{
	"id": "a9facd39-cd0f-4234-a248-062cd3efe425",
	"created_at": "2026-04-06T00:16:50.380235Z",
	"updated_at": "2026-04-10T03:30:33.510074Z",
	"deleted_at": null,
	"sha1_hash": "75674ead901353467a3d7ae0f126c1aa8f82c524",
	"title": "Fake finance apps on Google Play target users from around the world",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 943910,
	"plain_text": "Fake finance apps on Google Play target users from around the\r\nworld\r\nBy Lukas Stefanko\r\nArchived: 2026-04-05 15:07:15 UTC\r\nScams\r\nCybercrooks use bogus apps to phish six online banks and a cryptocurrency exchange\r\n19 Sep 2018  •  , 3 min. read\r\nAnother set of fake finance apps has found its way into the official Google Play store. This time, the apps have\r\nimpersonated six banks from New Zealand, Australia, the United Kingdom, Switzerland and Poland, and the\r\nAustrian cryptocurrency exchange Bitpanda. Using bogus forms, the malicious fakes phish for credit card details\r\nand/or login credentials to the impersonated legitimate services.\r\nhttps://www.welivesecurity.com/2018/09/19/fake-finance-apps-google-play-target-around-world/\r\nPage 1 of 8\n\nhttps://www.welivesecurity.com/2018/09/19/fake-finance-apps-google-play-target-around-world/\r\nPage 2 of 8\n\nFigure 1 – Six of the malicious apps found on Google Play\r\nThe malicious fakes were uploaded to Google Play in June 2018 and were installed more than a thousand times\r\nbefore being taken down by Google. The apps were uploaded under different developer names, each using a\r\ndifferent guise; code similarities, however, suggest the apps are the work of a single attacker. The apps use\r\nobfuscation, which might have contributed to their slipping into the Store undetected.\r\nThe sole purpose of these malicious apps is to obtain sensitive information from unsuspecting users. Some of the\r\napps take advantage of the absence of an official mobile app for the targeted service (such as Bitpanda), while\r\nothers attempt to fool users by impersonating existing official apps. The full list of targeted banks and services can\r\nbe found at the end of this article.\r\nHow do the apps operate?\r\nWhile the apps don’t follow one common procedure, upon launch they all display forms requesting credit card\r\ndetails and/or login credentials to the targeted bank or service (examples can be seen in Figure 2). If users fill out\r\nsuch a form, the submitted data is sent to the attacker’s server. The apps then present their victims with a\r\n“Congratulations” or “Thank you” message (an example can be seen in Figure 3), which is where their\r\nfunctionality ends.\r\nhttps://www.welivesecurity.com/2018/09/19/fake-finance-apps-google-play-target-around-world/\r\nPage 3 of 8\n\nhttps://www.welivesecurity.com/2018/09/19/fake-finance-apps-google-play-target-around-world/\r\nPage 4 of 8\n\nFigure 2 – Bogus forms phishing for credit card details and internet banking login credentials\r\nhttps://www.welivesecurity.com/2018/09/19/fake-finance-apps-google-play-target-around-world/\r\nPage 5 of 8\n\nhttps://www.welivesecurity.com/2018/09/19/fake-finance-apps-google-play-target-around-world/\r\nPage 6 of 8\n\nFigure 3 – Final screen displayed by one of the malicious apps\r\nHow to stay safe\r\nIf you suspect that you have installed and used one of these malicious apps, we advise you to uninstall it\r\nimmediately.\r\nAlso, change your credit card PIN codes as well as internet banking passwords and check your bank accounts for\r\nsuspicious activity. If there have been unusual transactions, contact your bank. Users of the Bitpanda\r\ncryptocurrency exchange who think they have installed the fake mobile app are advised to check their accounts for\r\nsuspicious activity and change their passwords.\r\nTo avoid falling victim to phishing and other fake financial apps, we recommend that you:\r\nOnly trust mobile banking and other finance apps if they are linked from the official website of your bank\r\nor the financial service\r\nOnly download apps from Google Play; this does not ensure the app is not malicious, but apps like these\r\nare much more common on third-party app stores and are rarely removed once uncovered, unlike on\r\nGoogle Play\r\nPay attention to the number of downloads, app ratings and reviews when downloading apps from Google\r\nPlay\r\nOnly enter your sensitive information into online forms if you are sure of their security and legitimacy\r\nKeep your Android device updated and use a reliable mobile security solution; ESET products detect and\r\nblock these malicious apps as Android/Spy.Banker.AIF, Android/Spy.Banker.AIE and\r\nAndroid/Spy.Banker.AIP\r\nTargeted banks and services\r\nAustralia and New Zealand\r\nCommonwealth Bank of Australia (CommBank)\r\nThe Australia and New Zealand Banking Group Limited (ANZ)\r\nASB Bank\r\nThe United Kingdom\r\nTSB Bank\r\nSwitzerland\r\nPostFinance\r\nPoland\r\nBank Zachodni WBK (renamed to Santander Bank Polska SA in September 2018)\r\nhttps://www.welivesecurity.com/2018/09/19/fake-finance-apps-google-play-target-around-world/\r\nPage 7 of 8\n\nAustria\r\nBitpanda\r\nIndicators of Compromise (IoCs)\r\nPackage name Hash Detection\r\ncw.cwnbm.mobile 651A3734103472297A2C65C81757FB5820AD2AB7 Android/Spy.Banker.AIF\r\nau.money.go DE09F03C401141BEB05F229515ABB64811DDB853 Android/Spy.Banker.AIF\r\nasb.ezy.pay B6D70983C28B8A0059B454065D599B4E18E8097C Android/Spy.Banker.AIF\r\nuk.mobile.tsb 91692607FB529218ADF00F256D5D1862DF90DAAF Android/Spy.Banker.AIF\r\nch.post.finance FE1B2799B65D36F19484930FAF0DA17A0DBE9868 Android/Spy.Banker.AIF\r\npl.mblzch C43E7A28E1B807225F1E188C6DA51D24DCC54F5F Android/Spy.Banker.AIE\r\nwww.bit.panda 7D80158C8C893E46DC15E6D92ED2FECFDB12BF9F Android/Spy.Banker.AIP\r\nLet us keep you\r\nup to date\r\nSign up for our newsletters\r\nSource: https://www.welivesecurity.com/2018/09/19/fake-finance-apps-google-play-target-around-world/\r\nhttps://www.welivesecurity.com/2018/09/19/fake-finance-apps-google-play-target-around-world/\r\nPage 8 of 8",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.welivesecurity.com/2018/09/19/fake-finance-apps-google-play-target-around-world/"
	],
	"report_names": [
		"fake-finance-apps-google-play-target-around-world"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434610,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/75674ead901353467a3d7ae0f126c1aa8f82c524.pdf",
		"text": "https://archive.orkl.eu/75674ead901353467a3d7ae0f126c1aa8f82c524.txt",
		"img": "https://archive.orkl.eu/75674ead901353467a3d7ae0f126c1aa8f82c524.jpg"
	}
}