A vulnerability that allows cybercriminals to insert malicious code into installed apps via a downloadable update has hit a South Korean online banking app.

Trend Micro has found that the software, from NH Nonghyup Bank, which has been installed on five to 10 million mobile devices, was tweaked to offer a downloadable update from third-party download websites.

The update uses the master key Android vulnerability to insert a malicious file into the app, which leads users to a spoof page asking them to input their bank account information. If entered, this information is sent to a malicious server controlled by the cybercriminal.

The miscreants also offered a version of the legitimate app that had already been ‘trojanised’.

As the scam involved tampering with apps already on devices, the effect may not be noticeable until it is too late. Trend Micro therefore recommends that users download apps or updates only from trusted sources, such as app stores.