Millions of people are using Android apps that can be tricked into revealing personal data, research indicates.
Scientists tested 13,500 Android apps and found almost 8% failed to protect bank account and social media logins.
These apps failed to implement standard scrambling systems, allowing "man-in-the-middle" attacks to reveal data that passes back and forth when devices communicate with websites.
Google has yet to comment on the research and its findings.
Researchers from the security group at Leibniz University of Hanover and the computer science department at the Philipps University of Marburg tested the most popular apps in Google's Play store.
By creating a fake wi-fi hotspot and using a specially created attack tool to spy on the data the apps sent via that route, the researchers were able to:
- capture login details for online bank accounts, email services, social media sites and corporate networks
- disable security programs or fool them into labelling secure apps as infected
- inject computer code into the data stream that made apps carry out specific commands
An attacker could even re-direct a request to transfer funds, while making it look to the app user like the transaction was proceeding unchanged.
Some of the apps tested had been downloaded millions of times, the researchers said.
And a follow-up survey of 754 people suggests users could struggle to spot when they were at risk.
"About half of the participants could not judge the security state of a browser session correctly," the researchers wrote.
"Most importantly, research is needed to study which counter-measures offer the right combination of usability for developers and users, security benefits and economic incentives to be deployed on a large scale."