Google Play infested with cash-stealing web apps

Security researcher Joshua Shilko says phishing apps targeting some of the world's biggest payment services have slipped past screening and landed on Google Play. Shilko says he's aware of 11 well-designed fraud apps that have slipped into the official Play store, often by mimicking mobile payment sites. Shilko did not name …

  1. Anonymous Coward

    Marvellous advice

    He recommends users only download banking apps from official sources.

    What, like the Google Play Store - the same place where these dodgy apps are apparently being downloaded from? How long did it take to come up with that useless piece of advice?

    1. Anonymous Coward

      Re: download banking apps from official sources.

      Hmm, but what would be "safe"? Visiting a branch, connecting to their wifi and downloading it from some internal bank-controlled portal?

      1. pakman

        Re: download banking apps from official sources.

        Downloading it from an in-branch network may be the worst option, if crims install their own kit in the branch. They have tried this before: http://www.theregister.co.uk/2014/04/25/kvm_crooks_jailed/. OK, so wifi wasn't the target in that case, and they were caught, but you get the idea....

    2. R 11

      Re: Marvellous advice

      It's a fair point, though I think he means visit your bank website - where you know the correct URL and can generally check the EV SSL certificate - and use a link from there to the correct app.

  2. nematoad
    Coffee/keyboard

    Danger, Will Robinson!

    "...from a trusted location – the Google Play Store."

    Argh!

    Warning, do not show this article to anyone either eating or drinking as they may suffer choking and/or a spray painted monitor screen.

  3. tony2heads

    Trusted site

    There is no site I trust enough to download a banking app from.

    1. Palpy

      Re: Trusted site: None.

      Agreed! While it might be very convenient to use on-line banking from a mobe, maybe just don't.

      If you put your plums low on the tree, someone will grab them and squeeze.

      1. Ken Hagan Gold badge

        Re: Trusted site: None.

        "convenient to use on-line banking from a mobe, maybe just don't."

        What, from an app, or by browsing directly? If you are running a version of Android that actually gets security patches in a timely manner, the Chrome on that device is no more dangerous than the Chrome on your desktop, no?

  4. Palpy

    I'm not sure, Ken.

    The article to hand slams the Play Store for letting through malware-disguised-as-legit apps. Other recent articles have slammed the PStore for letting other strains of malware loose on Android users.

    I guess my worry would be that my Android tablet is more likely to be compromised than my Ubuntu desktop, or my Qubes laptop. A compromised platform would be a bad thing to use for banking, IMHO.

    I could be all wet, off-base, out of gas, and utterly mistaken on this. What I do know is that my cheap-but-serviceable Android (Lollipop) tablet has never gotten an update and never will; and it is therefore used only for casual browsing. It's not even allowed to know my email address.

    1. Ken Hagan Gold badge

      Re: I'm not sure, Ken.

      I'm in a similar position and take similar precautions, but if I had something that got the patches then I see no reason why Chrome running on one Unixoid platform should be less secure than Chrome running on any other.

      It may, however, be significant that Android devices don't cleanly separate ordinary user accounts from administrative ones. Perhaps that makes them genuinely unsafe for internet use.

  5. DryBones

    So...

    People are downloading the NatWestBanking App by Ima Crook Enterprises, and they don't see anything wrong with the publisher.

    Right then, off you go.

  6. DerekCurrie
    FAIL

    LAZY, HYPOCRITICAL GOOGLE

    Project Zero: Google hypocrisy at work. Dig around for everyone else's security flaws while ignoring their own.

    Yes, we notice Google. We respond accordingly.
