The Reserve Bank of India (RBI) has cautioned investors using the RBI retail direct platform (an online government bond buying platform) about the possible existence of fake Apps on the Android or iOS platform and how they should remain vigilant.
The RBI retail direct can only be accessed through a browser; no App for it exists on either the Android or the iOS platform.
“There have been several instances of cyber fraudsters using malicious Android Applications sent through SMS and Email,” RBI said in an email to users.
The RBI retail direct is a website for purchasing government bonds, including treasury bills, where investors can buy and hold these bonds completely online for as little as Rs 10,000.
RBI’s Cautionary Note To Investors
RBI said that cyber criminals may run multiple social engineering campaigns, such as cashback or know-your-customer (KYC) offers, to lure unsuspecting investors. Their ultimate goal is to use these fake offers to make users download the malicious mobile application. Sometimes they reuse the same malicious application, changing only the bank’s logo and name, RBI said.
One could also get forwarded some links with a malicious apk file or any other virus via multiple channels, including SMS, WhatsApp, and others, RBI said.
What typically happens is that when a user clicks on such a link, a new App gets downloaded. This App then asks for permission to access media and to read and write files and SMS, which it then abuses to read the OTPs sent by banks or others without the user’s knowledge.
RBI advised users not to click on such links forwarded to them, and also make a note that there is “NO Android/iOS” application for RBI Retail Direct till date.
RBI also listed out the only three domains of RBI Retail Direct, which can be accessed only through browsers. They are:
Here’s What You Can Do To Remain Extra Vigilant
Pinakin Dave, country manager, India and SAARC, OneSpan Inc., a Chicago-based cyber security company, said that users might sometimes not be able to differentiate a real App from a fake one because the hacker has produced a good-quality copy.
However, subtle differences in execution and design will remain, such as the font size, or the title or description of the App.
“Users should remain vigilant and notice these small changes,” Dave says.
It is also important to note that an App on either Android or iOS should only be downloaded from the official Google Play Store or the App Store. There is a security feature on Android which prevents apps from being installed from unknown sources. Users should ensure that this feature is turned on in their mobile.
Also, they should make a note of the number of users who have downloaded a particular App.
“A fake App will have a recent date or low number of downloads,” the RBI said.
In addition, Android and iOS devices can manage permission settings for each app individually. Users should use that permission manager to see which installed App has access to which parts of their device. Only trusted Apps should have permission to read, write and broadcast SMS, or to access files and media.
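The two checks described above (which installed apps can read SMS, and therefore OTPs, and which have file or media access) can also be run from a PC with a USB-connected Android phone and the Android debug bridge. The script below is an added example, not part of the RBI advisory or OneSpan's material: it parses the text that `adb shell dumpsys package` prints for each package and lists every package holding a granted SMS or storage permission, then separates out the ones that are not on a user-supplied trusted list (the default messaging app, for instance). The sample dumpsys text embedded in it is constructed to approximate the real format, and the package name `com.example.fakebondapp` is invented for the illustration.

```python
import re
from typing import Dict, List, Set

# The permission groups the advisory singles out: SMS access (which lets an
# app read incoming OTPs) and file/media access.
SENSITIVE_PERMISSIONS: Set[str] = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.BROADCAST_SMS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# "Package [com.foo.bar] (hash):" opens each package block in dumpsys output.
PACKAGE_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
# Granted/denied lines look like "android.permission.READ_SMS: granted=true, ...".
GRANT_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")

# Constructed sample approximating `adb shell dumpsys package` output:
# a real messaging app, an invented fake "bond" app, and a notepad that
# asked for SMS access but was denied it.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.android.messaging] (1a2b3c):
    userId=10042
    requested permissions:
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true
      runtime permissions:
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
        android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
  Package [com.example.fakebondapp] (4d5e6f):
    userId=10117
    requested permissions:
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
      android.permission.READ_EXTERNAL_STORAGE
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true
      runtime permissions:
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
        android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
        android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
  Package [com.example.notepad] (7a8b9c):
    userId=10120
    User 0: installed=true
      runtime permissions:
        android.permission.READ_SMS: granted=false, flags=[ USER_SET ]
"""


def granted_sensitive(dumpsys_text: str) -> Dict[str, List[str]]:
    """Map each package to the sensitive permissions actually granted to it.

    Only "granted=true" lines count; a permission that is merely requested
    (listed under "requested permissions:") or denied is ignored.
    """
    found: Dict[str, Set[str]] = {}
    current = None
    for line in dumpsys_text.splitlines():
        pkg = PACKAGE_RE.match(line)
        if pkg:
            current = pkg.group(1)
            continue
        if current is None:
            continue
        grant = GRANT_RE.match(line)
        if grant and grant.group(2) == "true" and grant.group(1) in SENSITIVE_PERMISSIONS:
            found.setdefault(current, set()).add(grant.group(1))
    return {pkg: sorted(perms) for pkg, perms in found.items()}


def flag_untrusted(granted: Dict[str, List[str]], trusted: Set[str]) -> Dict[str, List[str]]:
    """Keep only packages that hold sensitive permissions and are not on the trusted list."""
    return {pkg: perms for pkg, perms in granted.items() if pkg not in trusted}


if __name__ == "__main__":
    # Assumed trusted list: the phone's default messaging app.
    trusted = {"com.android.messaging"}
    for pkg, perms in flag_untrusted(granted_sensitive(SAMPLE_DUMPSYS), trusted).items():
        print(f"REVIEW {pkg}: {', '.join(p.rsplit('.', 1)[1] for p in perms)}")
```

On a real device, feed the script the output of `adb shell dumpsys package` (or of `adb shell dumpsys package <name>` for one package) instead of the constructed sample; `adb shell pm list packages -3` gives the list of third-party packages to concentrate on. Any package that is not the phone's messaging app yet holds a granted READ_SMS or RECEIVE_SMS is exactly the case the advisory warns about, and its permission can be revoked from the phone's permission manager or the app uninstalled.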
“Always keep an updated Antivirus security solution installed on your mobile phone. mKAVACH is a free App issued by government to protect mobile devices from major threats. If your mobile phone is infected with malware, reset your phone to factory settings to remove any malware,” RBI further said.