Mobile payment services are gaining popularity, and you should be more careful than ever in choosing which apps to use.
Case in point: Researchers from security firm PhishLabs recently discovered as many as 11 apps on Google Play posing as clients for popular payment services, which in reality were phishing scams, largely created by a single group of attackers.
The apps act like any other phishing scam — that is, they load websites that look just like pages from payment companies, but when you enter your username and password, that information is handed right over to the attackers. The pages are loaded within the app itself, so you don’t see the URL, just the page. Even if you could see the URL, however, the attackers have in some cases registered domains that could easily be mistaken for those of their target companies.
While PhishLabs did not specifically name which apps were targeting users, it did offer a piece of advice: most payment companies, like PayPal, provide links to their apps from their official website. Following these links to download the app is always better than manually searching for an app on Google Play.
“In one case, a targeted company explicitly states on their website that no mobile application exists for their company and that users should be wary of any mobile application using their brand,” said Joshua Shilko, PhishLabs Security Threat Analyst, in a blog post.
A related issue is how long it takes for apps to be removed from Google Play — even if an app is found to be a scam and reported, it can take a number of days for Google to actually remove the app, during which time more people could fall for the scam. Not only that, but if one app is able to bypass Google’s review process and is then removed after being reported, it’s possible that those behind the scam could simply submit another app.