Another set of fake banking apps has found its way into the official Google Play store.
According to ESET, the apps claim to increase the credit card limit for users of three Indian banks, then phish for credit card details and Internet banking credentials using bogus forms. The data stolen from the victims is leaked online, in plain text, via an exposed server.
The fake apps were uploaded to Google Play in June and July 2018. When ESET notified Google they were taken down, but by then they had been installed by hundreds of victims.
The apps were uploaded under three different developer names, each impersonating a different Indian bank. However, all three apps can be traced back to a single attacker.
All three apps follow the same procedure. Upon launch, a form requesting credit card details is displayed. If users fill out the form and hit “Submit”, they are taken to a form asking for their internet banking login credentials.
Interestingly, even though all fields are marked as “required” (*), both forms can be successfully submitted empty, usually an indication that they are not legitimate.
Clicking through both forms – with or without filling them in – leads users to the third and final screen, which thanks users for their interest and informs them that a “Customer Service Executive” will be in touch shortly. Needless to say, no one gets in touch with the victims, and the app offers no further functionality beyond this point.
Meanwhile, the data entered into the bogus forms is sent in plain text to the attacker’s server. The server listing the stolen data is accessible to anyone with the link, without requiring any authentication.
For the victims, this amplifies the potential damage, since their sensitive data is not only at the attacker’s disposal, but potentially available to anyone who comes across it.
ESET recently warned against another malicious app leaking stolen information for anyone to see – a fake MyEtherWallet app, exposing the private keys to victims’ wallets.