Atypical cloned banking app pops up on Google Play
An unusual instance of a cloned banking app has been spotted on Google Play by Lookout researchers: the app steals only the users’ ID, and leaves alone the password.
The creators of the app have taken the legitimate app of the Israel-based Bank Mizrahi-Tefahot, and have put a “wrapper” around it, which makes it so that when the app is started, a login form asking for the user’s ID and password is loaded.
It is definitely a phishing attempt, but a very curious one, as only the ID is sent to the app authors. It’s also interesting to note that the authors themselves confirm this unusual move in a comment in the app’s code.
“Once the user ID is stored the app returns a message to the user saying that the login failed and to, instead, reinstall the legitimate banking app from the Play Store,” the researchers noted.
My pet theory about this case is that the bank itself might have cloned the app in order to teach users a lesson in security, but who knows?
In any case, the researchers have some advice for users to avoid similar schemes in the future: if you see a duplicate of the app you’re trying to download, one might not be legitimate.
Also, using a mobile security solution is a good idea, especially because Google still can’t manage to block all potentially malicious apps from ending up on Google Play.
UPDATE: My theory has been shot down by Jeremy Linden, Senior Security Product Manager at Lookout.
“Mizrahi Bank did not create the cloned app. Indeed, the bank informed us that they were not aware of the malware as we were working to get it removed from the Google Play store. It’s very unlikely that a company would build a piece of malware, violate Google’s terms of service, and secretly take user information to teach their customers a lesson,” he told Help Net Security.
“It’s definitely curious that the malware authors would only take the usernames and not the passwords. We’re unsure as to why this was the only information collected, but it could be that the malware authors were testing the functionality,” he added.