Update 2: Appvigil has posted a new blog stating its "tech writers accidentally included the name of the app which should have been strictly avoided."
Here's the full statement:
This is about the article we blogged last week which we have taken down as some confidential information was leaked in it.
We pulled an app from Google Play store and scanned it for security vulnerabilities. The report was for internal use only and a generalized report was to be published.
Our tech writers accidentally included the name of the app which should have been strictly avoided.
We are writing to apologize for all the harm that this report has caused to Indian Overseas Bank (IOB). Moreover, we would like to mention that the app we used is not the official net banking app of Indian Overseas Bank. It was just an informational app which has listed the publicly available information about IOB like branches, etc.
We would like to assure IOB users that the said vulnerability was not found in the net banking app of IOB and that they are safe. We would also take extra care that such a mistake is not repeated in future and only the general statistics are shared.
Update 1: We have removed the name of the bank after Appvigil reached out to us stating that mentioning the bank's name may jeopardize the security of current users of the bank's app.
Original Story (removed bank name)
Appvigil, a cloud-based Android app security scanner, has discovered a JavaScript injection vulnerability, also known as cross-site scripting (XSS), in the mobile application of a major Indian bank.
According to Appvigil, the vulnerability becomes really dangerous for Android users of the bank's app if malware with sufficient permissions on the same device performs this attack against the app and steals users' net banking usernames and passwords.
On that basis, Appvigil conducted a small experiment on the Android applications of some of the top Indian banks. They launched the application in an emulated local environment, accessed the application's WebView, and executed JavaScript code in that WebView which dynamically changed the 'About Us' page into a login page. A username and password entered on that page were then logged, and the captured values were accessible from outside the Android application.
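The experiment above works because a WebView that runs script with no restrictions lets any injected JavaScript rewrite the page it is showing. The following is an added example, not code from Appvigil or from any bank's app, showing the permissive WebView configuration that exposes an app to this beside a hardened configuration for a WebView that only needs to render static informational pages. The class name, the `ALLOWED_HOST` value and the `"Android"` interface name are assumptions; the Android APIs used (`WebSettings`, `WebViewClient.shouldOverrideUrlLoading`, `removeJavascriptInterface`) are standard.

```java
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Added example (not Appvigil's or any bank's code). ALLOWED_HOST is an assumed value.
public final class WebViewHardening {

    // Assumed: the only origin this WebView is ever allowed to render.
    private static final String ALLOWED_HOST = "www.example-bank.invalid";

    private WebViewHardening() {}

    /** Permissive pattern: injected script has free rein over whatever page is shown. */
    public static void configurePermissive(WebView webView) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(true);                  // script can rewrite the DOM at will
        s.setAllowFileAccess(true);                    // file:// content can be loaded
        s.setAllowUniversalAccessFromFileURLs(true);   // file:// pages may reach any origin
        // No WebViewClient is set, so navigations are never filtered.
        webView.addJavascriptInterface(new Object(), "Android"); // Java bridge exposed to page script
    }

    /** Hardened pattern: minimum surface for a WebView that shows static pages (branches, contact info). */
    public static void configureHardened(WebView webView) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(false);                 // static pages need no script; nothing can rewrite them
        s.setAllowFileAccess(false);
        s.setAllowContentAccess(false);
        s.setAllowFileAccessFromFileURLs(false);       // deprecated on API 30+, still honoured earlier
        s.setAllowUniversalAccessFromFileURLs(false);
        s.setMixedContentMode(WebSettings.MIXED_CONTENT_NEVER_ALLOW);
        s.setDomStorageEnabled(false);
        webView.removeJavascriptInterface("Android");  // defensive: make sure no bridge is left exposed
        WebView.setWebContentsDebuggingEnabled(false); // no remote debugging in release builds
        webView.setWebViewClient(new WebViewClient() {
            // WebResourceRequest overload requires API 24+.
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                return !isAllowed(request.getUrl());   // returning true blocks the navigation
            }
        });
    }

    /** Allow only https to the single expected host; every other scheme or host is refused. */
    static boolean isAllowed(Uri url) {
        return url != null
                && "https".equalsIgnoreCase(url.getScheme())
                && ALLOWED_HOST.equalsIgnoreCase(url.getHost());
    }
}
```

The defensive point is twofold: with JavaScript disabled, there is no script context in which injected code could turn an informational page into a login form, and the allowlisting `WebViewClient` stops the WebView from being steered to any page outside the expected origin. Where a WebView genuinely needs script, keep it off the screens that collect credentials, and never register a `JavascriptInterface` that is not strictly required.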
Recent reports have also said cyber criminals are targeting financial institutions. Read: Mobile app developers slow to address security concerns: McAfee report
Another F-Secure report said that banking-related malware has consistently topped the chart in India. The 'Ramnit' malware steals bank usernames and passwords and spreads mostly through removable USB drives. Read: New Delhi among top malicious cities in 2014: F-Secure report