Data-Stealing Fake Bank App Found in Google Play

It's no secret that Google Play lets malware-infested apps sneak into its storefront now and then, but rarely are they as clever as BankMirage. This program provides an exact copy of an Israeli bank's own app, steals a user's login info, then suggests an installation of the real app, leaving users none the wiser.

The information comes from a blog post by Lookout, a San Francisco-based mobile security company. Lookout researchers came across a phony app for Mizrahi Bank, one of the largest banks in Israel, and worked with Google to get it removed posthaste.

Here's how the scheme worked: Users would search for Mizrahi Bank in the Play Store. The fake app got popular enough to show up alongside the real one, and many unsuspecting customers downloaded the BankMirage-infected file.

The Mizrahi app with BankMirage looked identical to the genuine article. When users tried to log in, BankMirage would steal their usernames — although curiously, it would leave their passwords alone.

After procuring the username, the app would instruct users to reinstall the app, but this time direct them toward the non-infected version. This way, the app would work just fine upon the second login attempt, and users would not be inclined to give the matter any further thought.

Why the app would collect only usernames is a bit of a mystery, but it's possible that a malicious hacker or group has another method to get its hands on the matching passwords. Creating a malware-ridden version of a popular banking app suggests that the perpetrator has some kind of endgame, whatever that might be.

Google Play is supposed to act as a gatekeeper against harmful apps, but it's not possible to block every possible source of infection. In a situation like this, the best course of action is to be very cautious if you search for an app and see two different versions to install. The more popular one is likely the real deal, and the other may be a fake. Consider reporting it to the Play Store.

Most mobile security suites will also detect malware of this nature and get rid of it before you ever enter any compromising information. If you got taken in by the BankMirage scam, you may not be in any immediate danger, but changing your username would not be an unwise precaution.

Follow Marshall Honorof @marshallhonorof and on Google+. Follow us @tomsguide, on Facebook and on Google+.

  • wemakeourfuture
    How Google allowed this shows their vetting of apps is piss poor.
  • SamsChoice
    For those who do not know, Marshall Honorof has worked and may still work for Apple. He writes for Apple and almost ALL his articles are biased. He also owns Apple stock.
  • wemakeourfuture
    For those who do not know, Marshall Honorof has worked and may still work for Apple. He writes for Apple and almost ALL his articles are biased. He also owns Apple stock.

    So he created this story? Did he also create the 95% smartphone malware apps that affect Android devices?
  • nebun
    lol....how do you like me now...google mobile OS is a joke when it comes to security...the funny thing is that they pay for people to find bugs and still does not help....google really needs to wake up
  • Noshiz
    And that's why you should not trust Android. 95% of the apps are malware and viruses, have fun using anti-virus on your phones.
  • fixxxer113
    lol....how do you like me now...google mobile OS is a joke when it comes to security...the funny thing is that they pay for people to find bugs and still does not help....google really needs to wake up

    This has nothing to do with the OS itself, but rather the process that Google has of approving apps. There should be no way for someone to post an e-banking app, if they are not the bank ... As with most security issues, it's a Human problem, not a Software one.
  • Marshall Honorof
    @SamsChoice - That's a funny assertion to make, given that I a) have demonstrably never worked for Apple and b) don't own any Apple products. I assume you have some evidence to back up this extraordinary claim?