Made in Russia? All of the top 100 Android apps have been hacked - and banking apps are top targets

100 out of the top 100 Android apps have been hacked - and often repackaged with “extra” ingredients such as software which steals private information such as photos and passwords.

More and more of us use our smartphones and tablets for far more than communication - apps allow us to use Android and iOS devices in the workplace, for shopping, and even for banking.

Ofcom predicts that nearly all British households will use a tablet device by 2014.

But a new report suggests that cybercriminals have also focused on mobile - with tests showing that 100 out of the top 100 Android apps have been hacked - and often repackaged with “extra” ingredients such as software which steals private information such as photos and passwords.

Some have been downloaded by unwitting users hundreds of thousands of times - and remain on their devices even now.

More worryingly still, more than half of banking apps have been hacked - 53% of the 20 tested on Android, and 40% of those on iPhone.

Such hacked apps can be used as part of hi-tech cyber attacks where an infected PC persuades a bank user to ‘update’ their app - and both the PC and the app reassure them nothing is going wrong, while gangs of thieves empty their bank account.

The rapidly spreading Hesperbot Trojan uses exactly this tactic - but users can also fall victim through simple mistakes. Google’s Play store isn’t hand-vetted, unlike Apple’s - as with YouTube, the company removes “bad” content in response to complaints.

Kevin Morgan, chief technology officer at app security company Arxan, which conducted the research, said that on Play, it’s perfectly possible for anyone to upload an app with the name and logo of a real bank - Lloyds, say, or Barclays.

The criminals rely on it remaining there long enough for victims to be snared - and often, sadly, this works.

"During our research we discovered that some of the hacked versions have been downloaded over half a million times,” said Morgan.

“Mobile financial apps are very fallible,” the report said. “Financial services app owners will commonly deploy on multiple mobile platforms to ensure their new mobile services can reach the majority of their total customer base. Evident in this finding is that these innovative apps are likely targets of hackers, as these apps may support monetary transactions. This high-risk category, especially with regards to mobile banking and payment applications, requires extra vigilance.”

The tricks cybercriminals use to lure their victims are getting cleverer - for instance, this year, the eagerly awaited BlackBerry Messenger app for Android appeared on Google Play, bang on the rumoured release date.

There was just one, tiny problem - BlackBerry had announced that the date had changed, and the app was a fake, made by criminals. It was downloaded 100,000 times before it was removed.

The damage these apps can do is also evolving. ‘Fake’ apps often used to make money by subscribing users to premium SMS services, or secretly making long calls abroad - but now, a fake can rifle through a phone for banking information, passwords, and even control the phone’s camera.

Users of older and cheaper Android phones are most at risk - even if there is a known security flaw, they will often not receive a “fix” from their network, due to the huge number of different phones, networks and versions of Android out there.

In China, where most phone users rely on Android, the number of malicious programs has multiplied by 25 times in less than two years, including “spyware” designed to steal information. The trend for people “bringing their own” phones to work makes mobiles even more attractive to thieves.

"Google Play isn't a vetted app store - it tends to have a lot of rubbish and odd stuff," said Morgan. "Whereas in the Apple Store you're almost certain to see just legitimate apps.”

Morgan said it would be “easy” to insert an app entitled “Bank of America” into Google’s store. The research was based on data accessed in October 2013 and on the Top 100 Paid app lists on the Apple App Store and Google Play. The researchers also analysed 20 popular financial apps for each platform.

Britain’s Financial Conduct Authority warned that banking apps pose a “serious threat” to both banks and their customers. Banks tend to employ large teams of security personnel and the latest in hi-tech systems - so cybercriminals target companies that work with the banks, as a “way in”.

One of this year’s largest cybercrimes, where an international gang of cyber thieves stole $45 million using bank ATMs in a heist spread across 27 countries - withdrawing $4 million in eight hours in New York alone - targeted not the bank itself, but a company which provided prepaid cards. By removing the limits on the cards, the criminals were able to run riot.

App developers, likewise, may be a tempting target - particularly if some of the work is outsourced to other continents. When the front page of the New York Times site was defaced by hacktivist group the Syrian Electronic Army, the attackers “got in” via an Indian company which worked for an Australian company which worked for the newspaper.

“For firms to successfully provide mobile banking services to their customers, they will be dependent on IT systems, technical expertise and detailed knowledge.

“Many of the firms entering this market are using the specialised services of outsourcing partners,” the FCA said. “This leads to the risk that there may be a chain of companies involved in a customer’s transaction, resulting in a greater likelihood of a problem occurring.”

The gangs that commit these crimes often operate across borders - making prosecution difficult - and are highly paid professionals, often with advanced computer skills, who are adept at concealing who - or even where - they are.

U.S. Secretary of Homeland Security Janet Napolitano said that for those dealing with cybercrime, the biggest threat was “the known unknown”.

“We don't have the identity of all the adversaries who are trying to either commit crimes or acts over the cyber networks,” said Napolitano at a cyber defence summit this year. “The things we know about, we can deal with. It's the known unknown.”


HOW TO STAY SAFE

Your bank will not instruct you to download a new app via email, or by phone. If this happens, call your bank, using a number you find yourself (i.e. not one from their email). Updates are distributed via official app stores such as Google Play.

You are safer on iPhone - but not totally safe. Arxan found that 56% of the top 100 iPhone apps had been hacked - with cybercriminals aiming to entrap “jailbreakers”.

Security companies have been guilty of hyping the threats of malware on phones in the past, but it’s now very real. 21% of British internet users have been the victims of mobile cybercrime, according to Norton’s Cybercrime Report.

You may be infected and not know it - some of the most prolific “bad” apps are modified versions of ‘real’ apps, or free apps, which have aggressive ad networks built in. These can make adverts appear throughout your smartphone - and can potentially send private information, such as location details and contact info to gangs. Use of this “madware” has risen 31% in the last year.

Apple’s App Store is usually safe - but Google Play and Amazon’s store require a bit more caution. If it’s a banking app, check what reviewers are saying, check which company made it, and Google it to check whether it’s a scam.

The biggest risk comes from installing apps from illegal sources, or from unofficial app stores such as Cydia. Do not use these if at all possible.

Both Google and Apple have excellent protection systems built into their phones (go to Settings, and ensure you’re using these), but software such as Norton Mobile Security offers another line of defence against “bad” apps - with a constantly running check on apps, which helps protect against advanced threats.

If in doubt, phone your bank - go to their website (not via an email link; type it in yourself), find the number, call, and ask if your app is really what it seems.