Cybercriminals are always looking for new ways to steal consumers' banking credentials, and new research from ESET has highlighted the often-overlooked threat of fake banking apps.

The firm compiled its findings in a new white paper titled “Android banking malware: Sophisticated Trojans vs. Fake Banking apps”, which revealed that fake banking apps and sophisticated banking Trojans are the two most prevalent types of Android banking malware.

ESET malware researcher Lukáš Štefanko explained that fake banking apps pose a significant threat and could be as effective as banking Trojans, saying:

“Our analysis of the two types of banking malware – both of which have previously been discovered in the official Google Play store – has shown that the simple operation of fake banking apps comes with certain advantages that the feared banking Trojans don’t have. While banking Trojans have long been regarded as a serious threat to Android users, fake banking apps have sometimes been overlooked due to their limited capabilities. Despite not being technically advanced, we believe fake banking apps might be just as effective at emptying bank accounts as banking Trojans.”

Fake banking apps vs Trojans

The main strength of fake apps is their direct impersonation of legitimate banking applications. If a user falls for their tricks, there is a high chance that they will treat the app as legitimate and submit their credentials.

Additionally, fake banking apps do not request the intrusive permissions usually asked for by Trojans, which tend to raise user suspicion after installation. Sophisticated banking Trojans are also more prone to detection because their advanced techniques act as triggers for various security measures.

To prevent falling victim to fake banking apps, ESET recommends that users keep their Android devices updated and avoid unofficial app stores. The company also suggests checking the ratings, reviews, number of installs and requested permissions before installing any app from the Google Play Store.

Fake apps often appear identical to their real counterparts, which is why due diligence is required to detect them effectively.