This week a malware App called BankMirage appeared on Google Play. The App targeted customers of an Israeli bank, Mizrahi Bank. Lookout reports that it was the first to notice the App on Google Play and that it alerted Google to the malware. According to Lookout, the malware authors put a wrapper around Mizrahi Bank's legitimate App, which was already available on the Google Play store. After wrapping their malware around the original App, they redistributed it on the Google Play store, presenting it as a banking and financial App for Mizrahi Bank.
The cloned App was available for a couple of days before Google removed it. Surprisingly, the cloned App, although it was malware, took only users' IDs and not their passwords. Lookout is not certain why it behaved this way.
While it was available on Google Play, the App was downloaded quite a few times. Once a victim installed and opened the App, the malware would load the login form. This login form was an in-app HTML page made to look very similar to the original banking App's interface. However, it had been changed to siphon off victims' user IDs as they entered their credentials. It is effectively a phishing attack, and many would have fallen prey to it, but one that does not steal passwords. The motive behind this strange behaviour is not known. Lookout found that those who built the malware had inserted a comment into the code dictating that only the user ID be taken, not the password.
After the victim entered the user ID, the App stored it and returned a message telling the user that the login had failed and to reinstall the legitimate banking App from the Play Store instead. Google immediately removed the App after being notified. If you are in doubt about the legitimacy of your banking App, kindly download the App from the Google Play link put up by the bank on its HTTPS website.