Phone Phishing: A look at seemingly legitimate applications on mobile phones.

kevin January 11

Mobile application marketplaces are a bazaar. They allow freedom for any developer to make his or her ware—legitimate or otherwise—available to the world.  Because apps created by Barclays and Bank of America are located on the same virtual shelf as apps from one-person shops from throughout the world, marketplaces act as a great equalizer, granting the same algorithmic treatment to all.  This openness has a tremendous benefit of encouraging innovation by decreasing both the friction and barrier to entry of app development.  No longer is it necessary to wade through a multi-month process just to make a single app available to consumers. The bazaar also comes with a risk: there is a greater burden on users to pass judgment on the sources of applications they choose to download—caveat emptor.  Even for marketplaces that have a vetting process, risk remains, as no vetting process can be perfect.

09Droid Installation Image

In December, we identified a large number of online banking applications added to the marketplace from a developer named 09Droid.  Each application was branded with a specific bank’s logo/name and, to most users, looked to be an app produced by that bank.

Our team immediately began investigating these suspicious applications and found no evidence of any malicious behavior in the 09Droid banking applications we analyzed.  We performed both static and network analysis on the applications to find that the apps are nothing more than a thin wrapper around legitimate mobile banking websites and do not have the capability to steal information.

Even though the applications are not doing anything malicious now, with a simple update, these applications could very easily have captured thousands of online banking credentials. It would be easy to develop an application that can intercept usernames and passwords as a user logs into his or her bank.
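As an added illustration (not Lookout's tooling; the bank names, developer strings and URLs below are constructed placeholders), this Python function performs the triage the analysis above describes: it flags a bank-branded listing whose publisher is not that bank, and checks that every host the app loads stays within the bank's own domain rather than some unrelated endpoint.

```python
# Added example, not from the original post. Triage of bank-branded mobile
# app listings: a 09Droid-style app carries a bank's name while being
# published by someone else, and a "thin wrapper" should only ever load
# the bank's own web properties.
from urllib.parse import urlsplit

# Constructed reference data (placeholders, not real banks or listings).
KNOWN_BANKS = {
    "examplebank": {"developer": "Example Bank Inc.",
                    "domains": {"examplebank.example"}},
    "acme savings": {"developer": "Acme Savings",
                     "domains": {"acmesavings.example"}},
}


def host_in_domains(host, domains):
    """True if host is one of the domains or a subdomain of one.
    Suffix matching requires the leading dot, so 'notexamplebank.example'
    does not match 'examplebank.example'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(listing, observed_urls):
    """listing: {'title': ..., 'developer': ...} from the marketplace page.
    observed_urls: URLs recovered by static or network analysis of the app.
    Returns a list of human-readable findings (empty means nothing flagged)."""
    findings = []
    title = listing["title"].lower()
    brand = next((b for b in KNOWN_BANKS if b in title), None)
    if brand is None:
        return findings  # not bank-branded; outside this check's scope
    expected = KNOWN_BANKS[brand]
    if listing["developer"].strip().lower() != expected["developer"].lower():
        findings.append("brand/developer mismatch: %r published by %r"
                        % (listing["title"], listing["developer"]))
    for url in observed_urls:
        host = urlsplit(url).hostname or ""
        if not host_in_domains(host, expected["domains"]):
            findings.append("off-brand endpoint: %s" % (host or url))
    return findings
```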

09Droid Application Mini-Browser

The existence of 3rd party applications from non-reputable developers handling extremely sensitive data raises an important concern: phishing applications are likely to pose a significant threat as people provide a growing incentive for attackers by using their phones to perform ever more sensitive tasks (e.g. managing their bank accounts).  Meanwhile, potentially malicious applications can use mobile application marketplaces to gain direct distribution to hundreds of millions of people.

Unsurprisingly, all of the 09Droid banking applications have since been removed from the Android Market, as the apps made unauthorized use of bank names and logos, leading users to think that the apps were officially provided by their respective banks.  There is an important lesson here: you should never entrust sensitive information, such as online banking credentials, to a 3rd party application from a non-reputable developer.  If the app wasn’t released by YOUR bank, then you probably shouldn’t use it.

Remember, if you ever see an application from an unknown developer posing as a well-known company or any other suspicious application, be sure to report it to our response team by emailing security /at/ mylookout /dot/ com.  We’ll be ready.


4 Responses

  • 1

    Steve Rogers 12 Jan 10

    Thanks for this useful advice.

  • 2

    brucekgreen 14 Jan 10

    Thanks! I always appreciate the great info and protection you guys provide.

  • 3

    Mike 14 Jan 10

    http://phandroid.com/2010/01/11/phishing-android-app-steals-banking-info/

    So why does this say it's a scam?

  • 4

    Chris 21 Jan 10

    There has recently been a lot of suspicion surrounding the 09Droid mobile banking apps—rightly so, as third party banking applications *SHOULD* raise suspicion. The majority of the information floating around the internet regarding these applications originally comes from http://www.firsttechcu.com/home/security/fraud/security_fraud.html, which claims that the 09Droid (mistakenly termed “Droid09”) applications are malicious. Because the apps were pulled from the market in mid-December, nobody, other than us, has performed in-depth analysis on them, resulting in rampant speculation. While it’s entirely possible that the applications were malicious, the developer intending to deploy a malicious update after gaining a large user base, we found that the applications were nothing more than a thin wrapper around mobile banking websites.
