Cloned Android Banking App Hides Phishing Scheme

A cloned banking application targeting customers of a large bank in Israel has been removed from Google Play after it was discovered to be stealing users’ log-in credentials.

Cloned mobile applications, such as the legions of Flappy Bird knock-offs that surfaced once the popular game was removed from Google Play and the Apple App Store, are an increasingly popular malware vehicle for attackers.

The risks range from loading programs that dial premium numbers at the user’s expense, to others that spy on messages or steal data stored on the device.

Mobile security company Lookout this week reported on a cloned banking app targeting users of a popular Israeli bank. The app, a clone of Mizrahi Bank’s legitimate Android application, has since been removed from Google Play.

“The authors put a wrapper around the bank’s legitimate app and redistributed it on the Google Play store, pretending to be the financial institution,” said Meghan Kelly of Lookout.

Strangely, the app goes after the banking customer's credentials as expected, but it captures only the user ID.

“Indeed, those who built the malware inserted a comment into the code dictating that only the user ID be taken, not the passwords,” Kelly said.

Likely, the attackers are collecting user names in order to phish customers of this particular bank later on for their credentials or authentication tokens, though it's not clear why they didn't do so with the mobile app.

“Once a victim opens the app, the malware loads the login form, which is an in-app HTML page that has been changed to siphon off the victims’ user IDs as they enter their credentials. It’s effectively a phishing attack,” Kelly said. “Once the user ID is stored, the app returns a message to the user saying that the login failed and to, instead, reinstall the legitimate banking app from the Play Store.”

Lookout points out that most banking malware is confined to Europe and Asia with some samples even trying to pass themselves off as Google Play, sending notifications to users’ devices luring them to rogue banking apps.

“Unfortunately, with an app that sneaks into the Google Play store, it’s hard to use traditional means to protect yourself,” Kelly said. “For example, looking to see if this is a developer you trust, or making sure ‘Unknown sources’ is unchecked on your phone to prevent dropped or drive-by-download app installs.”
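One check that does survive a clone reaching Google Play is the APK's signing certificate: a wrapper can copy the bank's name, icon and even its real code, but it cannot be signed with the bank's private key, so the signer fingerprint will differ. The script below is an added example, not code from the article or from Lookout, and it makes several assumptions that are not in the original text: the `cryptography` package is installed; only the v1 (JAR) signature block under `META-INF/` is inspected and the signature over the manifest is not itself verified (a real check should also run `apksigner verify --print-certs`, which covers v2/v3 signing); and the "bank" key, the "attacker" key and both sample APKs are generated in memory so that it runs offline, standing in for a real pinned fingerprint and real downloads.

```python
"""Compare an APK's signer certificate against a pinned SHA-256 fingerprint.

Added example, not from the original page. Assumptions (labelled here and
in the lead-in): the `cryptography` package is available; only the v1 JAR
signature block is parsed; keys, certs and APKs are constructed in memory.
"""
import datetime
import io
import zipfile

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs7
from cryptography.x509.oid import NameOID


def make_self_signed(common_name: str):
    """Generate a throwaway RSA key and self-signed cert (constructed sample).

    Android release keys are self-signed too, so this mirrors the real case:
    anyone can mint a cert that *says* "Example Bank"; only the fingerprint
    distinguishes the bank's key from an impostor's.
    """
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .sign(key, hashes.SHA256())
    )
    return key, cert


def pin_for(cert) -> str:
    """Hex SHA-256 fingerprint of a certificate, the value you would pin."""
    return cert.fingerprint(hashes.SHA256()).hex()


def build_signed_apk(key, cert, label: bytes) -> bytes:
    """Assemble a minimal APK-like zip with a v1-style META-INF/CERT.RSA.

    The signature block is a detached PKCS#7 SignedData carrying the signer
    certificate, which is what a JAR/APK v1 signature looks like on disk.
    """
    manifest = b"Manifest-Version: 1.0\r\nCreated-By: example\r\n" + label
    sig_block = (
        pkcs7.PKCS7SignatureBuilder()
        .set_data(manifest)
        .add_signer(cert, key, hashes.SHA256())
        .sign(serialization.Encoding.DER, [pkcs7.PKCS7Options.DetachedSignature])
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("META-INF/CERT.RSA", sig_block)
        zf.writestr("classes.dex", b"dex\n035\x00" + label)  # placeholder payload
    return buf.getvalue()


def signer_fingerprints(apk_bytes: bytes) -> set:
    """Return the SHA-256 fingerprints (hex) of every v1 signer cert found."""
    fps = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                for c in pkcs7.load_der_pkcs7_certificates(zf.read(name)):
                    fps.add(pin_for(c))
    return fps


def is_genuine(apk_bytes: bytes, pinned_fingerprint: str) -> bool:
    """True only if the APK is signed by exactly the pinned certificate.

    An unsigned APK (no signer at all) and an APK with extra signers both fail.
    """
    return signer_fingerprints(apk_bytes) == {pinned_fingerprint.lower()}


if __name__ == "__main__":
    bank_key, bank_cert = make_self_signed("Example Bank")      # the bank's key
    evil_key, evil_cert = make_self_signed("Example Bank")      # same name, different key
    pinned = pin_for(bank_cert)
    genuine = build_signed_apk(bank_key, bank_cert, b"genuine build")
    clone = build_signed_apk(evil_key, evil_cert, b"wrapped clone")
    print("pinned signer :", pinned)
    print("genuine APK ok:", is_genuine(genuine, pinned))
    print("clone APK ok  :", is_genuine(clone, pinned))
```

Note that the subject name is deliberately identical on both certificates: matching on the developer name, which is what the Play listing shows, is exactly the check Kelly says no longer works, while the fingerprint comparison does.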

Android banking Trojans such as Svpeng are much more direct and dangerous than this one. The Trojan, studied by Kaspersky Lab researchers, spreads via SMS spam and tailors its messaging to the device’s language setting. It targets U.S., German, Belarusian and Ukrainian victims. In November, Kaspersky researchers reported that a new feature had been added to Svpeng: infected devices are presented with a phishing window upon launching their banking application in an attempt to steal credentials, which are sent to a command server.

The Trojan also has a payment card component where it layers a phishing window over Google Play prompting the user to enter a credit card or bank card number, including expiration date and security code.

Earlier this year, Svpeng was modified with a ransomware component that accused the victim of illicit activity on the device and demanded $500. That version was short lived, Kaspersky researcher Roman Unuchek said recently; a new version of the Trojan then began chasing victims in the United States with a ransomware component tailored to U.S. users.

“We managed to identify seven modifications of the new Svpeng, and all of them include a Cryptor class reference, but none of them makes any attempt to use it,” Unuchek said. “It could mean that in the future the cybercriminals will use the Trojan to encrypt user data and demand a ransom to decrypt it.”

  • Keith Deininger on

    This is the primary reason why Google is going to have to start instituting a verification of ALL apps that are uploaded to the Google Play Store, just as Apple verifies all apps that are uploaded to the Apple Store for iOS users. I know that some people are going to scream that the whole purpose of the Android Mobile OS is so that it is open sourced for everyone to use. But as soon as people stop downloading apps from the Play Store, Google should see this and ask themselves "Why?". Provide some level of software security and people will continue to trust you. One of the many reasons why the iPhone and Apple iOS Store have become so popular.
  • Spaz on

    >Google is going to have to start instituting a verification of ALL apps Engineering a system and hardware requires plenty of advanced planning; it's not something they winged as they went. Also, a lot of psychological planning went into their product as well. Google knew exactly what they were doing when they set up their store and purposely decided not to do what Apple did from the start. Apple provides a cocoon-like Disney World product that caters to particular market niche needs (mostly women, children and artists); however, it doesn't cater to the larger market's need for the right balance of an intellectual challenge. It's why millions jailbreak their iOS devices once they learn they are living in an engineered cocoon. It's why Apple is reversing direction and trying to open iOS up more from their 'our way or the highway' approach that is losing significant market share to Android openness every day. Just like with Macs at a paltry 7.5% to Windows' 90%+ market share, Steve Jobs was wrong again. It's too bad he died before seeing his mistake repeated once more.
