Mobile banking once entailed little beyond the ability to receive a text message with your account balance. But these days, it's finally starting to live up to its name. Virtually every large bank and many regional banks and credit unions have rolled out applications that allow their clients to use mobile phones for fund transfers, bill payments and even check deposits.

But with the increasing popularity and convenience of mobile-banking apps comes a big caveat: the risk of downloading and installing a fraudulent application that could steal your account information and, potentially, any other data stored on your mobile device. In other words, the next generation of phishing scams is about to explode, and it has the potential to do much more damage than earlier versions.

The trend is still in its infancy, but there have already been instances of potential fraud. In January 2010, Google pulled 50 applications from its Android Market in response to concerns that they might be malicious. All apps were uploaded by the same developer and claimed to offer access to bank accounts from a variety of institutions, from big names such as JPMorgan Chase, HSBC, U.S. Bank, USAA and ING to local credit unions.

"Smart phones are extremely prolific right now, and there is opportunity there for criminals to be seeding stores with applications intended to capture personal information," says Nick Holland, a senior analyst at Aite Group, a market research firm. "We're on the tip of an explosion in terms of bad apps."

Even more worrisome, fraudulent apps may be more difficult to spot than were the fake websites used by phishing scammers. An unusual address, or URL, could easily flag a website as fake, but that's not the case with smart-phone applications. And the fact that an application is available through an app store gives it an aura of credibility, Holland says.

Google declined to comment on the incident, and it isn't known just how many consumers have downloaded those apps. Scott Moeller, the chief executive officer of mShift, a company that develops applications for about 200 banks and credit unions, estimates that number to be below 1,000. (At least one of mShift's clients was among the affected institutions.)

The apps were priced in U.K. pounds (at 0.99 each, or about $1.50), which must have kept U.S. consumers at bay, Moeller says. That would probably not have been the case if they had been free or priced in U.S. dollars.

"There's a yearning for mobile applications," Moeller says. "You could put out 50 apps at once, and people would start downloading them immediately."

The issue has already gotten the attention of banks' fraud departments, which are charged with monitoring for such incidents and warning customers. And it works both ways: Sometimes it's customers who flag potential fraud. Paul Berry, a spokesman for USAA, says the bank found out about the December 2009 Android incident "almost immediately" from a bank member.

"We have a fraud department that covers the vast range of banking fraud and insurance fraud -- and we have members who'll call us and let us know," he says.