Shilko says he is aware of 11 well-designed fraud apps that have slipped into the official Play store, often by mimicking mobile payment sites.
The researcher did not name the affected payment sites and there is no suggestion the companies are to blame. Google is part of the problem too, as the company can take some time to act on user fraud reports.
He added that these attacks combine traditional, browser-based phishing attacks with the mobile platform in order to create convincing mobile applications. These applications are available to users directly from a trusted location – the Google Play Store.
Victims would likely not notice anything amiss, as the user interface and experience are fluid, other than a failure when a user's legitimate login credentials do not access accounts. Various iterations of the phishing apps have similar names and attack flow, strongly indicating that a lone attacker or group is behind the scams.
Shilko says building Android apps that are little more than a mobile web page is a clever tactic for phishers, as it targets users who frequent Google Play, avoids email anti-phishing defenses and avoids banks' fraud detection mechanisms.