bit-tech.net

Banking trojan hits Android

Published on 11th January 2010 by Gareth Halfacree

Banking trojan hits Android

All applications published by user 'Droid09' have been removed from the Android Market after a banking trojan was uncovered.

A malicious application has been removed from the Android Market after it was discovered that it attempted to steal banking details from customers of the First Tech Credit Union.

As reported on the First Tech Credit Union website - via Slashdot - the application, uploaded by a user calling himself Droid09, posed as a useful utility for managing accounts on Android-based mobile devices. While at first glance the application seemed legitimate - and there are mobile banking applications available for the platform - it turned out to be the work of a fraudster who used the application to harvest online banking details.

While the attack wasn't aimed specifically at the First Tech Credit Union, which was founded in 1952 by employees of the Tektronix corporation, the credit union was the first to officially denounce the application - and to alert Google that it should be removed from the Market.

While all of the applications uploaded by Droid09 have been removed since the alert went out, many are seeing the attack as an inevitable consequence of the openness of the Android platform: unlike the iPhone App Store, which has a rigorous vetting process which helps to prevent malicious applications from being made available, the Android Market has far fewer restrictions and is open to anyone who is willing to pay a $25 fee to become a publisher. While this provides more flexibility, it also provides a channel for attacks - as exploited by user Droid09.

So far there has been no comment from Google on how - or if - it plans to prevent this kind of occurrence in the future, without jeopardising the freedom offered to Android developers.

Are you surprised it's taken this long for a truly malicious application to hit the Android platform, or does this justify Apple's approach to application security? Share your thoughts over in the forums.

15 Comments

Discuss in the forums Reply
eddtox 11th January 2010, 14:49 Quote
It was only a matter of time before it happened. It's worrying that the delivery vector was the Android Market, but not surprising. People assumed they were safe, now they know they are not and hopefully will be more careful about what apps they download.
wiak 11th January 2010, 15:04 Quote
lol nothing new here, move over (hint: windows and the interwebs)
bladerunner168 11th January 2010, 15:27 Quote
I know, I'm old school. I like to play Borat quotes loud on my HTC Hero, I also like to play Mr T quotes. I also like the barcode scanner app which then checks prices on froogle. But there is NO WAY I would do my banking on mobiles, NO WAY, NO WAY :'(

I still do my banking at the branch
leveller 11th January 2010, 16:06 Quote
Quote:
Originally Posted by eddtox
It was only a matter of time before it happened. It's worrying that the delivery vector was the Android Market, but not surprising. People assumed they were safe, now they know they are not and hopefully will be more careful about what apps they download.

1) I think it is pretty cool you managed to slip the words "delivery vector" into your post. Gave me an instant feeling of reading a sci-fi novel.

2) Is it really possible for people to be careful? I seriously have no interest nor knowledge of the Android stuff but if the freedom to create and submit anything exists ... I can imagine what sort of coders will be attracted to the phone.
StephenK 11th January 2010, 16:49 Quote
Guess it was bound to happen sooner or later. Maybe we'll see some sort of vetting system in future to try and cut down on this sort of thing.


(Off Topic: What is with henrinaiara's posts? Do we have a bot in our midst? )
smoothie 11th January 2010, 18:10 Quote
In the Android Market, the only way you can really be careful about which apps you download is to first read the reviews of the apps that exist on their description pages. People who comment on apps usually post any problems with the app, and suggestions on how to make it better, or if there's a better app on the market. For decent apps, the devs will also post comments to let users who check for updates know which problems they're working on. However, if an app appears to be working correctly, and then suddenly turns malicious, you'll have little warning.

Kind of reminds me of this story (last page of article is most relevant, but the article isn't too long): http://http://www.cosmosmagazine.com/fiction/print/41/the-many-body-problem?page=0%2C0
Nexxo 11th January 2010, 18:14 Quote
Quote:
Originally Posted by leveller
1) I think it is pretty cool you managed to slip the words "delivery vector" into your post. Gave me an instant feeling of reading a sci-fi novel.
+1. Added it as a tag. :D
eddtox 11th January 2010, 18:20 Quote
Quote:
Originally Posted by leveller
1) I think it is pretty cool you managed to slip the words "delivery vector" into your post. Gave me an instant feeling of reading a sci-fi novel.

2) Is it really possible for people to be careful? I seriously have no interest nor knowledge of the Android stuff but if the freedom to create and submit anything exists ... I can imagine what sort of coders will be attracted to the phone.

Hehe glad I could help ;)

Like you, I have no interest in the android platform, but I think it's time people began to treat mobile apps with the same care/suspicion they treat pc apps. As more information passes through/ is stored on mobile phones, more and more malware will target them. Especially where there are a huge number of people on the same platform Ie Android, iphone

@smoothie: awesome-scary
shanky887614 12th January 2010, 10:35 Quote
isnt online banking for thick people?

do you guys hinestly know how weak wifi encryption is it takes 5mins to crack wep and under an hour to crack wpa so its no suprize and its a gadget you are still suposed to use your brain
its like a satnav you have to be pretty thick to drive into the channel when you select lodon to pariss on your satnav
ch424 12th January 2010, 10:50 Quote
Quote:
Originally Posted by StephenK
Guess it was bound to happen sooner or later. Maybe we'll see some sort of vetting system in future to try and cut down on this sort of thing.

No. I'd much rather have the freedom to let people write trojans if they want. Android already gives the user a list of what an app is allowed to do when they install it. I'd never trust an app that says "let me remember your passwords for you!! :) :)"
Quote:
Originally Posted by shanky887614
isnt online banking for thick people?

do you guys hinestly know how weak wifi encryption is it takes 5mins to crack wep and under an hour to crack wpa so its no suprize and its a gadget you are still suposed to use your brain
its like a satnav you have to be pretty thick to drive into the channel when you select lodon to pariss on your satnav

Ummm...? You know that when you connect to a bank website it goes over https/SSL, right? It doesn't matter if you connect over unencrypted wifi, nobody is going to steal your details anyway. When you use an ATM, or use your card in a shop, your details are sent over the internet using the same encryption system. If someone had the resources to crack SSL, they'd do something more than steal $200 from your bank account.
Torwald 12th January 2010, 11:59 Quote
Hmm... Such attempts of stealing bank details could only affect bank accounts where only id/pass is required to send money.
In my country, when you want to make a wire transfer, you have to give some letters from secret password, next password which is sent via SMS and sign all this with your encrypted key (in file @ computer).
Now tell me, what use of my 'details' would such a 'cracker/phisher' have ? He wouldn't even log in to my account...
shanky887614 12th January 2010, 12:20 Quote
yes but what i mean is if they can get on your server/internet they can leave a trojan there to get your details and you guys would be suprised at how easy it is to mask a trojan/virus as a harmless plugin or something else
ZERO <ibis> 14th January 2010, 03:41 Quote
The important thing to take away from this is that it worked only if a user entered sensitive data into the application. It is the consumers responsibility to ensure that the places they enter sensitive data into are secure. Worst case Google adds a warning reminding users to preform their own independent check on an application to ensure that the information they use on that app is secure.
leveller 14th January 2010, 08:09 Quote
This wasn't the only bad app, Google are having to step in to clear up the Android store.
eddtox 14th January 2010, 09:55 Quote
Google can't be expected to ensure that other developers' applications are safe, just like Ms can't be held accountable for Windows malware. History shows us that lowering the barrier to entry for developers helps make platforms more successful. History also shows us that the more successful a platform is, the more likely it is that it will be attacked. The alternative is going the apple route and filtering every single app, but in the long run that doesn't seem to work as well because it becomes more difficult/risky for developers to take up the platform. In the words of a (in)famous CEO , "Developers developers developers" etc.
Log in

You are not logged in, please login with your forum account below. If you don't already have an account please register to start contributing.



Discuss in the forums

More About...

Custom PC Issue 117

Custom PC Issue 117

3 Issues for just £1
PC Hardware Buyer's Guide August 2012

PC Hardware Buyer's Guide August 2012

Hardware 29 – We are not Server Admins

Hardware 29 – We are not Server Admins