More than a thousand CommBank and ANZ customers may have unwittingly handed out their log-in details and credit card numbers after downloading malicious banking apps.
The fake apps went undetected in the Google Play store for weeks and were installed more than 1000 times before IT security research firm ESET raised the alarm in June, The Age reported Thursday.
ESET senior research fellow Nick FitzGerald told the newspaper the apps were discovered during routine checks. He said it was rare for fake banking apps to pass the automated Google Play system.
The fake CommBank and ANZ apps had only basic functionality: a form requesting credit card details or log-in credentials. That simplicity may have helped them slip through automated review.
“The apps use obfuscation, which may have contributed to them slipping into the store undetected,” he told The Age, adding code similarities suggested the two apps were the work of the same attacker.
“This is a big concern for anyone who may have handed over personal information. The loss of personally identifiable information can result in financial fraud that may affect you for the rest of your life very negatively.”
CommBank-owned Auckland Savings Bank was also targeted, as were banks in the UK, Switzerland and Poland, and European cryptocurrency exchange Bitpanda, according to the report.
A Google spokesman declined to say how many times the apps were downloaded or how they made it into the Google Play store.
“We remove applications that violate our policies, such as apps that are illegal or that promote hate speech,” he said. “We don’t comment on individual applications — you can check out our policies for more information.”
Because the banks were impersonated rather than breached, no data the banks themselves held was compromised, so the scam falls outside Australia’s new mandatory data-breach notification scheme passed into law earlier this year.
A CommBank spokeswoman said the security of customers’ banking details was a “top priority”. “We proactively monitor app stores, and use customer feedback, to identify potential security risks for our customers,” she said.
“Once a suspicious app is identified, we work with the app store to ensure the app is quickly removed or disabled. To protect our customers, we offer the benefit of our 100 per cent Security Guarantee against unauthorised transactions where customers are not at fault.”
An ANZ spokeswoman said the bank was “constantly monitoring for fake ANZ apps and the latest security scams”.
“In June 2018 via a customer we became aware of a fraudulent app called ANZ PayOnGO being advertised on Google Play,” she said. “We worked closely with the Google Play team to have the app removed in a few hours.”
CBA SECURITY ADVICE
Tips on keeping safe when downloading our apps:
Only install apps from official stores, such as Apple’s App Store or Google Play (for Android phone or tablet).
Check the name of the publisher before downloading the app.
Avoid installing apps from links received in an email, social media post, text message or a web page that doesn’t look right. The best way to download an app is to go to the store and download it from there.
Read user reviews and ratings to assess if an app delivers a good experience.
Many apps collect and send personal data from your phone, including your location and contacts. Keep on top of this by reviewing and managing permissions for each app. On an iOS device, this can be done under the ‘Settings > Privacy’ function. On an Android device, you can find them under ‘Application Manager’.
Read the terms of any app looking to access your contacts, location or other personal information when you log in using a third party service (such as Facebook or LinkedIn).
If a customer notices an unusual transaction on their account, they should contact us on 13 2221 immediately to report it.
Our apps are published from “Commonwealth Bank of Australia” or “CommSec”. MasterCard publishes two apps for business merchants, “CommBank Simplify Controls” and “CommBank Simplify Payments”, on our behalf.
ANZ SECURITY ADVICE
Customers should always check the following before downloading a new app:
Check the popularity of the app: thousands of downloads and very few reviews suggest a fake app.
Check the name of the app or developer and reviews: minor errors in the name, inconsistency with ANZ products or suspicious comments may indicate the app is a fake.
Check the pattern of reviews, including the time frame from app launch to commentary: reviews posted in quick succession soon after launch are a red flag.
If in doubt, go to the web page of the developer: a lack of details about the developers, or of a link to a legitimate site, is another indicator.
Check that the permissions required by the app are in line with activities you will be performing: if the permissions seem excessive this is another red flag.
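The CBA and ANZ checklists above (publisher name, install-to-review ratio, review timing, permissions) can be turned into a screening routine. The script below is an added example, not tooling from CommBank, ANZ, Google or news.com.au. The publisher names for CBA come from the article; the ANZ entry, the set of permissions a banking app is expected to need, and the numeric thresholds are assumptions, and both listings it scores are constructed rather than real Play Store data.

```python
"""Heuristic screening of app-store listings against the banks' advice.

Added example; not tooling from CommBank, ANZ, Google or news.com.au.
The listings at the bottom are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Publishers the article says CBA apps are released under. The ANZ entry is an
# assumption: the page does not state ANZ's publisher name.
LEGIT_PUBLISHERS = {
    "Commonwealth Bank of Australia",
    "CommSec",
    "MasterCard",   # publishes the CommBank Simplify apps on CBA's behalf
    "ANZ",          # assumed placeholder
}

# Permissions a banking app plausibly needs (assumption; tune per app).
EXPECTED_PERMISSIONS = {"INTERNET", "CAMERA", "USE_FINGERPRINT", "ACCESS_NETWORK_STATE"}

MIN_REVIEWS_PER_THOUSAND_INSTALLS = 5      # assumption: fewer than this is "very few"
BURST_WINDOW = timedelta(hours=24)          # assumption: reviews this close to launch are suspect
BURST_FRACTION = 0.5                        # assumption: flag if half the reviews land in the window
LOOKALIKE_MAX_DISTANCE = 3                  # assumption: edit distance that still reads as a typo


@dataclass
class AppListing:
    name: str
    publisher: str
    installs: int
    launched: datetime
    review_times: list      # datetime of each review
    permissions: set        # Android permission names requested


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss publisher names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def closest_publisher(publisher: str):
    """Return (legit_name, distance) for the nearest known publisher, case-insensitively."""
    return min(((p, edit_distance(publisher.lower(), p.lower())) for p in LEGIT_PUBLISHERS),
               key=lambda t: t[1])


def assess(app: AppListing) -> list:
    """Return a list of red-flag strings; an empty list means nothing looked wrong."""
    flags = []

    # Publisher: exact match passes, a near-miss is a classic lookalike, anything else is unknown.
    legit, dist = closest_publisher(app.publisher)
    if 0 < dist <= LOOKALIKE_MAX_DISTANCE:
        flags.append(f"publisher '{app.publisher}' is a near-miss of '{legit}'")
    elif dist > LOOKALIKE_MAX_DISTANCE:
        flags.append(f"publisher '{app.publisher}' is not a known bank publisher")

    # Popularity: thousands of installs with very few reviews.
    expected_reviews = app.installs / 1000 * MIN_REVIEWS_PER_THOUSAND_INSTALLS
    if app.installs >= 1000 and len(app.review_times) < expected_reviews:
        flags.append(f"{app.installs} installs but only {len(app.review_times)} reviews")

    # Review timing: a burst of reviews right after launch.
    if app.review_times:
        early = sum(1 for t in app.review_times if t - app.launched <= BURST_WINDOW)
        if early / len(app.review_times) >= BURST_FRACTION:
            flags.append(f"{early}/{len(app.review_times)} reviews posted within {BURST_WINDOW} of launch")

    # Permissions beyond what the app's stated purpose needs.
    extra = app.permissions - EXPECTED_PERMISSIONS
    if extra:
        flags.append("excessive permissions: " + ", ".join(sorted(extra)))
    return flags


LAUNCH = datetime(2018, 6, 1)

# Constructed listings, not real Play Store data.
GENUINE = AppListing(
    name="CommBank", publisher="Commonwealth Bank of Australia", installs=1_000_000,
    launched=LAUNCH, review_times=[LAUNCH + timedelta(hours=3 * k) for k in range(8000)],
    permissions={"INTERNET", "CAMERA", "ACCESS_NETWORK_STATE"},
)
LOOKALIKE = AppListing(
    name="CommBank", publisher="Commonwealth Bank of Austrailia", installs=2000,
    launched=LAUNCH, review_times=[LAUNCH + timedelta(hours=h) for h in (1, 2, 5)],
    permissions={"INTERNET", "READ_SMS", "RECEIVE_SMS"},
)

if __name__ == "__main__":
    for app in (GENUINE, LOOKALIKE):
        print(f"{app.name} by {app.publisher}: {assess(app) or ['no red flags']}")
```

Each check is deliberately independent, so a listing that passes the publisher test can still be caught by its review pattern or by SMS-reading permissions that a log-in form has no business requesting. The thresholds are starting points; a bank running this against store scrapes would calibrate them against its own genuine apps first.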
If a customer believes they have downloaded a fake ANZ app, please contact us immediately on 1800 033 844.
If they suspect a fake ANZ app is available on Google Play or on the App Store, they should contact firstname.lastname@example.org
Information on the latest security alerts can be found on ANZ.com.
Re-disseminated by The Asian from news.com.au