ESET researchers have discovered malicious apps impersonating various financial services and the Austrian cryptocurrency exchange Bitpanda on Google Play.

The fake apps

Uploaded to Google’s official app store in June 2018 and collectively downloaded and installed over a thousand times, upon launch the apps would immediately request the user to enter credit card details and/or login credentials to the targeted bank or service.

The entered information would then be sent to the attacker’s server, and the app would politely thank the victim or even congratulate them:

“The apps were uploaded under different developer names, each using a different guise, however, code similarities suggest the apps are the work of a single attacker,” the researchers noted.

The apps impersonated the Commonwealth Bank of Australia (CommBank), the Australia and New Zealand Banking Group Limited (ANZ), the ASB Bank, the TSB Bank, PostFinance (the financial services unit of Swiss Post), the Polish Bank Zachodni WBK (recently renamed into Santander Bank Polska), and Bitpanda (which doesn’t even have an official mobile app).

The apps have now been removed from the store.

Advice for users and victims

The researchers posit that Google’s automated defenses did not spot the malicious apps because they use obfuscation. Nevertheless, they still advise users to download apps from Google Play.

“This does not ensure the app is not malicious, but apps like these are much more common on third-party app stores and are rarely removed once uncovered, unlike on Google Play,” they noted.

In general, though, it’s best to only trust mobile banking and other finance apps if they are linked from the official website of the bank or the financial service, they added.

Users who have recently downloaded an app for any of the aforementioned banks and services from Google Play would do well to check whether they have downloaded a malicious app. The package names of the malicious apps can be found in ESET’s blog post.

Those who have are urged to check their bank accounts for unusual transactions abd to change their internet banking passwords and credit card PIN codes.