June 24, 2014

Cloned banking app stealing usernames sneaks into Google Play

This week, Lookout became aware of a cloned banking app in the Google Play store that steals users’ credentials but, curiously, not their passwords.

We alerted Google, which immediately removed the app. All Lookout users are protected from this app.

The malware, called BankMirage, targets the customers of an Israeli bank called Mizrahi Bank. The authors put a wrapper around the bank’s legitimate app and redistributed it on the Google Play store, pretending to be the financial institution.

Once a victim opens the app, the malware loads the login form, an in-app HTML page that has been changed to siphon off the victim’s user ID as they enter their credentials. It’s effectively a phishing attack.

But what’s curious about the malware is that it only steals the user ID. Indeed, those who built the malware inserted a comment into the code dictating that only the user ID be taken, not the passwords.

Once the user ID is stored, the app shows the user a message saying that the login failed and telling them to reinstall the legitimate banking app from the Play Store instead.
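Because the clone described above wraps the legitimate app and alters its in-app login page, comparing the web assets bundled in a suspect APK against the publisher's reference build exposes the change. The following is an added example, not code from Lookout or from the malware; the asset paths, file names and contents are constructed, and it assumes the login page ships as a file inside the APK archive.

```python
import hashlib
import io
import zipfile

WEB_EXT = (".html", ".htm", ".js")

def web_asset_hashes(apk_bytes):
    """Map each bundled web asset path to the SHA-256 of its contents."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        return {
            name: hashlib.sha256(apk.read(name)).hexdigest()
            for name in apk.namelist()
            if name.lower().endswith(WEB_EXT)
        }

def diff_web_assets(reference_apk, candidate_apk):
    """Compare a candidate APK's web assets with the publisher's reference build."""
    ref = web_asset_hashes(reference_apk)
    cand = web_asset_hashes(candidate_apk)
    return {
        "modified": sorted(n for n in ref.keys() & cand.keys() if ref[n] != cand[n]),
        "added": sorted(cand.keys() - ref.keys()),
        "removed": sorted(ref.keys() - cand.keys()),
    }

def _build_apk(files):
    """Build a constructed in-memory archive standing in for an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()

# Constructed sample data: paths and contents are hypothetical.
LEGIT = _build_apk({
    "assets/login.html": "<form id='login'><input name='uid'><input name='pw' type='password'></form>",
    "assets/app.js": "function submitLogin() { /* original logic */ }",
    "classes.dex": "dex-placeholder",
})
CLONE = _build_apk({
    "assets/login.html": "<form id='login'><input name='uid'></form><!-- altered form -->",
    "assets/app.js": "function submitLogin() { /* original logic */ }",
    "assets/extra.js": "/* file not present in the reference build */",
    "classes.dex": "dex-placeholder-changed",
})

if __name__ == "__main__":
    print(diff_web_assets(LEGIT, CLONE))
```

A modified or added login asset in an app that claims to be the bank's own build is a strong signal to pull the package for manual review.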

Banking malware is one of those scary segments of threats that touches some of the most personal information a person has: their finances. This kind of malware isn’t as prevalent in the U.S. as it is in the E.U. and Asia Pacific countries. We have seen Korean-based banking malware that, instead of slipping into Google Play, masquerades as the Google Play Store app itself.

PlayBanker, for example, pretends to be Google Play and sends out push notifications to lure victims into downloading rogue banking apps. Another, BankUn, checks for the presence of eight major, legitimate Korean banking apps and then attempts to replace them with rogue ones.

Unfortunately, when an app sneaks into the Google Play store, it’s hard to protect yourself by traditional means, such as checking whether the developer is one you trust or making sure ‘Unknown sources’ is unchecked on your phone to prevent dropped or drive-by-download app installs.

You can, however, go on some instincts. For example, if you see a duplicate of the app you’re trying to download, one might not be legitimate. You can otherwise keep yourself safe by installing an app-scanning security solution on your phone, such as Lookout.
