CommBank and ANZ customers have been caught up in a fake banking apps scandal, a European security company has revealed.

Fake apps for the Commonwealth Bank and ANZ were among several bogus Android apps that tried to mimic the personal banking apps of six banks in Australia, New Zealand, Britain, Switzerland and Poland, as well as a Austrian cryptocurrency exchange.

The Slovakian security firm ESET wrote in a blog post that the fake
apps were uploaded to the Google Play store in June 2018. They had been installed more than 1000 times before Google was alerted by ESET and took them down.

The purpose of the fake apps is to obtain sensitive information, such as logon credentials and credit card details, from unsuspecting users.

“Some of the apps take advantage of the absence of an official mobile app for the targeted service [such as Bitpanda], while others attempt to fool users by impersonating existing official apps,” ESET wrote.

It noted that the apps were uploaded under different developer names, but there were similarities in the coding, suggesting the apps were the work of one hacker.

When launched, the apps displayed forms requesting credit card details and/or login credentials to the targeted bank.

Once users fill out the form, the submitted data is sent to the hacker’s server, according to ESET.

The apps then present their victims with a “Congratulations” or “Thank you” message, which is where their functionality ends.

CommBank provided a statement to The New Daily that said “security of our customers’ banking details is a top priority” and that “once a suspicious app is identified, we work with the app store to ensure the app is quickly removed or disabled”.

CommBank’s security advice

• Install apps only from official stores, such as Apple’s App Store or Google Play (for Android phone or tablet).
• Check the name of the publisher before downloading the app.
• Avoid installing apps from links received in an email, social media post, text message or a web page that doesn’t look right. The best way to download an app is to go to the store and download it from there.
• Read user reviews and ratings to assess if an app delivers a good experience.
• Many apps collect and send personal data from your phone, including your location and contacts. Keep on top of this by reviewing and managing permissions for each app. On an iOS device, this can be done under the Settings > Privacy function. On an Android device, you can find them under Application Manager.
• Read the terms of any app looking to access your contacts, location or other personal information when you log in using a third party service (such as Facebook or LinkedIn).