Adoption of digital banking has been frantically increasing in India and so have instances of fraud.
The latest threat to come to light is the presence of fake banking apps on the Google Play store that may have compromised the data of nearly 160,000 people, Global IT security company Sophos Labs said on Oct. 22.
The bogus apps of several Indian lenders made their way to the Google Play store in the last few months.
These fraudulent apps have been primarily targeting the users of seven banks—State Bank of India (SBI), ICICI Bank, Indian Overseas Bank, Axis Bank, Bank of Baroda, Yes Bank, and Citibank. Some of these apps also had a generic interface, serving customers from multiple banks. This may have compromised data from customers of 25 other banks, too, claims Sophos.
Emails sent to the seven banks from Quartz have elicited no response so far. However, YES Bank had earlier told the Press Trust of India that it has informed its cyber fraud department about the issue. Citibank, on the other hand, has denied that it has been impacted and has written to Sophos to strike out its name from the report.
Lured by promises
Sophos says many customers were lured into using the fake apps. “Many of these apps lured victims into downloading and using them by promising rewards such as cash back on purchases, free mobile data, or interest-free loans,” said Pankaj Kohli, threat researcher at Sophos Labs. A few others offered dubious services such as a promise to withdraw money from the customers’ accounts and then deliver the cash right to their doorstep.
Most of these fake apps were a close copy of the real banking apps or electronic wallets, and tried to mimic the names or graphic design of existing apps.
Some other apps had also used the image of prime minister Narendra Modi or Bollywood star Amitabh Bachchan to lure customers, Sophos Labs said.
Security breaches at Indian banks have happened in the past, too. In 2016, in one of the biggest ever breaches of financial data in India, credit and debit cards of 3.2 million banking customers were compromised. This was caused by a malware in the systems of Hitachi Payments Services, which runs and manages ATM networks. Ninety of Yes Bank ATMs that were managed by Hitachi were affected and data from cards used at these ATMs were stolen.
The recent malware case comes at a time when mobile banking transactions have been on the rise. Between 2015 and 2017, digital payment transactions have grown at an average annual pace of more than 50%, and instances of data thefts like these can be a huge deterrent.
“To avoid falling prey to such malicious apps, Android users should verify the developer publishing the app. Users should pay close attention to the user rating and read user reviews before installing such apps, even when downloading apps from trusted app marketplaces,” recommends Kohli.
Want to read more from Nupur Anand? Subscribe to Quartz Private Key—Quartz’s premium crypto newsletter, delivered twice weekly.