Stay Safe With Mobile Banking

kevin January 27

Recently, there has been strong concern surrounding third-party mobile banking applications. A developer named Droidheaven released a Wells Fargo mobile banking app in mid-December. Droidheaven also has a large number of other applications in the Market, mostly Android themes.

After performing static and network analysis, our research team determined that the Droidheaven application was not doing anything actively malicious; however, we continue to warn users to be extremely cautious of third-party mobile banking applications. We’ve found that the application contains only boilerplate webview functionality pointing to Wells Fargo’s mobile web site. Additionally, the application requests only “Network communication” permissions, which prevents it from performing actions typical of malware, such as stealing contacts or trying to spread to people on your contact list.

There are several reasons why untrusted third-party mobile banking applications are risky:

  • These apps could contain malicious code that steals your bank account info and password as soon as you type it in—all of this information is easily available to the application developer.
  • You also have no way of knowing whether you are being directed to a legitimate mobile banking site or a phishing site designed to look identical. In the standard browser, you can check that the URL is correct and that the connection is encrypted with an appropriate certificate. In a third-party banking application, however, you can’t trust any indicators (if they exist), as those indicators can be set to display false information specified by the application’s developer.
  • Applications that do nothing malicious today can easily be updated with a malicious version.

If your bank does not provide a mobile banking application, it’s easy to create a shortcut icon on your home screen that links to your bank’s mobile website.

Read on to see how to create a safe, mobile banking bookmark on your home screen.

Open the browser to your bank’s mobile website (such as https://wf.com/ for Wells Fargo). Press Menu and click Bookmarks.
Press Add.
Hit Ok.
Find the newly created bookmark, press and hold it for 1 second until the context menu appears. Select “Add Shortcut to Home.”
Now, your Home screen has a bookmark to quickly visit your bank’s mobile site at any time.
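
The URL check described in the list of risks above can also be scripted before a bookmark is saved. The following Python sketch is an added example, not code from the original post: `check_bank_url` and `TRUSTED_HOSTS` are hypothetical names, the allowlist holds only the two hosts mentioned on this page, and the `evil.example` URLs are constructed samples.

```python
from urllib.parse import urlsplit

# Assumption: exact-match allowlist built from the hosts named on this page.
TRUSTED_HOSTS = {"wf.com", "www.regions.com"}


def check_bank_url(url, trusted_hosts=TRUSTED_HOSTS):
    """Return a list of problems with a bookmark URL; an empty list means it passed."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError if the port is malformed
    except ValueError:
        return ["URL cannot be parsed"]

    # hostname drops any "user:pass@" prefix and the port, and is lower-cased.
    host = (parts.hostname or "").rstrip(".")
    problems = []
    if parts.scheme != "https":
        problems.append("connection is not HTTPS")
    if parts.username is not None or parts.password is not None:
        # "https://wf.com@evil.example/" really connects to evil.example.
        problems.append("text before '@' is not the host; real host is %s" % host)
    if port not in (None, 443):
        problems.append("non-standard port %d" % port)
    if host not in trusted_hosts:
        # Exact match only: "wf.com.evil.example" must not pass as "wf.com".
        problems.append("host %r is not a trusted bank host" % host)
    return problems


if __name__ == "__main__":
    # Constructed sample URLs, not taken from any real incident.
    samples = [
        "https://wf.com/",
        "http://wf.com/",
        "https://wf.com.evil.example/signon",
        "https://wf.com@evil.example/",
    ]
    for sample in samples:
        print(sample, "->", check_bank_url(sample) or "OK")
```

This covers only the address; the certificate shown by the browser still has to be checked separately.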

As always, be sure to email security /at/ mylookout /dot/ com if you see anything suspicious on your mobile adventures. We’ll be there to help.

-Anthony Lineberry, David Richardson, Kevin Mahaffey


2 Responses

  • 1

    James Day 05 Feb 10

    The advice given in this article was sound and made good sense. I tried the above steps to create a Home screen bookmark to my personal bank – Regions Bank. I got to my bank’s site, entered my sign-in information, and clicked Login to proceed. The next screen that came up only said “Length Required” and I could go no further. Any ideas what that message meant?

  • 2

    Kevin 09 Feb 10

    @James Thanks for the support! If you can log in via your mobile browser without using the shortcut, but with the shortcut you get the error, double check to make sure the URL that the shortcut brings you to is “https://www.regions.com”. If that’s the URL that shows up in your browser, there may be a problem with your bank’s web site.
