CaptureMe: Attacking the User Credential in Mobile Banking Applications

Recently, the wide use of smart devices (phones and tablets) encourage financial institution to consider mobile banking applications as a necessity service to their clients. In this paper, we propose a screenshot attack "CaptureMe" to investigate the security risks of the password visibility feature on Android platform with the mobile banking applications. In CaptureMe attack we used different known techniques to take screenshot images and we applied highly efficient Optical Character Recognition (OCR) analysis using tesseract-ocr engine to extract the user credential from the taken screenshot images. We also explore the possible protection mechanisms against CaptureMe with more than 130 mobile banking applications exist in Google play store.