Mobile payment apps have become vital for seamless financial transactions, revolutionising money management. Experts predict over 4.8 billion digital wallets by 2025 and transaction values exceeding $16 trillion by 2028. However, security is a growing concern amid rising cyber threats, making data and transaction protection a priority for service providers. Promon, the Norwegian app security firm, analysed 73 of the world’s most-used payment apps to assess their security level and understand how they tackle a common malware-style screen reader attack. Let’s dive in.
Most payment apps aren’t secure
To verify the security of top payment apps, Promon used a screen reader similar to those used against major financial services apps. Its objective was to see if it could retrieve sensitive information from 73 of the world’s most-used payment apps, thereby evaluating their security measures and their ability to thwart common malware-style exfiltration attacks.
Using this methodology, the group found that 77% of the payment apps tested did not have sufficient screen reader protection in place.
The experiment also found that in six apps (8.2%), the screen reader logged the username during the simulated data exfiltration attack. However, the password remained secure in these instances, highlighting a partial vulnerability.
Figure: Majority of financial apps are not safe (Source: Promon)
Just three apps (4.1%) demonstrated robust defence mechanisms against the screen reader’s attempts to access and log user data. These apps effectively thwarted any efforts to log both the username and password. Interestingly, eight of the apps (10.9%) lacked a conventional login page altogether, which made them impervious to data exfiltration attempts via the screen reader. While this could be viewed as a security advantage, it also raises considerations regarding user convenience and functionality.
What developers can do to bolster security
“This is beyond concerning to say the least,” says Benjamin Adolphi, Head of Security Research at Promon. “This is an extremely basic tool that is used regularly alongside common social engineering attacks. Malware that can successfully gain access to a device’s screen and its contents in this way can steal sensitive information, such as passwords and credit card numbers, but also intercept 2FA codes and give the hackers access to other accounts. In more serious cases, bad actors could even take control of the device and bypass other integral security measures. You would like to think that the developers of these apps would be taking the security of their products seriously, but apparently protecting users’ highly sensitive information is but a mere afterthought for the vast majority.”
Developers can enhance security against malicious screen readers using App Shielding technology. They can also take immediate steps such as detecting active screen readers within their apps. However, each response to a detected screen reader has drawbacks: warning messages can be dismissed by malware that already holds accessibility permissions, ignoring screen readers leaves users exposed, and shutting down the app can hinder accessibility for legitimate users and potentially lead to legal issues.
To address these challenges, developers can identify well-known accessibility applications and allow them to operate without shutting down the app. For lesser-known ones, ongoing maintenance is required to recognise legitimate accessibility tools.
Android 14 promises new security features to prevent accessibility service abuse, allowing developers to restrict interactions with specific Views to declared accessibility tools like TalkBack. While this is a positive development, it may take time to roll out. It’s crucial to combine OS features with robust app-level defences for comprehensive user protection.
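As an added illustration of the layered approach described above (example code written for this article, not Promon's or any payment app's own), the following Android/Kotlin sketch classifies the enabled accessibility services against an allowlist of known tools and, on Android 14+, marks a sensitive view so that only services declaring themselves as accessibility tools can read it. The allowlist contents and the function names are assumptions.

```kotlin
import android.accessibilityservice.AccessibilityServiceInfo
import android.content.Context
import android.os.Build
import android.view.View
import android.view.accessibility.AccessibilityManager

// Allowlist of well-known, legitimate accessibility tools by package name.
// This is an assumed starting point (TalkBack's package is shown); the text
// notes it needs ongoing maintenance as new legitimate tools appear.
private val KNOWN_ACCESSIBILITY_TOOLS = setOf(
    "com.google.android.marvin.talkback",
)

enum class ScreenReaderRisk { NONE, KNOWN_TOOL, UNKNOWN_SERVICE }

/** Classify the accessibility services currently enabled on the device. */
fun assessAccessibilityServices(context: Context): ScreenReaderRisk {
    val am = context.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
    val enabled = am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
    if (enabled.isEmpty()) return ScreenReaderRisk.NONE
    var worst = ScreenReaderRisk.KNOWN_TOOL
    for (info in enabled) {
        val pkg = info.resolveInfo.serviceInfo.packageName
        val allowlisted = pkg in KNOWN_ACCESSIBILITY_TOOLS
        // API 33+: a service may declare itself an accessibility tool. Treat this as a
        // weaker signal than the allowlist, since any app can make that declaration.
        val declaresTool = Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU &&
            info.isAccessibilityTool
        if (!allowlisted && !declaresTool) worst = ScreenReaderRisk.UNKNOWN_SERVICE
    }
    return worst
}

/** On Android 14+, hide a view's content from accessibility services that do not
 *  declare themselves as accessibility tools (the OS feature mentioned above).
 *  On earlier versions this is a no-op, so app-level checks still matter. */
fun protectSensitiveView(view: View) {
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
        view.setAccessibilityDataSensitive(View.ACCESSIBILITY_DATA_SENSITIVE_YES)
    }
}

/** Login-screen hook: protect the password field and warn on unknown services.
 *  The app is never shut down, for the accessibility and legal reasons given above;
 *  the warning is a signal to the user, not a barrier malware cannot dismiss. */
fun onLoginScreenShown(context: Context, passwordField: View, showWarning: () -> Unit) {
    protectSensitiveView(passwordField)
    if (assessAccessibilityServices(context) == ScreenReaderRisk.UNKNOWN_SERVICE) showWarning()
}
```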
Key takeaways
- Mobile payment apps are essential for financial transactions, with predictions of 4.8 billion digital wallets by 2025 and $16 trillion in transactions by 2028
- Security is a growing concern due to increasing cyber threats. Promon’s analysis of 73 top payment apps revealed that 77% lacked adequate protection against screen readers
- Developers can enhance security through App Shielding and screen reader detection. Balancing these measures against accessibility needs is crucial to protect sensitive user data in the face of evolving threats