Fake bank apps may have stolen data of thousands, says report

Representational image | SophosLabs

Fake apps of SBI, ICICI, Axis Bank, Citi and other leading banks that are available on Google Play may have stolen the data of thousands of bank customers, claims a report by IT security firm SophosLabs.

These fake Android apps have the logos of the respective banks, which makes it difficult for customers to differentiate between the fake and original apps, SophosLabs said.

The SophosLabs report further said that the deceptive malware in these apps may have stolen account and credit card details of thousands of customers.

When contacted, some of the banks mentioned in the SophosLabs report said they have not come across any such fake apps.

However, some banks have started an inquiry and have also informed CERT-In, the national nodal agency for responding to computer security incidents.

The fake apps targeted customers of seven banks—SBI, ICICI, Axis, Indian Overseas, Bank of Baroda, Yes Bank and Citi Bank—the report said.

Yes Bank said it has informed the bank's cyber fraud department about the matter.

However, a response from SBI, the country's largest lender, was awaited. There were no immediate comments from ICICI Bank and Axis Bank.

According to the SophosLabs report, the apps lured victims to download and use them by masquerading as internet apps or e-wallets, promising rewards including cashback on purchases, free mobile data or interest-free loans.

Some even claimed to be providing a too-good-to-be-true service, enabling users to withdraw cash from an ATM and have it delivered to their doorstep.

"Deceptive malware may have stolen thousands of Indian subcontinent bank customers' account data or credit card numbers," said Pankaj Kohli, threat researcher, SophosLabs.

Fake apps are not new to Android and this sort of malware will continue to find its way into the Android app store, it said.

"Some are blatant copies of real apps, while a few are much more dangerous as they seed malware and steal data from user accounts. Users should always use antivirus software, which provides malware protection and internet security to keep users protected and stop these fake apps from stealing data," SophosLabs said.