A “major” security weakness in Google’s Android software has let cyber-thieves craft apps that can steal banking logins, a security firm has found.
The bug lets attackers create fake login screens that can be inserted into legitimate apps to harvest data.
More than 60 financial institutions have been targeted by the technique, a survey of the Play store indicated.
Google said it had taken action to close the loophole and was keen to find out more about its origins.
“It targeted several banks in several countries and the malware successfully exploited end users to steal money,” said Tom Hansen, chief technology officer of Norwegian mobile security firm Promon, which found the bug.
The problem emerged after Promon analysed malicious apps that had been spotted draining bank accounts.