We know we have to be especially careful with the applications we install, since they can overreach with their permissions, include malware, or turn out not to be what they promised before installation. As with any consumer product, whoever uses the apps has to take responsibility, since their own security is at stake. The problem comes when developers set out to scam the user and the user, despite taking precautions, trusts what they say.
Phishing in emails is so widespread that few people are unaware of it. An email arrives from your bank, with the same design as its usual communications, asking you to enter your passwords? We distrust it by nature. But what happens if the same thing occurs in applications that are supposedly from our bank?
From Trend Micro comes news that should put us even more on guard, if that is possible: a scam using fake bank applications aimed at Spanish users. The mechanics were simple but effective: impersonate a trusted banking app so that later, with the permission to read SMS, the scammers could obtain the authorization codes when they tried to make purchases online.
The two-step authorization of your bank is not secure if a dangerous app can read your SMS
Most banks have adopted two-step authorization via SMS for purchases on the Internet. It is a very safe means, since it prevents scammers from using someone else's card number: they also need a real-time authorization from the user. In this way the user learns that someone is trying to use their card, because they receive a message on their mobile alerting them to the process.
Since the code received by SMS has to be entered when making a purchase, it is enough for the victim's mobile to have an application with access to SMS. The scammers make a purchase and wait for the bank's SMS to reach the victim; the fake bank application reads the SMS and sends the code to the scammers without the user noticing, unless they happen to read the message received. The perfect cycle.
Trend Micro explains in its report how this practice works and which applications were using it. Aimed at the Spanish public, and showing on their Google Play listings the stolen interface of banks such as BBVA, Bankia or EvoBank, they scammed users who downloaded them thinking they were from their bank. Once installed, the applications worked in the background thanks to the device ID, phone access and SMS permissions, monitoring the user's communications and forwarding them in order to confirm banking operations carried out by the scammers.
The applications reported by Trend Micro are no longer on Google Play, but that does not mean we can relax: as we have verified ourselves, it is a widespread tactic within the store.
We check how applications that seek to confirm purchases the user never made work
Searching Google Play, we had no difficulty finding apps that replicate what Trend Micro reported. This is the case of the developer CoderzValley Pvt. Ltd, which has two apps that mimic the appearance of BBVA and ING Direct.
Initially created as games, they were published on Google Play on October 18. The process they have followed is as follows:
- The developer publishes applications that have nothing to do with the ultimate goal: impersonating bank apps.
- The aim is to gather a minimum number of unsuspecting users and positive ratings for credibility; users download the applications trusting that they are harmless.
- The apps have the following permissions: full access to SMS, access to phone, access to device ID, full internet access.
- Once they have credibility, downloads and ratings, the developer changes the screenshots and icons on Google Play to look like those of the banks he seeks to impersonate.
- The bank user downloads them thinking they are official: they look like the real ones and have a good rating.
- The developer makes purchases with the cards, waiting for the apps to read the authorization SMS and send back the codes needed to authenticate the purchases.
Not only do we have to be extremely cautious with what we install; we also have to protect people who know less about technology. Let's show them how to check every application before installing it and how to judge which permissions are appropriate for it, and let's demonstrate how to uncover the false intentions of developers. Despite its efforts, Google cannot keep up with the tens of thousands of apps that are uploaded to the Play Store every day.
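A permission check along the lines described above, as an added example that is not part of the original article: it parses the output of `aapt dump permissions` for an APK and flags the SMS-plus-network combination the fake bank apps relied on. The manifest permission names mapped to the article's descriptions, and both sample outputs, are assumptions constructed for this example.

```python
import re

# Manifest names assumed to correspond to the permissions the article lists
# (SMS access, phone / device ID access, internet access).
SMS_READ = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
PHONE_ID = {"android.permission.READ_PHONE_STATE"}
NETWORK = {"android.permission.INTERNET"}

# Accepts both `uses-permission: name='X'` and the older `uses-permission: X`.
PERM_RE = re.compile(r"^uses-permission:\s*(?:name=)?'?([\w.]+)'?", re.M)
PKG_RE = re.compile(r"^package:\s*(?:name=)?'?([\w.]+)'?", re.M)


def audit(aapt_output):
    """Return (package, risk, reasons) for one `aapt dump permissions` output."""
    pkg = PKG_RE.search(aapt_output)
    perms = set(PERM_RE.findall(aapt_output))
    can_read_sms = bool(perms & SMS_READ)
    can_send_out = bool(perms & NETWORK)
    reasons = []
    if can_read_sms:
        reasons.append("can read incoming SMS: " + ", ".join(sorted(perms & SMS_READ)))
    if can_read_sms and can_send_out:
        reasons.append("SMS access plus network access: codes can leave the device")
    if can_read_sms and perms & PHONE_ID:
        reasons.append("can tie intercepted SMS to a phone or device identity")
    # SMS access alone deserves a manual look; with network access it is the
    # full interception path the article describes.
    risk = "high" if can_read_sms and can_send_out else "review" if can_read_sms else "low"
    return (pkg.group(1) if pkg else None, risk, reasons)


# Constructed sample outputs (not taken from any real app).
FAKE_GAME = """package: com.example.fakegame
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.READ_PHONE_STATE'
"""
PLAIN_GAME = """package: com.example.plaingame
uses-permission: android.permission.INTERNET
uses-permission: android.permission.VIBRATE
"""

if __name__ == "__main__":
    for sample in (FAKE_GAME, PLAIN_GAME):
        print(audit(sample))
```

A "high" result for something published as a game or a utility is the mismatch to look for: nothing in such an app's stated purpose needs to read SMS.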