Cloned Android Banking App Hides Phishing Scheme

A cloned banking application targeting customers of a large bank in Israel has been removed from Google Play after it was discovered to be stealing users’ log-in credentials.

Cloned mobile applications, such as the legions of Flappy Bird knock-offs that surfaced once the popular game was removed from Google Play and the Apple App Store, are an increasingly popular malware vehicle for attackers.

The risks range from loading programs that dial premium numbers at the user’s expense, to others that spy on messages or steal data stored on the device.

Mobile security company Lookout this week reported on a cloned banking app targeting users of a popular Israeli bank. The app, a clone of Mizrahi Bank’s legitimate Android application, has since been removed from Google Play.

“The authors put a wrapper around the bank’s legitimate app and redistributed it on the Google Play store, pretending to be the financial institution,” said Meghan Kelly of Lookout.

Strangely enough, the app targets the banking customer’s credentials as expected, but only the user ID.

“Indeed, those who built the malware inserted a comment into the code dictating that only the user ID be taken, not the passwords,” Kelly said.

Likely, the attackers are collecting user names in order to phish customers of this particular bank later on.

Likely, the attackers are collecting user names in order to phish customers of this particular bank later onĀ for their credentials or authentication tokens, though it’s not clear why they didn’t do so with the mobile app.

“Once a victim opens the app, the malware loads the login form, which is an in-app html page that has been changed to siphon off the victim’s user ID’s as they enter their credentials. It’s effectively a phishing attack,” Kelly said. “Once the user ID is stored the app returns a message to the user saying that the login failed and to, instead, reinstall the legitimate banking app from the Play Store.”

Lookout points out that most banking malware is confined to Europe and Asia with some samples even trying to pass themselves off as Google Play, sending notifications to users’ devices luring them to rogue banking apps.

“Unfortunately, with an app that sneaks into the Google Play store, it’s hard to use traditional means to protect yourself,” Kelly said. “For example, looking to see if this is a developer you trust, or making sure your phone has ‘Unknown sources’ is unchecked to prevent dropped or drive-by-download app installs.”

Android banking Trojans such as Svpeng are much more direct and dangerous than this one. The Trojan, studied by Kaspersky Lab researchers, spreads via SMS spam and tailors its messaging based on the device’s language setting. It targets U.S., German, Belarusian and Ukranian victims. In November, Kaspersky researchers reported that a new feature was added to Svpeng where devices infected with the Trojan are presented with a phishing window upon launching their banking application in an attempt to steal credential, which are sent to a command server.

The Trojan also has a payment card component where it layers a phishing window over Google Play prompting the user to enter a credit card or bank card number, including expiration date and security code.

Earlier this year, Svpeng was modified with a ransomware component demanding $500 for illicit activity with the mobile device. That was short lived, Kaspersky researcher Roman Unuchek said recently. A new version of the Trojan began chasing victims in the United States with a new ransomware component tailored around victims in the U.S.

“We managed to identify seven modifications of the new Svpeng, and all of them include a Cryptor class reference, but none of them makes any attempt to use it,” Unuchek said. “It could mean that in the future the cybercriminals will use the Trojan to encrypt user data and demand a ransom to decrypt it.”

Suggested articles