Phishing Android App Steals Banking Info
A few weeks ago there was a developer on Android Market named Droid09 who uploaded a malicious application to Android Market. Apparently the dev’s apps POSED as official banking applications but instead were just “shells” with the purpose of stealing your personal information and banking logins/passwords.

The rogue application was outed by First Tech Credit Union, whose customers I assume were among the first victims of the fraudster responsible for the debacle. But First Tech customers weren’t specifically targeted, so everyone out there should double check what apps they have installed and especially check for anything from Droid09.

The application was removed from Android Market but probably not before a few people got burned. While Apple’s app review process for the iPhone has been heavily criticized/scrutinized, Google’s more open approach isn’t perfect either. Apple may be “better safe than sorry” whereas Android allows the user to determine what is safe and what isn’t.

Make sure you do your research before downloading and using any application or game, and DON’T FORGET to check the permissions that each application asks for access to!

I’d also love to hear what steps Google took after the application was identified as a phishing application. Did they simply delete the app from the market? Did they ban the developer? Did they fine him? Are they pursuing legal action? Having a global ecosystem makes harsher punishments difficult to pursue, but ill-willed developers would be less likely to play the scam game if they knew there were repercussions.

[First Tech Credit Union via Slashdot, Engadget Mobile]

Rob Jackson

  1. That developer (thieving piece of crap) put up banking apps for 20 or more different banks. It looked a little scary to me when I saw how many he had put up. I hope there weren’t too many takers on his apps.

  2. This is a pretty major concern. How are we (as users) supposed to determine if a program has ill intentions or not? I know there are a few obvious things to look out for (and I won’t delve into them here because I think anyone reading this knows them). But what about the app that someone spends a little more time on? It looks nice, has decent (albeit probably not very many) reviews and requests access to the parts of our phone that we would assume an app of its type would need to use? There’s no “requesting access to personal info for malicious use” notification to accept or reject. Any banking application would request access to the internet whether out for good or evil. We can’t read the source code for these apps to see what’s going on.

    I guess “don’t be an early adopter” works (fairly) well, but even today, most of us Android wielders are still considered to be of the early adopter type (especially those of us that still have a G1 kicking around the house somewhere).

    I hope Google finds a way to keep things open and free while still secure and safe.

  3. Effe. They better do something about it; in my opinion this is something that could cost Google a lot of money. This does not look good with a new phone just out.

  4. @paladaxar
    Common sense, with a small dash of paranoia, should work pretty well. Even then it’s possible to get burned, but if they applied it, I doubt anyone would have downloaded such an app. When I decided I wanted access to my banking on the phone, I checked at my bank first to see what they offered; I didn’t look to Market. My banking is between me and my bank, and they have an interest in seeing that I don’t get ripped off. So I trust them a wee bit more than “some guy” with a name like droid09. I doubt you will ever be able to totally protect people who would fall for something like this; the same thing could be done with other phishing techniques.

  5. @jae.
    Is. That

  6. @Dennis
    I’m not saying that I would get taken by this scam… or 99% of them out there. The “common sense” thing is what I was referring to when I said “there are a few obvious things to look out for”. I didn’t go into the details of what I look out for because I think most of us here already are quite versed in them. But, let’s not forget a few malicious programs here and there are made by people as smart or even much smarter than we are. There are a few criminals out there that know that using a name like “Droid09” or launching 20 bank apps at the same time or using logos that are even a little bit off are not the way to get this job done.
    If some type of system (even third party) isn’t implemented soon, even you sir could be taken by one of these scams at some point. And even if you come out squeaky clean without ever falling prey to one of these scams, it might not matter if the OS we all hold near and dear to our hearts isn’t around any more because enough (of those other silly) people got scammed and fled.

  7. Yeah, I agree common sense is a needed thing in this… however, we Android users should all be protected… regardless of common sense being used.

  8. If you are stupid enough to download a banking app from a third-party and enter your account & password into it, you deserve to have all of your money taken. It is probably in your best interest, since you obviously have serious mental deficiencies and need someone to keep you from injuring yourself.

  9. @AnonCow – couldn’t have said it better. At the end of the day, Android is still a nerd product, and it will take a long time yet for this to change.
    Maybe Google will need a much tougher / scrutinized application market for general consumption, and then another for the people that do research.

  10. There is a system in place. It’s called looking out for each other. It is in fact a big part of what open source is all about. This scam was easily found and removed. I don’t have too many worries over the mass exodus of users fleeing. In fact history is against such a thing when you look at the Windows world as an example. As a Linux user, I would like it very much if there was a layer in between developers and making it available. With Linux, you have experimental, testing and stable levels of software. It would behoove Google to create such a buffer of volunteers to vet apps. However, lacking such a thing, I have to use my best judgment and rely on my peers.

  11. I am super paranoid with my computer (comes from being in IT for a long, long time). I trust nothing. I had already figured out the Google Market was more of a jungle than the iPhone’s, but I wouldn’t give up the open source.

    Just be paranoid.

  12. Google has a massive banish program going on where they have permanently banned thousands of advertisers who are running AdWords campaigns which they consider scams. I know of people spending huge 5 figures per month with Google that were categorically banned, supposedly without recourse or appeal.

    And those who were banned and thought they could simply re-open new accounts with new names, credit cards and IPs were easily caught with Google AI algorithms (since this was obviously the bad guys’ next move).

    I see no reason Google couldn’t use that same AI to permanently ban those criminals (or at least make it a lot more difficult) so they can’t get into the marketplace again.

  13. IMO, what needs to happen is Droid09 needs to be hunted down and prosecuted to the fullest extent. 10-20 years in prison – a mandatory sentence. That’s the first step. The second step is pretty obvious to most by now: Any program that requires the user to give up sensitive information should be scrutinized.

  14. Don’t put a password from one location into another (and that means don’t reuse passwords). I was hesitant to put my password into one of the Netflix programs… why would anyone put their bank password anywhere? Maybe people should be required to take a competence test before they can download an application.

  15. And what was the name(s) of the software?

  16. Ha ha, people are so dumb. If the banking app you’re downloading isn’t provided on your bank’s website, Houston, we have a problem. But the people deserved to get scammed for not asking their bank first.

  17. Why do you need an application for banking? Why don’t you just go onto your bank’s website?

  18. Regardless of fair judgement, common sense or even pure paranoia — Android users should have been given a bit more protection. Clearly little to no vetting process was employed as we do here at VeriSign with extended validation SSL implementation. And any program that requires the user to give up sensitive information should be scrutinized to some degree.

  19. So this should make Google aware that some precautions need to be taken. I personally would like something that shows you the most credible, safe apps first in searches. I noticed while playing around in the market that searching for something as harmless as YouTube brought up anything BUT YouTube. This could be just as bad or worse when looking for apps that share private information. Perhaps there should be “secure apps” that have been screened for malware, spyware, and viruses, or at least certified by Google so that users know “ok, if I download this app it’s not going to screw me for everything I’ve got.” It was bound to happen with loose controls on the system. However, I think that we can still have a very free and open system while having security as well… is it too much to ask for both?

  20. Actually, there should be zero tolerance for requiring personal info such as banking info unless created and submitted through a hefty screening process.

  21. When I want to do banking, I use an app on my phone called “Dialer”… and I connect to my bank’s phone system. It’s no slower and much more secure.

  22. What someone else said about paranoia with a dash of common sense seems like very good advice. I’ve had it less than a week but if someone were to take over my Droid the most they would get is a short history of websites visited, my phone number and my contacts.

    My bank would have to do some serious selling and insurance against fraud before I would even think of putting that type of data on my phone. A 3rd party app doesn’t stand a chance even if it is legit.

    Chase (I usually don’t name names, but in this case I will) claimed they didn’t receive my Visa payment TWICE within 6 months of them taking over my old bank.

    It was the first time in 25 years the postal service ever “lost” a check I had mailed to a creditor. The first time I let it go and they rescinded $80 in late fees and interest.

    The 2nd time it happened they refused to forgive late fees and charges even though I had money in my checking and savings accounts that I transferred to cover the entire bill immediately (not just the minimum payment). The customer DISservice representative kept telling me I should “not put myself in that position” – that is, trusting that the US Postal Service would deliver my payment even though they’ve been doing it for 25 years and the only checks they’ve ever “lost” were sent to Chase for Visa card payments within the last 6 months – both were mailed with other bills that all reached their destination.

    Sorry Chase – you are a scam artist like all the rest. This is why I am a former customer. I will NOT put myself in the position of trusting you ever again.

    These huge institutions end up hurting themselves in the long run. The reason I am a Verizon customer is because another major wireless company told me I could roam as much as I wanted to and so I did – then they sent me a bill for 10 times the amount I expected (over $500) and the increase was all due to roaming charges.

    Several of their customer reps told me they could make an adjustment but they never did.

    I never paid the bill – I sent certified letters to them asking for arbitration. They never responded. I really wonder what they sold the debt for – it was probably less than I was willing to settle for. Instead I’ve been paying Verizon $50-100 a month for the last 8 years. Do the math – AT&T screwed themselves by trying to screw me.

    Verizon isn’t perfect. I’ve had a couple of disagreements with them but they’ve been minor enough or settled well enough that I can’t even recall what they are now. OTOH AT&T is on my “never do business with again” list.

  23. @AnonCow — as much as it might not be the wise thing to do, no one deserves to have their money taken away by some scumbag.