Dec 15, 2009
MShift Security Warning: Android
It has come to MShift’s attention that in the first and second weeks of December 2009 a developer using the Android platform deployed shells of mobile banking applications to try to gain access to banking customers’ financial information. This phishing attack has been launched from the Android Marketplace and is impacting over 50 financial institutions worldwide, including those that currently do not offer mobile banking solutions, much less an Android download.
MShift advises that you inform your customers of this potential phishing threat and tell any of your customers who have downloaded this application from the Android Marketplace that the Android downloadable provided by Droid09 is NOT an authorized or legitimate downloadable application of your institution. We suggest you immediately advise your affected customers to contact your fraud department and to change their login password via the approved methods for your bank, outside of the mobile device.
In addition, MShift recommends that the customer immediately remove the application from their phone, take the phone to their mobile provider, and have the technical team evaluate it to make sure the application is completely removed and has not compromised any other applications or records within the phone.
To clarify: the browser-based Mobile Banking solution provided by MShift remains fully secure. Your customers still have secure access to their mobile banking via their Android device, using the mobile browser interface. This downloadable hacking/phishing effort provided by Droid09 represents a transparent attempt to gain access to credit cards and account numbers through the emerging Android platform. MShift recommends that you advise your customers with Android devices to access their bank accounts, or other e-commerce-related activity, ONLY through the web browser interface, instead of a downloadable application, until the Android platform has been proven secure for financial transactions.
Information Security Team