Just over 60% of financial services apps available on the Google Play Store are susceptible to app repackaging or cloning attacks.
Promon collected research from 384 financial services applications, including banking, crypto, merchant, payment, government, and other financial services. It found that 236 of these apps were vulnerable. Of these, 154 were banking apps.
App repackaging allows bad actors to take an existing piece of software, such as a mobile app, and inject their own code on top of the existing source code. This allows them to modify the function of the application and “repackage” it.
As a result, the app can perform additional background tasks outside of its intended functions, such as credential stuffing, where a user’s login information is stolen.
The report also looked at the most downloaded financial services apps. Of these 92 apps, 50% could be successfully modified and repackaged.
Promon also tested the most popular apps within certain regions. Of the most popular apps in the US, Promon found that out of 54 apps tested, 37 (68.5%) were able to be repackaged.
As for the UK, it tested 74 and found 45 vulnerable, while in India 69 apps were tested and 47 were susceptible.
The CyberTech company said that all the susceptible applications shared a common weakness: none of them contained a component that could detect whether the app had been repackaged. Without such a check, a tampered copy runs exactly like the genuine one, so the app itself has no way to recognize that the attack has occurred.
Benjamin Adolphi, Promon software engineer responsible for the investigation, said: “For years, Android users have been by far the biggest victims of banking malware. The ease of access provided by the Android SDK has benefited developers, but unfortunately it has not gone unnoticed by many cybercriminals.
“The susceptibility of APK files to tampering should be of great concern to the billions of users within the Android ecosystem who simply want to manage their finances from their mobile device.”
In other CyberTech news, a US Treasury report found that US financial institutions experienced nearly $1.2 billion in costs associated with ransomware attacks in 2021.