Spyware disguised as Spanish banking apps removed from Google Play

A spyware program fraudulently disguised as a Spanish-language banking app was found last month collecting users' device data and messages, which were later leveraged in smishing schemes.

Advertised as "Movil Secure," the fake app pretends to be associated with multinational Spanish banking group Banco Bilbao Vizcaya Argentaria (BBVA). Published on Oct. 19, the app was discovered by Trend Micro researchers three days later, available for download on Google Play.

Shortly thereafter, Google removed Movil Secure in addition to three more apps from the same developer with the same malicious functionality, Trend Micro reported in a company blog post today. The three other apps falsely claimed to be affiliated with Spanish banks Evo and Bankia, as well as Compte de Credit, which Trend Micro says isn’t connected to any large financial institution.

Downloaded over 100 times, Movil Secure purported to provide BVVA customers with a mobile banking token service for identity management and transaction authorization purposes. But in reality, the app gathers a device's SMS messages and associated phone numbers, as well as identifying data (device ID, OS version and country code), before sending that information to a command-and-control server.

"This type of information is quite valuable -- SMS is often used by mobile banking apps to confirm or authorize banking transactions," wrote blog post author Echo Duan, mobile threat response engineer at Trend Micro.

Trend Micro reported that the scammers were caught using this data for an SMS-based phishing campaign, with at least one commenter in the app's reviews section complaining that the app targeted his or her bank card.