SYDNEY (Reuters) – Customers of six banks including two of Australia’s largest lenders have had their personal details stolen by fake banking apps on the Google Play store, an internet security firm said.
Slovakia-based security software firm ESET said the official-looking apps had been downloaded over a thousand times since they were uploaded to the Google Play store in June.
In addition to Australia’s Commonwealth Bank and Australia and New Zealand Banking Group, banks in Britain, New Zealand, Switzerland and Poland were targeted, the firm said in a blog post.
The scheme was likely to have been the work of a single attacker, it added. The banks’ own apps and systems were not compromised.
“These groups are involved in phishing, obtaining your log-in credentials for your bank, or your credit-card information and in some cases both,” ESET researcher Nick Fitzgerald told Reuters from Christchurch in New Zealand on Thursday.
A Google spokeswoman declined to respond to questions about the scam, saying the company did not comment on individual apps.
Once downloaded, the fake apps asked customers for personal and banking details, including credit-card information and banking log-in details, ESET said.
After sending the data to the attacker’s server, the app would show messages saying “Congratulations” or “thank you” and end.
An ANZ spokeswoman said a customer alerted the bank to the fake app in June.
“We worked closely with the Google Play team to have the app removed in a few hours,” she said.
Commonwealth Bank declined to comment.
A spokeswoman for Auckland Savings Bank, which is owned by Commonwealth Bank, said customers alerted it to the scam in mid-May and immediately asked for the fake app to be taken down.
“No customers lost money as a result of this issue,” she said.
ESET did not say precisely how many people had been affected by the scam.
Reporting by Paulina Duran; Additional reporting by Charlotte Greenfield; Editing by Stephen Coates