January 27, 2010
Recently, there has been strong concern surrounding third-party mobile banking applications. A developer named Droidheaven released a Wells Fargo mobile banking app in mid-December. Droidheaven also has a large number of other applications in the Android Market, mostly Android themes.
After performing static and network analysis, our research team determined that the Droidheaven application was not doing anything actively malicious; however, we continue to warn users to be extremely cautious of third-party mobile banking applications. We found that the application contains only boilerplate WebView functionality pointing to Wells Fargo’s mobile web site. Additionally, the application requests only the “Network communication” permission, which prevents it from performing actions typical of malware, such as stealing contacts or trying to spread to people on your contact list.
There are several reasons why untrusted third-party mobile banking applications are risky:
- These apps could contain malicious code that steals your bank account info and password as soon as you type it in—all of this information is easily available to the application developer.
- You also have no way of knowing whether you are being directed to a legitimate mobile banking site or a phishing site designed to look identical. In the standard browser, you can check that the URL is correct and that the connection is encrypted with an appropriate certificate. In a third-party banking application, however, you can’t trust any such indicators (if they exist at all), because the application’s developer controls what they display and can make them show whatever is convenient.
- Applications that do nothing malicious today can easily be updated with a malicious version.
If your bank does not provide a mobile banking application, it’s easy to create a shortcut icon on your home screen that links to your bank’s mobile website.
Read on to see how to create a safe mobile banking bookmark on your home screen.
January 11, 2010
Mobile application marketplaces are a bazaar. They allow any developer the freedom to make his or her wares, legitimate or otherwise, available to the world. Because apps created by Barclays and Bank of America sit on the same virtual shelf as apps from one-person shops from throughout the world, marketplaces act as a great equalizer, granting the same algorithmic treatment to all. This openness has the tremendous benefit of encouraging innovation by decreasing both the friction and the barrier to entry of app development. No longer is it necessary to wade through a multi-month process just to make a single app available to consumers. The bazaar also comes with a risk: there is a greater burden on users to pass judgment on the sources of the applications they choose to download; caveat emptor. Even for marketplaces that have a vetting process, risk remains, as no vetting process can be perfect.
In December, we identified a large number of online banking applications added to the marketplace from a developer named 09Droid. Each application was branded with a specific bank’s logo/name and, to most users, looked to be an app produced by that bank.
Our team immediately began investigating these suspicious applications and found no evidence of malicious behavior in the 09Droid banking applications we analyzed. We performed both static and network analysis on the applications and found that the apps are nothing more than a thin wrapper around legitimate mobile banking websites; as shipped, they have no capability to steal information.
Even though the applications are not doing anything malicious now, with a simple update they could very easily capture thousands of online banking credentials. It would be easy to develop an application that intercepts usernames and passwords as a user logs into his or her bank.
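The two analyses above (the Droidheaven app and the 09Droid apps) both came down to the same first check: what permissions does the package declare, and would an update quietly widen them? As an added example, not taken from the original post or from Lookout’s own tooling, the script below performs that triage on a decoded AndroidManifest.xml (the text form a tool such as apktool produces from an APK’s binary manifest). The sample manifests, package name, and the list of “sensitive” permissions are constructed for illustration, not taken from any real app.

```python
import xml.etree.ElementTree as ET

# Namespace every AndroidManifest.xml uses for its android: attributes.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions a thin WebView wrapper around a bank's website has no reason
# to request. Illustrative triage list (assumption); a real one is longer.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
}

# The most a "Network communication"-only app is expected to request.
WRAPPER_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
}


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def triage(manifest_xml):
    """Classify a manifest: does it look like a harmless WebView wrapper?"""
    perms = requested_permissions(manifest_xml)
    return {
        "permissions": sorted(perms),
        "flagged": sorted(perms & SENSITIVE_PERMISSIONS),
        "unexpected": sorted(perms - WRAPPER_PERMISSIONS),
        # Subset test: nothing beyond the network permissions is declared.
        "looks_like_thin_wrapper": perms <= WRAPPER_PERMISSIONS,
    }


def added_permissions(old_manifest_xml, new_manifest_xml):
    """Permissions an update introduces; growth here is the warning sign."""
    return sorted(requested_permissions(new_manifest_xml)
                  - requested_permissions(old_manifest_xml))


# Constructed sample manifests (hypothetical package, not a real app).
WRAPPER_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bankwrapper">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Example Bank">
        <activity android:name=".WebViewActivity"/>
    </application>
</manifest>
"""

# The same package after a hypothetical "update" that widens its reach.
UPDATED_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bankwrapper">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <application android:label="Example Bank">
        <activity android:name=".WebViewActivity"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    print("v1:", triage(WRAPPER_MANIFEST))
    print("v2:", triage(UPDATED_MANIFEST))
    print("added by update:",
          added_permissions(WRAPPER_MANIFEST, UPDATED_MANIFEST))
```

The manifest check only bounds what an app can do through the permission system; it says nothing about where the WebView actually points or what JavaScript the wrapper injects into the page, which is why the network analysis the post describes is still needed. Re-running the same comparison on every update is what catches the "benign today, malicious tomorrow" case.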
The existence of third-party applications from non-reputable developers handling extremely sensitive data raises an important concern. As people use their phones for ever more sensitive tasks (e.g. managing their bank accounts), the incentive for attackers grows, and phishing applications are likely to become a significant threat. Meanwhile, potentially malicious applications can use mobile application marketplaces to gain direct distribution to hundreds of millions of people.
Unsurprisingly, all of the 09Droid banking applications have since been removed from the Android Market, as the apps made unauthorized use of bank names and logos, leading users to think that the apps were officially provided by their respective banks. There is an important lesson here: you should never entrust sensitive information, such as online banking credentials, to a third-party application from a non-reputable developer. If the app wasn’t released by YOUR bank, then you probably shouldn’t use it.
Remember, if you ever see an application from an unknown developer posing as a well-known company or any other suspicious application, be sure to report it to our response team by emailing security /at/ lookout /dot/ com. We’ll be ready.