The applications distributed by such top banks and financial institutions as Wells Fargo and Bank of America placed various types of information at varying degrees of risk. But at least one Android application, distributed by Wells Fargo, stored an account holder’s user name and password on the phone in cleartext. The application also stored account balances on the phone, according to a security researcher who spoke with the Wall Street Journal.
The applications store the information in the phone’s memory, allowing an attacker to easily glean it from the phone by tricking the user into visiting a malicious website, for example by sending the user a phishing e-mail containing a link to the malicious site.