The presence of the applications in question, which according to those with direct knowledge of the situation did not misuse or steal user information, has nonetheless triggered concern among users. The applications were created by a developer known as 09Droid and used the names of various banks, including Chase, Sun Trust and Bank of America.
“The Android Market Content Policy clearly states that we don’t allow applications on Android Market to identify themselves with third-party marks without permission,” a Google spokesperson told eWEEK. “If an application violates the content policy, we will remove it from Android Market, and developer accounts will be terminated for repeated violations.”
First Tech Credit Union warned customers Dec. 22 that a “fraudster developed a rogue Android Smartphone app” that created a shell of mobile banking applications and tried to gain access to consumer information. A similar warning from BayPort Credit Union came the same day; BayPort Credit Union’s mobile bank provider, MShift, notified Google of their concerns Dec. 15.
“For example, we have a policy against inappropriate content, which includes malware,” the Google spokesperson said. “A developer must also abide by our Developer Distribution Agreement in order to upload an application to Android Market. We also may check applications for compliance with the Market Content Policies (in order to remove malware, porn, spam, or profanity).”
Mikko Hypp??Ã©nen, chief research officer at F-Secure, predicted that there will likely be more rogue applications on mobile devices.
“Some of them will try to target online banking, others will try to call premium-rate numbers or send text message spam and so [on],” he said in an e-mail to eWEEK. “Signing and certifying programs are in a key position on smartphone systems to prevent problems like this … [although] we have seen the ‘Signed by Symbian’ certification process subverted a couple of times.”