It's no secret that Google Play lets malware-infested apps sneak into its storefront now and then, but rarely are they as clever as BankMirage. This program provides an exact copy of an Israeli bank's own app, steals a user's login info, then suggests an installation of the real app, leaving users none the wiser.
The information comes from a blog post by Lookout, a San Francisco-based mobile security company. Lookout researchers came across a phony app for Mizrahi Bank, one of the largest banks in Israel, and worked with Google to get it removed posthaste.
Here's how the scheme worked: Users would search for Mizrahi Bank in the Play Store. The fake app got popular enough to show up alongside the real one, and many unsuspecting customers downloaded the BankMirage-infected file.
The Mizrahi app with BankMirage looked identical to the genuine article. When users tried to log in, BankMirage would steal their usernames — although curiously, it would leave their passwords alone.
After procuring the username, the app would instruct users to reinstall it, this time directing them toward the non-infected version. This way, the app would work just fine upon the second login attempt, and users would not be inclined to give the matter any further thought.
Why the app would collect only usernames is a bit of a mystery, but it's possible that a malicious hacker or group has another method to get its hands on the matching passwords. Creating a malware-ridden version of a popular banking app suggests that the perpetrator has some kind of endgame, whatever that might be.
Google Play is supposed to act as a gatekeeper against harmful apps, but it cannot block every possible source of infection. In a situation like this, the best course of action is to be very cautious if you search for an app and see two different versions to install. The more popular one is likely the real deal, and the other may be a fake. Consider reporting it to the Play Store.
Most mobile security suites will also detect malware of this nature and get rid of it before you ever enter any compromising information. If you got taken in by the BankMirage scam, you may not be in any immediate danger, but changing your username would be a sensible precaution.