Fraudulent banking applications discovered on Google Play filter data stolen from credit cards

A new group of fake banking apps was discovered that found its way into the official Google Play store. Offering to increase the credit limit of the card for users of three banks in India, malicious applications require credit card details and identification information to access Internet banking services using fraudulent methods. But the worst is that the stolen data of the victims are filtered on the Internet and in plain text, through an exposed server.

Fake apps were uploaded to Google Play in June and July 2018 and were installed by hundreds of users before being unsubscribed once ESET informed Google. The applications were downloaded under the name of three different developers, each posing as a different Indian bank. However, the three applications are linked to an attacker

How do apps work?

The three applications follow the same procedure. Once they are executed, a form is displayed (Figure 2) in which the details of the credit card are requested. If users fill out the form and click "send", they are directed to a form that asks for identification information from the online banking service. The interesting thing is that, although all fields are marked as mandatory (*), both forms can be sent empty; which is a clear indicator that we are facing something suspicious.

By clicking on the two forms (completed or not), the users are directed to a third and last screen in which the user is thanked for their interest and is informed that a "Customer Service Executive" will be informed as soon as possible. as possible. Although the reality, obviously, is that no one will communicate with the victim and here the application does not offer any kind of functionality.

Meanwhile, data entered via fake forms is sent to the attacker's server in plain text. The server that stores this stolen data is accessible to anyone with the link and without the need to authenticate. For the victim, this greatly increases the potential for damage, since the stolen data is not only available to the attacker, but potentially in the hands of anyone with access to the link.

We recently warned of another malicious application that leaks stolen information so everyone can see it – a fake MyEtherWallet application that exposes private keys to victims' wallets. This finding underscores the need to be extremely careful when it comes to downloading financial applications of any kind.

How to be protected

If you have installed any of these malicious applications, we recommend that you uninstall them quickly. Check your bank account for any suspicious activity and change the pin of your card as well as your access code to the online banking service.

To avoid being a victim of such applications, we recommend:

• Trust banking applications only if it is badociated with your bank's official website.
• Never enter access information to your bank account on a form if you are unsure of its safety or if you suspect its legitimacy.
• Pay attention to the number of downloads, the rating of the app and comments left by other users on Google Play.
• Keep your Android device up-to-date and use a reliable security solution. In the case of ESET products, they detect such malicious applications as Android / Spy.Banker.AHR

Legitimate banking applications whose identity has been replaced: