Some media outlets in India carried a PTI report that cited another report by the security firm SophosLabs. They stated that fake apps impersonating banks like SBI, ICICI, Axis Bank, Yes Bank, CitiBank and others had stolen data of thousands of bank customers. While this is true, it is not as immediate a threat as it has been portrayed to be: SophosLabs noted that there have been “inaccuracies in the coverage of this research” and that “the intent of this research was not to alert to a current threat, but explain the rise and methodology used by the cybercriminals behind such phishing and brand abuse threats.”
The fake apps that stole customers' banking details, such as their Internet banking credentials and credit card details, have been removed from the Play Store, and the site that was collecting the stolen data is said to have been offline for some months now. However, users who downloaded any of the apps are still advised to change their banking passwords and take measures to ensure that they are not affected.
SophosLabs reports that it discovered 12 Trojan apps on the Google Play Store that were targeting users in India. These apps targeted seven banks in India: ICICI Bank, Indian Overseas Bank, Axis Bank, Bank of Baroda, Yes Bank and CitiBank. Additionally, they included a generic interface that is said to target about 25 other banks in India. What’s alarming is that some of these apps flew under the radar and were available for download on the official Android app store for more than two years. The apps enticed customers by promising cashbacks, free data, low-interest loans and, unbelievably, a service called “e-ATM” for “select users.” The apps promised to send a courier to an ATM to withdraw money on the user's behalf, using the provided credentials, and deliver it to their home.
As per the report, the creator or creators of these apps had been publishing them since May 2016. The apps share a similar code base, sport a similar interface and all send the stolen information to the same command-and-control server. Since the apps were almost identical in every aspect, their developer(s) were able to repackage them under different names and upload them numerous times to the Play Store. This points to a campaign to harvest sensitive banking information by either a single threat actor or a group.
Fake Trojan banking apps that have been removed from the Play Store
Once users downloaded and ran any of the fake apps, it would prompt them to register using a name and phone number. It then asked them to link a bank account using one of four methods: ATM card and PIN, Net Banking (username and password for online banking), credit card, or Aadhar card (a resident identification card). “The app then presents the user with an activity that either prompts for credit card details or Internet banking credentials depending upon the option chosen by the user. The app also registers itself as the default app for receiving text messages, in order to intercept SMS-based one time passwords (OTPs), which are commonly used for two-factor authentication. The app sends this collected information to its server without verifying any of the details for correctness,” states the report.
The data stolen by these apps was not even encrypted while being sent to the server and was therefore open to interception in transit. SophosLabs says that it notified Google about these apps in July 2018 and they were later removed from Google Play. Sophos Mobile Security identifies these malicious apps as Andr/FakeBank-L.
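The two traits described above, an app that registers itself as the default SMS handler to catch OTPs and an app that sends data over unencrypted connections, are both visible in an Android app's manifest before it is ever run. The following Python script is an added example, not code from the SophosLabs report or from the apps it analysed; it triages a constructed AndroidManifest.xml (assumed, not taken from any real app) for those indicators, which is the kind of check an app reviewer or mobile security team can automate. The function and finding names are my own.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANDROID_NAME = f"{{{ANDROID_NS}}}name"

# Constructed sample manifest (not from any real app) showing the traits the
# report describes: SMS permissions, a receiver for SMS_DELIVER (which is what
# a default-SMS-app handler must declare), and cleartext traffic allowed.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application android:usesCleartextTraffic="true">
        <receiver android:name=".SmsReceiver"
                  android:permission="android.permission.BROADCAST_SMS">
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_DELIVER"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed manifest of a typical banking app: network access only.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.realbank">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:usesCleartextTraffic="false"/>
</manifest>
"""

SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
SMS_DELIVER_ACTION = "android.provider.Telephony.SMS_DELIVER"


def triage_manifest(xml_text):
    """Return a list of risk indicators found in an AndroidManifest.xml string."""
    root = ET.fromstring(xml_text)
    findings = []

    # 1. Any SMS permission at all is unusual for a banking app, which normally
    #    relies on the OS to surface OTPs rather than reading the inbox itself.
    perms = {e.get(ANDROID_NAME) for e in root.iter("uses-permission")}
    sms_perms = sorted(perms & SMS_PERMISSIONS)
    if sms_perms:
        findings.append("sms_permissions:" + ",".join(sms_perms))

    # 2. A receiver for SMS_DELIVER is the declaration needed to become the
    #    default SMS app, i.e. to receive every incoming message first.
    if any(a.get(ANDROID_NAME) == SMS_DELIVER_ACTION for a in root.iter("action")):
        findings.append("sms_deliver_receiver")

    # 3. usesCleartextTraffic="true" permits plain HTTP, matching the report's
    #    observation that stolen data was sent unencrypted.
    app = root.find("application")
    if app is not None and app.get(f"{{{ANDROID_NS}}}usesCleartextTraffic") == "true":
        findings.append("cleartext_traffic_allowed")

    # 4. SMS access combined with network access is the pairing that lets an
    #    app both capture an OTP and relay it off the device.
    if sms_perms and "android.permission.INTERNET" in perms:
        findings.append("sms_plus_network")

    return findings


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(manifest))
```

The checks are heuristics, not a verdict: a legitimate messaging app also declares an SMS_DELIVER receiver. The point is that an app presenting itself as a bank has no reason to, and that mismatch between claimed purpose and declared capabilities is exactly what a store reviewer or a user reading the permission prompt can catch.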
Fake apps have been creeping into the Google Play Store for some time now, and users should take some precautions before installing an app, even if it’s from an official source. One should check the developer, the app’s reviews and ratings, and also take note of the permissions it asks for. You can read the entire SophosLabs report here.