We present a security analysis of eight Brazilian mobile banking applications in the Android platform, spanning 30 months. The scope included security aspects of the application, server configuration, and connection between app and server. We demonstrate server impersonation attacks against most banks, allowing an attacker to obtain sensitive data.