Android Apps Vulnerable to Code Modification

Banks

Bank of America
(10 Million)

Notified 2-7-15
No reply
Still vulnerable on 5-22-15
Still vullnerable on 6-14-15

Details & PoC

Bancorp
(10,000)

Notified 2-26-15
No reply
Last update 4-26-14
Still vulnerable 5-22-15
Details & PoC

Capital One
(5 Million)

Notified 2-26-15
No reply
Still vulnerable on 5-22-15
Details & PoC

Chase Manhattan
(10 Million)

Notified 2-9-15
Twitter acknowledgement
Still vulnerable on 5-22-15
Fixed in 6-8-15 update!
Details & PoC

Citibank
(1 Million)

Notified 2-26-15
No reply
Last update 2-5-15
Still vulnerable on 5-22-15
Details & PoC

M&T Bank
(100,000)

Notified 2-27-15
Acknowledged
Fixed in 4-23-15 update!
Details & PoC

SunTrust
(1 Million)

Notified 2-25-15
Promised to fix it
Still vulnerable on 5-22-15
Details & PoC

Wells Fargo
(10 Million)

Notified 2-19-15
No reply
Fixed in 5-6-15 update!
Details & PoC

Stock Trading

Charles Schwab
(100,000)

Notified 2-22-15 via Twitter and CEO
Promised to fix it
Still vulnerable 5-22-15
Still vulnerable 7-12-15
Details & PoC

OptionsXpress
(50,000)

Notified 2-22-15
Semi-automated reply
Still vulnerable on 5-23-15
Still vulnerable 6-13-15
Details & PoC

Scottrade
(100,000)

Notified 3-2-15
Automated reply only
Still vulnerable 5-22-15
Details & PoC

ShareBuilder Mobile
by CapitalOne
(100,000)

Notified 2-22-15
No reply
Last updated 1-15-15
Still vulnerable 5-22-15
Details & PoC

TD Ameritrade
(100,000)

Notified 2-21-15
No reply
Still vulnerable on 5-22-15
Much WORSE in 5-21-15 update
Details & PoC

TradeKing
(50,000)

Notified 2-22-15
No reply
Fixed on 5-22-15!
Details & PoC

TradeStation
(10,000)

Notified 2-22-15
Automated reply
Still vulnerable on 5-22-15
Details & PoC

Insurance

Allstate
(500,000)

Notified 3-6-15
Two automated replies
Still vulnerable on 5-22-15
Details & PoC

GEICO
(1 Million)

Notified 3-6-15
Has a vulnerability report page
Promised to fix it but didn't
Still vulnerable on 5-12-15
Still vulnerable on 7-12-15
Details & PoC

Nationwide
(100,000)

Notified 3-8-15
Automated replies, content ignored
Still vulnerable on 5-22-15
Details & PoC

Progressive
(1 Million)

Notified 3-8-15
"Forwarded to developers"
Still vulnerable on 5-22-15
Details & PoC

Transamerica
(10,000)

Notified 4-10-15
No reply
Last update 11-18-13
Still vulnerable 5-22-15
Still vulnerable 6-13-15
Details & PoC

Tax Preparers

TurboTax
(500,000)

Notified 2-6-15
Has a vulnerability report page
No reply
Still vulnerable 5-22-15
Still vulnerable 6-13-15
Details & PoC

Security Apps

AIG MobileGuard
Inhance Technology

Notified 3-8-15
No longer in Google Play on 5-18-15
Details & PoC


Posted 3-11-15 by Sam Bowne
Updated with many more companies 5-22-15
Updated with BofA fix, TDA made worse, and several unchanged 6-13-15
Updated with BofA still vuln, 6-14-15, 8:22 am
Updated with Geico still vuln 7-12-15