Subverting the App Store: A Phisher’s Delight

Once again, criminals have shown their creativity in pursuing financial fraud in cyberspace.  While most of us have already suffered phishing attempts via e-mail solicitations purportedly coming from our banking and credit card companies, a new twist on the scam is affecting smartphone users.  Organized criminals have invaded “app stores” and provided fraudulent versions of banking applications to be downloaded by unsuspecting customers.  The first store to be victimized by this scam is Google’s Android marketplace.

As indicated below, Android phishers are targeting Google’s mobile operating system, not by inserting malware into the phone, but by submitting fraudulent mobile phone software applications to the Android store.  Organized crime groups have created phony banking applications purportedly from reputable financial institutions, which rather than providing access to the customer’s own bank, instead steal login credentials and forward them to fraudsters.  These details are of course then exploited to steal money from the legitimate users’ bank accounts.  One bank, the First Tech Credit Union, recently advised their customers to be aware of the scam.

The rogue application was known as the “Droid09 app” and targeted a number of banks including Barclays, Chase, Wells Fargo, HSBC, Bank of America, Wachovia and Deutsche Bank.  Though Google has since removed more than 50 of the rogue applications, a number of questions remain.  Who, for example, will be held liable for any losses in these cases?  Surely there is some “know your customer” responsibility on the part of application store owners to verify that the apps they provide come from legitimate sources.

As mobile devices explode in use in the coming years, they will increasingly replace home/office computers for a wide variety of tasks.  While all users should exercise common sense in downloading unknown applications, it is not unreasonable for an end user to believe that an item uploaded to the iTunes store, Ovi store or Android Marketplace would have been vetted for security flaws.  At a minimum, these store providers should ensure they are not redistributing crimeware to unsuspecting users.  Apple has a vigorous policy of inspecting all software before allowing it to appear in its app store, sometimes to the complaints of application developers.  Android, conversely, has developed a reputation of being a more open marketplace.  Unfortunately, for the foreseeable future, the mobile applications market space may resemble the “wild wild west”, with users fending for themselves in the absence of more careful oversight.  Eventually, however, liability lawsuits and perhaps even criminal prosecutions will begin to rein in activities in these modern-day souqs.  Until then, caveat emptor, caveat venditor and caveat downloader!

Also reported by the Wall Street Journal.

Rogue phishing app smuggled onto Android Marketplace

Ghost in the machine

by John Leyden
The Register

January 11th, 2010

A phisher hoping to harvest bank login details managed to smuggle his app onto the Android app store.

Malicious apps posted by Droid09 were quickly identified, prompting a warning to legitimate users and a ban for the VXer. The incident raises questions about whether a tighter vetting process is needed for the Android Marketplace.

The rogue Android application posed as a legitimate banking applet, but was actually designed to trick marks into handing over bank login details to fraudsters, an alert by credit union First Tech warns. The credit union, which said it wasn’t targeted by the attack, doesn’t even have an app for Android as yet.

Android fans who downloaded any of Droid09’s apps are advised to purge them from their phones before consulting their mobile phone firm for further advice.

The incident happened in December, but became public after news outlets picked up on First Tech Credit Union’s fraud alert on Monday.

The Android Market, launched in October 2008, offers more than 20,000 mobile applications for download. MobileCrunch reports.