A “major” security weakness in Google’s Android software has let cyber-thieves craft apps that can steal banking logins, a security firm has found.
The bug lets attackers create fake login screens that can be inserted into legitimate apps to harvest data.
More than 60 financial institutions have been targeted by the technique, a survey of the Play store indicated.
Google said it had taken action to close the loophole and was keen to find out more about its origins.
“It targeted several banks in several countries and the malware successfully exploited end users to steal money,” said Tom Hansen, chief technology officer of Norwegian mobile security firm Promon, which found the bug.
The problem emerged after Promon analysed malicious apps that had been spotted draining bank accounts.
Called Strandhogg, the vulnerability can be used to trick users into thinking they are using a legitimate app but are actually clicking on an overlay created by the attackers.
“We’d never seen this behaviour before,” said Mr Hansen.
“As the operating system gets more complex it’s hard to keep track of all its interactions,” he said. “This looks like the kind of thing that gets lost in that complexity.”
Promon worked with US security firm Lookout to scan apps in Android’s Play store to see if any were being abused via the Strandhogg bug.
They found that 60 separate financial institutions were being targeted via apps that sought to exploit the loophole. Lookout said it found criminals used variants of a well-known malicious money-stealing app known as bankbot.
In a statement, Google said: “We appreciate the researchers’ work, and have suspended the potentially harmful apps they identified.”
It added: “Additionally, we’re continuing to investigate in order to improve Google Play Protect’s ability to protect users against similar issues.”
Promon’s chief technology officer welcomed Google’s response, as he said many other apps were potentially exploitable via the spoofing bug. However, Mr Hansen said the danger from the bug was not entirely extinguished.