Android Apps Vulnerable to Code Modification

Banks

Bank of America
(10 Million)

Notified 2-7-15
No reply
Still vulnerable on 5-22-15
Still vulnerable on 6-14-15

Details & PoC

Bancorp
(10,000)

Notified 2-26-15
No reply
Last update 4-26-14
Still vulnerable on 5-22-15
Details & PoC

Capital One
(5 Million)

Notified 2-26-15
No reply
Still vulnerable on 5-22-15
Details & PoC

Chase Manhattan
(10 Million)

Notified 2-9-15
Twitter acknowledgement
Still vulnerable on 5-22-15
Fixed in 6-8-15 update!
Details & PoC

Citibank
(1 Million)

Notified 2-26-15
No reply
Last update 2-5-15
Still vulnerable on 5-22-15
Details & PoC

M&T Bank
(100,000)

Notified 2-27-15
Acknowledged
Fixed in 4-23-15 update!
Details & PoC

SunTrust
(1 Million)

Notified 2-25-15
Promised to fix it
Still vulnerable on 5-22-15
Details & PoC

Wells Fargo
(10 Million)

Notified 2-19-15
No reply
Fixed in 5-6-15 update!
Details & PoC

Stock Trading

Charles Schwab
(100,000)

Notified 2-22-15 via Twitter and CEO
Promised to fix it
Still vulnerable on 5-22-15
Still vulnerable on 7-12-15
Details & PoC

OptionsXpress
(50,000)

Notified 2-22-15
Semi-automated reply
Still vulnerable on 5-23-15
Still vulnerable on 6-13-15
Details & PoC

Scottrade
(100,000)

Notified 3-2-15
Automated reply only
Still vulnerable on 5-22-15
Details & PoC

ShareBuilder Mobile
by Capital One
(100,000)

Notified 2-22-15
No reply
Last updated 1-15-15
Still vulnerable on 5-22-15
Details & PoC

TD Ameritrade
(100,000)

Notified 2-21-15
No reply
Still vulnerable on 5-22-15
Much WORSE in 5-21-15 update
Details & PoC

TradeKing
(50,000)

Notified 2-22-15
No reply
Fixed on 5-22-15!
Details & PoC

TradeStation
(10,000)

Notified 2-22-15
Automated reply
Still vulnerable on 5-22-15
Details & PoC

Insurance

Allstate
(500,000)

Notified 3-6-15
Two automated replies
Still vulnerable on 5-22-15
Details & PoC

GEICO
(1 Million)

Notified 3-6-15
Has a vulnerability report page
Promised to fix it but didn't
Still vulnerable on 5-12-15
Still vulnerable on 7-12-15
Details & PoC

Nationwide
(100,000)

Notified 3-8-15
Automated replies, content ignored
Still vulnerable on 5-22-15
Details & PoC

Progressive
(1 Million)

Notified 3-8-15
"Forwarded to developers"
Still vulnerable on 5-22-15
Details & PoC

Transamerica
(10,000)

Notified 4-10-15
No reply
Last update 11-18-13
Still vulnerable on 5-22-15
Still vulnerable on 6-13-15
Details & PoC

Tax Preparers

TurboTax
(500,000)

Notified 2-6-15
Has a vulnerability report page
No reply
Still vulnerable on 5-22-15
Still vulnerable on 6-13-15
Details & PoC

Security Apps

AIG MobileGuard
Inhance Technology

Notified 3-8-15
No longer in Google Play on 5-18-15
Details & PoC

Posted 3-11-15 by Sam Bowne
Updated with many more companies 5-22-15
Updated with BofA fix, TDA made worse, and several unchanged 6-13-15
Updated with BofA still vuln, 6-14-15, 8:22 am
Updated with Geico still vuln 7-12-15
Typo fixed 8-11-2020