
Mobile banking once entailed little beyond the ability to receive a text message with your account balance. But these days, it's finally starting to live up to its name. Virtually every large bank and many regional banks and credit unions have rolled out applications that allow their clients to use mobile phones for fund transfers, bill payments and even check deposits.

But with the increasing popularity and convenience of mobile-banking apps comes a big caveat: the risk of downloading and installing a fraudulent application that could steal your account information and, potentially, any other data stored on your mobile device. In other words, the next generation of phishing scams is about to explode, and it has the potential to do much more damage than earlier versions.

The trend is still in its infancy, but there have already been instances of potential fraud. In January 2010, Google pulled 50 applications from its Android Market in response to concerns that they might be malicious. All apps were uploaded by the same developer and claimed to offer access to bank accounts from a variety of institutions, from big names such as JPMorgan Chase, HSBC, U.S. Bank, USAA and ING to local credit unions.

"Smart phones are extremely prolific right now, and there is opportunity there for criminals to be seeding stores with applications intended to capture personal information," says Nick Holland, a senior analyst at Aite Group, a market research firm. "We're on the tip of an explosion in terms of bad apps."

Even more worrisome, fraudulent apps may be more difficult to spot than were the fake websites used by phishing scammers. An unusual address, or URL, could easily flag a website as fake, but that's not the case with smart-phone applications. And the fact that an application is available through an app store gives it an aura of credibility, Holland says.

Google declined to comment on the incident, and it isn't known just how many consumers have downloaded those apps. Scott Moeller, the chief executive officer of mShift, a company that develops applications for about 200 banks and credit unions, estimates that number to be below 1,000. (At least one of mShift's clients was among the affected institutions.)

The apps were priced in U.K. pounds (at 0.99 each, or about $1.50), which must have kept U.S. consumers at bay, Moeller says. That would probably not have been the case if they had been free or priced in U.S. dollars.

"There's a yearning for mobile applications," Moeller says. "You could put out 50 apps at once, and people would start downloading them immediately."

The issue has already gotten the attention of banks' fraud departments, which are charged with monitoring for such incidents and warning customers. And it works both ways: Sometimes it's customers who flag potential fraud. Paul Berry, a spokesman for USAA, says the bank found out about the December 2009 Android incident "almost immediately" from a bank member.

"We have a fraud department that covers the vast range of banking fraud and insurance fraud -- and we have members who'll call us and let us know," he says.

Companies that own the application marketplaces say they, too, are on the watch for fraudulent apps. At Apple, the policy is to vet each application before it appears in the App Store. But no system is foolproof. For example, there are apps for so-called jail-broken iPhones, which are unlocked in order to allow the use of other networks besides AT&T or to download applications sold on third-party marketplaces. The practice makes the compromised phones more prone to fraud. Apple spokeswoman Trudy Muller says the company takes security "very seriously and has a great track record of addressing potential vulnerabilities before they can affect users."

Google's Android Market, meanwhile, is considered more open than Apple's App Store and relies on its community to flag fraudulent applications, Moeller says. While Google removes apps that violate its policy, that's only after they have appeared on the company's marketplace, where they could have been downloaded and installed by customers.

"The Android Market content policy clearly states that we do not allow applications on Android Market to identify themselves with third-party marks (of conformity) without permission," a Google spokeswoman says. "If an application violates the content policy, we will remove it from Android Market, and developer accounts will be terminated for repeated violations."

There are a few steps consumers can take to avoid this new type of fraud. You could download your bank's application through its own website. A legitimate application will require you to go through an authentication process to register your phone and create an original user name and password, says Emmett Higdon, a senior analyst with Forrester Research who covers online and mobile financial services.

Or you could use your phone's browser to link directly with your bank's website instead of downloading an application, Moeller says.

Ultimately, it will be up to the banks and wireless companies to detect this type of fraud and keep it from reaching their customers in the first place. "This is part of the natural progression of rolling out a new channel," Higdon says. "We went through this with online banking and will go through this all over again with mobile banking."

This article was reported by Aleksandra Todorova for SmartMoney.