Stay Safe With Mobile Banking
Recently, there has been strong concern surrounding third-party mobile banking applications. A developer named Droidheaven released a Wells Fargo mobile banking app in mid-December. Droidheaven also has a large number of other applications in the Market, mostly Android themes.
After performing static and network analysis, our research team determined that the Droidheaven application was not doing anything actively malicious; however, we continue to warn users to be extremely cautious of third-party mobile banking applications. We’ve found that the application only contains boilerplate webview functionality pointing to Wells Fargo’s mobile web site. Additionally, the application only requests “Network communication” permissions, preventing it from performing actions typical of malware such as stealing contacts or trying to spread to people on your contact list.
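The kind of static check described above, as an added example that is not from the original post or Lookout's own tooling: it reads a decoded AndroidManifest.xml and a list of URLs pulled from an app, then flags permissions beyond plain network access and URLs that are not HTTPS on the bank's own domain. The sample manifest, the URL list, the allowed-domain set, and the mapping of “Network communication” to `android.permission.INTERNET` are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Assumption: a pure WebView wrapper needs nothing beyond network access.
EXPECTED_PERMISSIONS = {"android.permission.INTERNET"}

def requested_permissions(manifest_xml):
    """Return the permission names declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}

def host_allowed(url, allowed_domains):
    """True only for https URLs whose host is an allowed domain or its subdomain."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https" or not host:
        return False
    return any(host == d or host.endswith("." + d) for d in allowed_domains)

def triage(manifest_xml, urls, allowed_domains):
    """Report permissions beyond the expected set and URLs outside the bank's domains."""
    extra = requested_permissions(manifest_xml) - EXPECTED_PERMISSIONS
    off_domain = [u for u in urls if not host_allowed(u, allowed_domains)]
    return {"extra_permissions": sorted(extra), "off_domain_urls": off_domain}

# Constructed sample input, not taken from any real application.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bankwrapper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""
SAMPLE_URLS = [
    "https://wf.com/",                    # expected bank site
    "http://wf.com/",                     # right host, but not encrypted
    "https://wf.com.login.example.net/",  # bank name used only as a subdomain label
    "https://wf.com@example.net/",        # bank name in userinfo, real host differs
]

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_URLS, {"wf.com"}))
```

A clean result (no extra permissions, no off-domain URLs) matches what the post reports for this app at the time of analysis; it says nothing about later updates.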
There are several reasons why untrusted third-party mobile banking applications are risky:
- These apps could contain malicious code that steals your bank account info and password as soon as you type it in—all of this information is easily available to the application developer.
- You also have no way of knowing whether you are being directed to a legitimate mobile banking site or a phishing site designed to look identical. On the standard browser, you can check to see whether the URL is correct and that the connection is encrypted with an appropriate certificate. In a third-party banking application, however, you can’t trust any indicators (if they exist), as those indicators can be set to display false information specified by the application’s developer.
- Applications that do nothing malicious today can easily be updated with a malicious version.
If your bank does not provide a mobile banking application, it’s easy to create a shortcut icon on your home screen that links to your bank’s mobile website.
Read on to see how to create a safe, mobile banking bookmark on your home screen.
Open the browser to your bank’s mobile website (such as https://wf.com/ for Wells Fargo). Press Menu and click Bookmarks.
Press Add.
Hit Ok.
Find the newly created bookmark, press and hold it for 1 second until the context menu appears. Select “Add Shortcut to Home.”
Now, your Home screen has a bookmark to quickly visit your bank’s mobile site at any time.
As always, be sure to email security /at/ mylookout /dot/ com if you see anything suspicious on your mobile adventures. We’ll be there to help.
-Anthony Lineberry, David Richardson, Kevin Mahaffey

















The advice given in this article was sound and made good sense. I tried the above steps to create a Home screen bookmark to my personal bank – Regions Bank. I got to my bank’s site, entered my sign-in information, and clicked Login to proceed. The next screen that came up only said “Length Required” and I could go no further. Any ideas what that message meant?
@James Thanks for the support! If you can log in via your mobile browser without using the shortcut, but with the shortcut you get the error, double check to make sure the URL that the shortcut brings you to is “https://www.regions.com”. If that’s the URL that shows up in your browser, there may be a problem with your bank’s web site.
[...] the suspicious mobile banking applications that were recently available in the Android Market. Because people are using their phones to access bank accounts, there is an incentive for attackers [...]