(Credit: Sohel Patel)

Some of the largest banks in India are reeling this week after cybersecurity firm Sophos released an in-depth study claiming to have found 12 Android apps that posed as banking apps, stealing account information from thousands of people in the process.

Malicious banking apps were originally spotted in July by another security firm, which caught apps trying to mimic Canara Bank, Syndicate Bank, and Axis Bank -- all banks based in India. Google took those apps down when it was notified but they had been available in the Google Play store for nearly two years, with thousands of downloads.

Now, Sophos says nearly 160,000 people have been affected by an even larger phishing scam. They found 12 apps targeting banking information from customers of State Bank of India (SBI), ICICI Bank, Indian Overseas Bank, Axis Bank, Bank of Baroda, Yes Bank, and Citibank.

"Some of these disguised themselves as Internet banking apps or electronic wallets, appearing to mimic the names or graphic design specifications of existing apps. Several others claimed to provide a unique (and somewhat bizarre) service that promises to withdraw money from your accounts and then deliver the cash right to the user's doorstep," wrote Sophos Labs threat researcher Pankaj Kohli.

"It probably did deliver cash to someone, but the recipient probably wasn't the victim."

According to Sophos, the author of the apps had been creating them since May 2016 and often used photos of Indian actor Amitabh Bachchan or India's Prime Minister Narendra Modi to make the apps seem legitimate and officially endorsed. Many of the apps have identical functions but different exteriors related to different banks.

Kohli added that "all of them send the leaked information to the same command-and-control server, which suggests a single threat actor or a group behind the campaign."

The creators of the thieving apps coaxed users to download them by offering generous -- and often outrageous -- deals like free mobile data, cash-back deals on purchases, or interest-free loans. Sophos highlighted that some of these apps even offered a service they called "e-ATM" which would allow you to send couriers to withdraw money at an ATM for you.

The most recent app to be created by this author was called "All India Digital ATM by Modi" and offered services at the country's 7 largest banks as well as 25 others. When users open the app, they are asked to provide their name, phone number, ATM card number, PIN number, username, and password for online banking, credit card number, or ID card. All the information was then routed somewhere else that was open to hackers and others.

"The recent discoveries of these Android banking malware present a worrisome trend. The threat is underscored by the fact that such malware found and continues to find its way into Google Play, which remains one of the most common sources of Android apps today, used by millions of users worldwide," Kohli wrote.

"Users should pay close attention to the user rating and read user reviews before installing such apps, even when downloading apps from trusted app marketplaces."

Since Sophos released its report, most of the banks named have declined to comment or denied that their users were affected. YES Bank told the Press Trust India that it had started an investigation in its cyber fraud department, and other news outlets claimed the Indian Computer Emergency Response Team had been notified by multiple banks. The only bank to publicly dispute the report is Citibank, which told news outlets in India that its users had not been affected by the breach and that it was contacting Sophos to have them remove their name from the article.

The report is worrying news for online banking customers in India, who already dealt with a massive financial data breach in 2016 which saw the security codes of 3.2 million people released by hackers.

The rise in rogue apps and mobile browser hacking attempts coincides with a rapid growth in the number of financial transactions handled on mobile devices. In August, cybersecurity firm RSA released a chart showing that since 2015, legitimate financial transactions done through mobile browsers or apps grew from only 41 percent of all online transactions to 56 percent.

Hackers have responded accordingly, significantly increasing their attacks through mobile browsers and apps since 2015. RSA found that attacks through apps have grown from only 7 percent of all hacking attempts in 2015 to a whopping 40 percent of all attacks now.


  1. Fraudulent banking apps found in the Google Play Store stole account information from thousands of users in India, according to cybersecurity firm Sophos.
  2. Customers at seven of the largest banks in India have been affected, but many of the banks are denying that any information was stolen.

Jonathan is a Contributing Writer for CNET's He's a freelance journalist based in New York City. He recently returned to the United States after reporting from South Africa, Jordan, and Cambodia since 2013.