14 DAY TRIAL // A malware writer succeeded in getting a rogue phishing application listed on the Android Market website. The software posed as a shell for mobile-banking applications, but, instead, was being used to steal online banking credentials.
According to an alert issued by Travis Credit Union (TCU), the rogue piece of software was posted on the Android application store during the first week of December by a developer called 09Droid. "Your mobile device may be at risk if you downloaded an application provided by 09Droid from the Android Marketplace; applications from 09Droid are NOT an authorized or legitimate downloadable application for TCU Mobile Banking," the credit union stresses. The credit union chose to notify its customers via its website, Facebook page and e-mail, even though its services were not targeted by the rogue application.
A similar warning was issued by the First Tech Credit Union, which states that the application tries to steal financial information from consumers, for the likely purpose of identity theft. The financial institution recommends that affected users take their phone to their mobile operator in order to make sure all traces of the malware are removed.
Android is an open source operating system for mobile phones, based on the Linux kernel. Development efforts are being coordinated by a consortium of companies known as the Open Handset Alliance, which includes big names such as Google, Intel, HTC, NVIDIA, Motorola, LG, Samsung, T-Mobile, Sprint, Sony Ericsson, Vodafone.
The operating system has recently seen a spike in popularity with the release of Google's Nexus One phone, a clear contender for the iPhone. The Android Market is the equivalent of the iPhone App Store, but the application screening is apparently not as strict as on Apple's platform. There are currently over 22,000 applications available on the Android Market.
The two credit unions have made it clear that they currently do not develop or support a mobile banking application and that their customers can continue to securely perform online banking operations through their Web browser's interface. However, Graham Cluley, senior technology consultant at Sophos, notes that this points to a future attack vector. "As more and more users inevitably take advantage of smartphones to access their bank accounts in the future, the temptation for hackers to exploit systems may become greater," he writes.
Correction: The article has been updated to clearly reflect that this threat did not affect the members or services of Travis Credit Union.