rely more on social engineering than clever technological tricks. They are designed to closely resemble the real thing on the Google Play store, with convincing-looking names, screenshots and descriptions.

In many cases, scammers choose to mimic banks for which no app yet exists, making their appearance as the genuine article more plausible to users.

In all cases, once the user downloads the app, they are presented with a legitimate-looking login screen, where they are prompted to enter their banking details. And because they already believe the app is real, the vast majority of users do exactly that.

However, instead of seeing their account details, users are presented with a confirmation message such as “Thank you” or “Congratulations”, at which point the app’s functionality ends. Meanwhile, their bank details are sent to the scammers, who promptly use them to empty the victim’s bank account.

It’s an effective approach – and one that has largely been overlooked by the security community.

“Our analysis of the two types of banking malware – both of which have previously been discovered in the official Google Play store – has shown that the simple operation of fake banking apps comes with certain advantages that the feared banking Trojans don’t have,” said Lukáš Štefanko, ESET malware researcher.

“While banking Trojans have long been regarded as a serious threat to Android users, fake banking apps have sometimes been overlooked due to their limited capabilities. Despite not being technically advanced, we believe fake banking apps might be just as effective at emptying bank accounts as banking Trojans.”

How users can protect themselves

For users at risk of falling victim to such fake banking apps, ESET advises vigilance.

The company recommends that Android owners ensure they always run updates that become available, and use a mobile security solution from a trusted vendor for extra security.

They should also avoid unofficial app stores, which is best enforced by keeping the “installation of apps from unknown sources” option disabled on their smartphones.

Furthermore, users should always read the reviews and number of installs on an app they are considering downloading – as these can provide an indication that something is not right.

Finally, however, when it comes to banking and finance apps, users should only download those linked directly from trusted organisations’ websites.
