CBA, ANZ Customers Caught In Fake Apps Scam
Over a thousand bank customers may have been tricked into handing over confidential information by fake ANZ and CBA apps that went undetected in the Google Play store for weeks.
The apps, which appeared in June and then quickly disappeared, were spotted by international security group ESET and posted on its website, welivesecurity.com.
ESET says the apps were downloaded and used “more than a thousand times” after they first appeared on Google Play on June 18, and that anyone who used them risked handing over all their card details and login information, which could then be used to access their online banking services.
ESET has uncovered numerous instances of fake apps used to impersonate banks globally, but for the first time the two Australian banks made its list of the top six. The other four are from banks in the UK, Switzerland and Poland and an Austrian cryptocurrency exchange.
ESET senior research fellow Nick FitzGerald told The Age that the apps were discovered during routine checks and that it was rare for fake banking apps to pass the automated Google Play system.
“The apps use obfuscation, which may have contributed to them slipping into the store undetected. There were code similarities, which suggests the apps were the work of the same attacker. This is a big concern for anyone who may have handed over personal information. The loss of personally identifiable information can result in financial fraud that may affect you for the rest of your life very negatively.”
Neither of the banks was obliged to tell customers at the time because the apps were not directly hacking into the banks’ security, merely impersonating them, which falls outside the Notifiable Data Breaches Act introduced in February this year.
Both banks have claimed that neither of their customer bases was affected, citing the strenuous security measures they have in place for such events, yet the apps were still downloaded over 1000 times from an official Google app store.
ESET has comprehensive information on how to avoid phishing scams on its website. The most fundamental point is that bank customers in particular should follow the link through to the supposed website and thoroughly check that it is genuine before handing over any information.