Over 300,000 devices downloaded banking trojans after falling victim to dropper apps that bypassed Google Play's restrictions. In four months, four families of malware were spread through Google Play.
A trojan is malware that disguises itself as something useful to the user in order to be installed; many trojans are built to steal sensitive information. A banking trojan specifically attempts to steal a user's credentials or otherwise gain access to their financial accounts.
To scale up their attacks, the threat actors developed loaders (droppers) with a minimal malicious footprint in the version published on Google Play, which makes them harder to detect with automated and machine-learning scanning.
Researchers at cybersecurity firm ThreatFabric have detailed how four types of malware were delivered through fake versions of common apps.
These apps posed as QR code scanners, PDF scanners, and cryptocurrency apps. One dropper app alone was installed more than 50,000 times, and the droppers together reached more than 100,000 installations.
The most prolific of these families was Anatsa, an advanced Android banking trojan that steals credentials and captures everything shown on the user's screen, according to ThreatFabric.
How banking trojans infect the device
After the app is installed from Google Play, the user is forced to "update" it in order to continue using it. That update is in fact the Anatsa payload, which is downloaded and installed on the unsuspecting victim's device.
The attackers designed the apps to look legitimate and useful. The apps carry a large number of positive reviews and installations, which convinces the user to install them. Once installed, the apps work as advertised so as to appear legitimate.
After the "update" has been downloaded, the user is asked for permission to install apps from unknown sources. When that installation completes, Anatsa runs on the device and asks the user to grant it Accessibility Service privileges, which give it full control of the device to perform actions on the victim's behalf.
Throughout this process the original app keeps running and behaving like a legitimate app.
Not every device that installs the dropper receives the payload. After the "update" step, the dropper sends information about the device to the attackers' backend, which decides, based on that information, whether to serve the Anatsa payload at all.
This allows the attackers to target devices in specific regions and to easily switch their focus to another area.
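The chain above leaves two static indicators behind: the dropper published on Google Play must be able to install another APK (on Android 8 and later that is the REQUEST_INSTALL_PACKAGES permission behind the "unknown sources" prompt), and the payload it fetches must declare an AccessibilityService. The following is an added example of a triage check over a decoded AndroidManifest.xml (such as apktool produces); it is not ThreatFabric's tooling, and the package names and manifests are constructed samples, not the apps from the report. The caveat it illustrates is the one the article makes about reduced footprint: the dropper alone only shows the install permission, so a Play-store scan never sees the Accessibility declaration that lives in the payload.

```python
"""Heuristic manifest triage for the dropper / payload pattern.

Added example (not ThreatFabric's code). Input is a decoded
AndroidManifest.xml; the manifests below are constructed samples.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Indicators grounded in the infection chain described above.
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"
ACCESSIBILITY_BIND_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"


def _a(attr: str) -> str:
    """Qualify an attribute name with the android: namespace."""
    return f"{{{ANDROID_NS}}}{attr}"


def classify(findings: list) -> str:
    """Map findings to the stage of the chain the manifest resembles."""
    if any(f.startswith("accessibility") for f in findings):
        return "payload-like"
    if any(f.startswith("install") for f in findings):
        return "dropper-like"
    return "none"


def triage_manifest(manifest_xml: str) -> dict:
    """Return package name, indicator findings and a coarse stage label."""
    root = ET.fromstring(manifest_xml)
    perms = {u.get(_a("name")) for u in root.iter("uses-permission")}
    findings = []
    if INSTALL_PERM in perms:
        findings.append("install: can install other APKs (unknown-sources prompt)")
    for svc in root.iter("service"):
        binds = svc.get(_a("permission")) == ACCESSIBILITY_BIND_PERM
        actions = {act.get(_a("name")) for act in svc.iter("action")}
        if binds or ACCESSIBILITY_ACTION in actions:
            findings.append(f"accessibility: service {svc.get(_a('name'))}")
            break
    return {"package": root.get("package"),
            "findings": findings,
            "stage": classify(findings)}


# Constructed sample: what the dropper on the store would look like.
# Only the install permission stands out; nothing here drives a UI.
DROPPER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.qrscanner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="QR Scanner">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

# Constructed sample: the fetched "update", which declares the
# AccessibilityService the trojan needs to act on the victim's behalf.
PAYLOAD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.update">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Update">
    <service android:name=".AccService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: an ordinary camera app with neither indicator.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.camera">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Camera">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for label, xml in (("dropper", DROPPER_MANIFEST),
                       ("payload", PAYLOAD_MANIFEST),
                       ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(xml))
```

Neither indicator is malicious on its own (app stores and screen readers legitimately use both), so the result is a triage score to prioritise dynamic analysis, not a verdict. Because the backend only serves the payload to selected devices, the payload manifest typically has to be obtained from an infected device or by replaying the dropper's update request, not from the store listing.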
The second family is Alien, which can also intercept two-factor authentication codes and has been active for over a year. As with Anatsa, users are asked to install a fake update that delivers the payload.
The other two families, Hydra and Ermac, used similar methods. Both give the attackers access to the device in order to steal banking information. ThreatFabric reported all of the malicious apps to Google.