A malicious application has been removed from the Android Market after it was discovered that it attempted to steal banking details from customers of the First Tech Credit Union.
As reported on the First Tech Credit Union website - via Slashdot - the application, uploaded by a user calling himself Droid09, posed as a useful utility for managing accounts on Android-based mobile devices. While at first glance the application seemed legitimate - and there are mobile banking applications available for the platform - it turned out to be the work of a fraudster who used the application to harvest online banking details.
While the attack wasn't aimed specifically at the First Tech Credit Union, which was founded in 1952 by employees of the Tektronix corporation, the credit union was the first to officially denounce the application - and to alert Google that it should be removed from the Market.
While all of the applications uploaded by Droid09 have been removed since the alert went out, many are seeing the attack as an inevitable consequence of the openness of the Android platform. Unlike the iPhone App Store, which has a rigorous vetting process that helps to prevent malicious applications from being made available, the Android Market has far fewer restrictions and is open to anyone who is willing to pay a $25 fee to become a publisher. While this provides more flexibility, it also provides a channel for attacks - as exploited by user Droid09.
So far there has been no comment from Google on how - or if - it plans to prevent this kind of occurrence in the future, without jeopardising the freedom offered to Android developers.
Are you surprised it's taken this long for a truly malicious application to hit the Android platform, or does this justify Apple's approach to application security?