Android banking malware infects 300,000 Google Play users


Malware campaigns distributing Android Trojans that steal online banking credentials have infected nearly 300,000 devices through malicious apps on the Google Play Store.

Android banking Trojans delivered to compromised devices attempt to steal user credentials when victims log into online banking or cryptocurrency apps. Credential theft is typically done using fake bank login form overlays displayed above the login screens of legitimate apps.

The stolen credentials are then sent back to the attacker’s servers, where they are collected to be sold to other malicious actors or used to steal cryptocurrency and money from victims’ accounts.

Evolving Tactics for Evading Detection

In a new report from ThreatFabric, researchers explain how they discovered four different malware dropper campaigns distributing banking Trojans on the Google Play Store.

While malicious actors infiltrating the Google Play Store with Android banking Trojans are nothing new, recent changes to Google’s policies and increased policing have forced malicious actors to evolve their tactics to evade detection.

This evolution includes the creation of small, realistic-looking apps that focus on common themes like fitness, cryptocurrency, QR codes, and PDF scanning to entice users to install the app. Then, to add more legitimacy to the apps, threat actors create websites that match the theme of the app to help get Google reviews.

Additionally, ThreatFabric has seen these apps distributed only in specific regions or at later dates to further evade detection by Google and antivirus vendors.

“This control from Google has forced actors to find ways to significantly reduce the footprint of dropper apps. Besides improving malicious code efforts, Google Play’s distribution campaigns are also more refined than previous ones,” ThreatFabric researchers explain in their new report.

“For example, by introducing small, carefully planned updates to malicious code over a longer period of time in Google Play, as well as sporting a C2 dropper backend to fully match the theme of the dropper app (for example, a functional fitness website for a training-focused application).”

However, once these “dropper” applications are installed, they communicate silently with the threat actor’s server to receive commands. When ready to distribute the banking Trojan, the threat actor’s server tells the installed application to perform a bogus “update” which “drops” and launches the malware on the Android device.

Fake update installing Android banking Trojan
Source: ThreatFabric
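
The chain described above, a Play-installed app that later installs a second package, can be checked on a device from the installer of record. The following is an added example (not from the original article or ThreatFabric's report) that parses `adb shell pm list packages -i` output; the sample listing and package names are constructed, and it assumes the installer of record reflects the app that requested the install, which varies by Android version and install method.

```python
import re

# Installers treated as trusted app stores (assumption; adjust per fleet).
TRUSTED_STORES = {"com.android.vending"}  # Google Play
LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")

# Constructed sample of `pm list packages -i` output; all package names are made up.
SAMPLE = """\
package:com.example.qrscanner  installer=com.android.vending
package:com.example.update.payload  installer=com.example.qrscanner
package:com.example.notes  installer=com.android.vending
package:com.example.sideloaded  installer=null
package:com.example.tool  installer=com.google.android.packageinstaller
"""

def parse_installers(listing):
    """Map each package to its installer of record (None when unrecorded)."""
    installers = {}
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers

def find_dropper_chains(installers):
    """Return (dropper, payload) pairs: a store-installed app that installed another app."""
    chains = []
    for pkg, src in sorted(installers.items()):
        if src is None or src in TRUSTED_STORES or src == pkg:
            continue  # store installs, unrecorded installers and self-updates are not chains
        if installers.get(src) in TRUSTED_STORES:
            chains.append((src, pkg))
    return chains

def unknown_origin(installers):
    """Packages that came from neither a trusted store nor an identified chain."""
    chained = {payload for _, payload in find_dropper_chains(installers)}
    return sorted(p for p, src in installers.items()
                  if src not in TRUSTED_STORES and p not in chained)

if __name__ == "__main__":
    found = parse_installers(SAMPLE)
    for dropper, payload in find_dropper_chains(found):
        print(f"ALERT: {payload} was installed by Play-installed app {dropper}")
    for pkg in unknown_origin(found):
        print(f"REVIEW: {pkg} has no trusted-store installer")
```

A hit is a lead for review rather than proof of infection, since legitimate apps can also install companion packages.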

16 apps infect 300,000 devices

Since July 2021, ThreatFabric has found these bogus applications dropping four different banking Trojans named “Alien”, “Hydra”, “Ermac” and “Anatsa” through sixteen different applications.

Timeline of malware campaigns on Google Play
Source: ThreatFabric

The “dropper” applications known to be used during these malware dissemination campaigns are:

  • Two-factor authenticator
  • Protection guard
  • QR CreatorScanner
  • Master scanner
  • QR scanner 2021
  • QR scanner
  • PDF Document Scanner – Scan to PDF
  • PDF document scanner
  • Free PDF Document Scanner
  • CryptoTracker
  • Gym and fitness trainer

Other malicious applications installed by the above droppers and their associated banking Trojans are:

  • Master Live Scanner (Alien Trojan)
  • Gym and fitness trainer (Alien Trojan)
  • PDF AI: TEXT RECOGNITION (Anatsa Trojan)
  • QR CreatorScanner (Hydra Trojan)
  • QR CreatorScanner (Ermac Trojan)

During these four months of malicious activity, ThreatFabric discovered that the droppers had been installed 300,000 times, with some individual droppers installed more than 50,000 times.

The number of banks, money transfer apps, cryptocurrency exchanges, cryptocurrency wallets, and messaging services is staggering, with around 537 online sites and mobile apps targeted for credential theft.

Targeted organizations include Gmail, Chase, Citibank, HSBC, Coinbase, Kraken, Binance, KuCoin, CashApp, Zelle, TrustWallet, MetaMask, etc.

Google has since removed all of these malicious apps from the Play Store. If you have installed any of the above apps, you should remove it from your Android device immediately.

Also, due to the evolution of techniques used by Android malware developers, users need to pay more attention to the permissions requested by apps and block installation if they seem too broad.

