The other banks whose apps are being faked are Britain's TSB, Switzerland's Post Finance, Poland's WBK Zachodni and Austrian cryptocurrency exchange Bitpanda, the company said in a blog post.
The fake apps were using bogus forms to obtain credit card details and login credentials, it said.
The opening screen for the fake ANZ app.
ESET's Lukas Stefanko wrote that the fake apps had been around in the Google Play Store since June 2018 and had been downloaded more than a thousand times each before they were removed by Google.
The six fake Android banking apps found by ESET on the Google Play Store.
While the apps do not operate in a uniform manner, when launched they all show screens that ask for credit card details or login credentials. If anyone did provide these details, they were then sent to the attacker's server.
Stefanko offered the following advice to avoid falling victim to these and any other fake banking or financial services apps:
- "Only trust mobile banking and other finance apps if they are linked from the official website of your bank or the financial service;
- "Only download apps from Google Play; this does not ensure the app is not malicious, but apps like these are much more common on third-party app stores and are rarely removed once uncovered, unlike on Google Play;
- "Pay attention to the number of downloads, app ratings and reviews when downloading apps from Google Play;
- "Only enter your sensitive information into online forms if you are sure of their security and legitimacy; and
- "Keep your Android device updated and use a reliable mobile security solution."
Screenshots: courtesy ESET