22 January 2015
Eleven percent of the payment apps available globally for Android phones and tablets contain malware or suspicious binaries, according to RiskIQ, a company that helps organizations maintain the integrity of websites. It found that 40,000 of the 350,000 apps which reference banking had security issues and another 40,000 contained dangerous permissions.
Mobile banking presents a lucrative opportunity for criminals to commit fraud, said Elias Manousos, CEO of RiskIQ.
“One of the easiest ways to steal a victim’s login and other personal information is using malware and apps with excessive permissions. These findings show that criminals are using look-alike banking apps to distribute malware and capture data on the device in order to commit crimes.”
Every country has at least one Android app store and most device makers have a store as well. RiskIQ works with banks to identify apps that can cause problems for their customers, he said. Apple operates a closed ecosystem and checks apps before they go up in its one official App Store, so it doesn’t face the security problems Android does.
Consumers should avoid downloading apps from advertisements or email, he said.
“You should really look at the author of the mobile application and the reviews and the other metadata that are available in the store and cross-reference that with common sense,” he added.
RiskIQ works with banks to eliminate the problem so that mobile customers won’t have to download and update anti-virus software as they have done with PCs.
Phone owners should also make sure their children understand how to download apps safely so they don’t put the family’s accounts at risk.
Banks can protect their consumers who use a bank’s own mobile application, but many people want to use third-party apps like Intuit or Mint for budgeting, he said. Go with a company that has a good reputation and has been around for a while, he advises.
Mobile operators are doing more to protect consumers, he added.
“But anytime there is a way to make money it is a little bit of a cat and mouse game. As the brand owner, you have to take the first steps to protect your brand. That doesn’t solve the problem globally, but it does protect your brand and move the bad guys elsewhere.”
The RiskIQ platform continuously monitors mobile application stores and websites using software agents that emulate human behavior to detect suspect applications, application tampering and brand impersonation.
In the wake of the Target security breach, the company built a global database of threats against consumers. It also built a threat detection system to determine what is a threat, what is not and when someone needs to take action.
Manousos said the company’s customers are in the Global 2000, the top 20 financial services institutions and the top five most-used Web sites.
RiskIQ is headquartered in San Francisco and backed by Battery Ventures and Summit Partners.
Source – http://www.forbes.com/sites/tomgroenfeldt/2015/01/21/android-payment-apps-can-be-risky/