Bank app users warned over Android security

News 28 Feb, 2013

Mobile banking on Android smartphones could put consumers at risk of fraud and cost banks millions.

Mobile apps provided by mobile operators and handset manufacturers could put expose phone users to fraud, according to research carried out by an IT security company.

MWR Labs investigated the security standards of Android mobile phone brands to determine the overall exposure to risk of consumers who use mobile banking.

It said that its results indicated that on some handsets as many as 64 per cent of manufacturer added applications were exposing users to serious security issues.

The company looked at six classes of potential vulnerabilities in apps and packages in the leading brands and mobile phones using a modified version of Mercury, its security testing framework, to automatically scan the devices and identify security weaknesses.

The research discovered security vulnerabilities in software added by phone manufacturers or network providers which could be targeted by a malicious application inadvertently downloaded by the user.

These weak apps often have more permissions that allow them to access contacts, make telephone calls and even record the content of those calls, meaning that the potential consequences are serious and sensitive data could be compromised. Other applications were found that allowed further apps to be installed with an arbitrary set of permissions, essentially leaving consumers fully exposed to fraud.

“We found that while banking apps were generally well written and had very few security issues, the integrity of consumer phones was often compromised by software provided by the phone manufacturer or additional software added by the network provider, exposing online banking customers to potential fraud," said MWR's managing director Harry Grobbelaar.

“Some of the leading Android handset manufacturers are already looking at shipping mobile devices with native near-field communication (NFC) payment functionalities but if the software in the phones is not secure, the risk will then be even higher," he said.

He said that as more businesses use smartphones as mobile point-of-sale devices, these devices will become critical in the payment chain and if not adequately protected could "introduce additional risks for card fraud that could cost banks millions a year."

Grobbelaar added that there were many examples of malicious apps sending premium rate text messages and expected there will be a "natural progression" to higher value areas such as payments and banking.