This article is more than 1 year old
Google Play infested with cash-stealing web apps
Simple HTML scams look to be sneaking through the app inspection process
Security researcher Joshua Shilko says phishing apps targeting some of the world's biggest payment services have slipped past screening and landed on Google Play.
Shilko says he's aware of 11 well-designed fraud apps that have slipped into the official Play store, often by mimicking mobile payment sites.
Shilko did not name the affected payment sites but one appears to be UK based payment firm Neteller.
There is no suggestion the firms are at fault; rather it is the clever but basic design of the apps as a malicious mobile web page rather than a heavier malware .apk that could be part of the attacker's success. Google's part of the problem too: Shilko says the company can take "several days" to act on user fraud reports.
"These attacks combine traditional, browser-based phishing attacks with the mobile platform in order to create convincing mobile applications," Shilko says.
"These applications are available to users directly from a trusted location – the Google Play Store.
"This calls into question the efficacy of the practice, as even a cursory investigation of these applications makes it clear that they are not being offered by the brands that are being impersonated."
Shilko says the apps are "overtly malicious" and target some cryptocurrency payment firms.
Victims would likely not be alerted to the same as the user interface and experience is fluid, other than a failure when a user's legitimate login credentials does not access accounts.
Various iterations of the phishing apps have similar names and attack flow, strongly indicating that a lone attacker or group is behind the scams.
Shilko says building Android apps that are little more than a mobile web page is a clever tactic for phishers as it targets users who frequent Google Play, avoids email anti-phishing defences and avoids bank's fraud detection mechanisms.
He recommends users only download banking apps via their banks' websites, which will (you'd hope) point to legit applications. ®