Fake ANZ and CBA apps which may have tricked hundreds of users to hand over their login credentials and credit card details were published, then taken down in June without either bank being forced to tell their customers.
The fake apps were spotted by ESET, an international group of security researchers, and posted on its website, www.welivesecurity.com.
It's not the first time ESET has found fake apps impersonating banks from all over the world, but this time, here are the top two on its list of six:
Note: The ANZ tells us the malicious ANZ app was actually called "PayOnGo".
The other four are from banks in the UK, Switzerland and Poland and an Austrian cryptocurrency exchange.
Download and use them and ESET says you're at risk of handing over your credit card details and login credentials which can then be used to access legitimate services. Here's the landing page for the fake ANZ app:
ESET said the apps were downloaded "more than a thousand times" between when they first appeared on Google Play on June 18 and when they were eventually taken down.
Because the banks were impersonated rather than directly hacked, the scam falls outside the Notifiable Data Breaches Act introduced in February this year. So while potentially hundreds of customers were using the fake apps, the ANZ and CBA were not obliged to tell the public or notify authorities.
Nick FitzGerald, senior research fellow at ESET, told Fairfax Media that Google was alerted "two weeks ago". But ANZ confirmed to Fairfax that its app had been taken down in June "in a few hours" after a customer alerted it to the problem.
A spokesperson from the CBA confirmed that no alert was sent out to customers after the fake app was discovered, but told BI that its customers were protected against such scams.
The spokesperson said the proliferation of fake apps was such that sending alerts for all of them would be unrealistic. Instead, the CBA offers a "100% Security Guarantee against unauthorised transactions where customers are not at fault".
"Commonwealth Bank invests in state of the art fraud prevention and detection technology and has dedicated teams who actively monitor unusual or suspicious activity," it said.
"If a customer notices an unusual transaction on their account, they should contact us on 13 2221 immediately to report it."
ESET found the fake apps during "routine checks" it conducted, but FitzGerald said it was actually rare for fake banking apps to pass Google's own automated tests.
"The apps were uploaded under different developer names, each using a different guise," ESET's Lukas Stefanko said. "However, code similarities suggest the apps are the work of a single attacker.
"The apps use obfuscation, which might have contributed to their slipping into the store undetected."
ESET's post ends with advice on how to avoid falling for fake-app phishing scams like these in the future.
CBA said its apps were published by “Commonwealth Bank of Australia” or “CommSec”. MasterCard publishes two apps for business merchants, “CommBank Simplify Controls” and “CommBank Simplify Payments”, on its behalf.