IBM uncovers Android banking vulnerability; consumers turned off by security fears

IBM uncovers Android banking vulnerability; consumers turned off by security fears

One-in-ten banking apps are wide open to a malicious drive-by hacking exploit that exposes user credentials when visiting bug-laden websites.

The vulnerability - discovered by the IBM Security X-Force Research team - lies in Android applications built on the Apache Cordova (previously PhoneGap) platform. According to AppBrain, this affects 5.8% of all Android apps and roughly one-in-ten mobile banking apps.

The Apache Cordova vulnerabilities enable Cross-Application Scripting - the execution of a malicious JavaScript code - which can occur when users unwittingly browse an infected website.

Says IBM: "Due to other vulnerabilities that we have detected within Cordova, such code can exfiltrate information back to the attacker, such as their login credentials, allowing attackers to impersonate them, access their accounts and even make purchases on their behalf."

IBM has privately reported the vulnerabilities to the Cordova team, which has released patches for the latest Cordova version 3.5.1.

News of the exploit comes as new research among 2000 UK adults by Intercede, found that 53% of consumers would never use mobile banking services, due to security fears. The survey also found that half avoid money transfer apps, and almost a quarter (24%) would not feel safe shopping on their handsets.

When asked why they were so concerned, respondents cite a lack of trust in current mobile login and authentication options, and worries about identity theft. One respondent said, "I must be confident only I will be able to log in and use them [apps] - at this stage, I just don't trust apps, especially financial ones," while others commented, "I don't want anyone to steal my phone and be able to access my money," and "apps are too hackable".

Comments: (1)

Hitesh Thakkar
Hitesh Thakkar - SME - Fintech startups (APAC and Africa) - India 08 August, 2014, 16:44Be the first to give this comment the thumbs up 0 likes

Sample size of Survey is very low - 2000 and vulnerablity as per IBM and Apache is taken care. There is no direct connect as there is no possibility that, all 10 Android applications are developed using PhoneGap or similar cross platform development tools (e.g. Xamarin)

Considering such disconnect, still survey reflects low confidence due to lack of multi factor authentication methdology. Players like Jumio also has raised similar vulnerability report for ID Theft.