Four Android banking trojans have been discovered penetrating the devices of nearly 300,000 devices between August and November. The malware is spreading via the official Google Play Store.
What has happened?
According to ThreatFabric, the malicious apps posed as utility apps and attempted to take full control of the infected devices. These apps are being distributed only to specific regions or at later dates to evade detection.
- The names of the malicious apps are Protection Guard, Master Scanner Live, Gym and Fitness Trainer, CryptoTracker, PDF Document Scanner – Scan to PDF, and Two Factor Authenticator, among others.
- They delivered Anatsa, ERMAC, Alien, and Hydra.
- Moreover, the apps ensured that the payloads were installed only on smartphones devices from certain regions and prevented the malware from being downloaded during the publishing process.
Malicious actions
Once installed, these trojans can steal user passwords, keystrokes, SMS-based two-factor authentication codes, and screenshots.Additionally, they exhaust users’ bank accounts without their knowledge by using the Automatic Transfer System tool.
Additional insights
Even though Google has introduced limitations to restrict the use of accessibility permissions, threat actors use a more traditional way of installing apps using the app marketplace.
- The attackers are now using a technique called versioning to avoid detection. In this, clean versions of apps are uploaded first and then malicious functionalities are wrapped as new app updates.
- Another technique involved the development of look-alike C2 websites that match the theme of the dropper app to bypass the traditional detection methods.
The apps have now been removed from the Play Store but infected users remain at risk.
Conclusion
Cybercriminals keep improving their malware delivery mechanisms to stay undetected. They always come up with new ways to bypass Play Store’s security checks. Thus, experts recommend using a reliable anti-malware app on the smartphone and monitoring app behavior after installation.
Source: https://cyware.com/news/multiple-banking-trojans-on-google-play-infect-thousands-of-devices-ca83bcb3
