Google Play apps downloaded 300,000 times stole bank credentials
Researchers said they discovered a batch of apps downloaded from Google Play more than 300,000 times before the apps turned out to be banking Trojans that surreptitiously siphoned off user passwords and two-factor authentication codes, logged keystrokes, and took screenshots.
The apps, which bill themselves as QR scanners, PDF scanners, and cryptocurrency wallets, belonged to four separate Android malware families that were distributed over four months. They used several tricks to get around restrictions that Google devised in an attempt to curb the endless distribution of scam apps in its official marketplace. These limitations include restricting the use of accessibility services for visually impaired users to prevent the automatic installation of applications without the user’s consent.
“What makes these Google Play distribution campaigns very difficult to detect from an automation (sandbox) and machine learning perspective is that the dropper apps all have a very small malicious footprint,” researchers from mobile security firm ThreatFabric wrote in a post. “This small footprint is a (direct) consequence of the permission restrictions enforced by Google Play.”
Instead, the campaigns typically delivered a benign app at first. Once the app was installed, users received messages asking them to download updates that installed additional features. The apps often required the updates to be downloaded from third-party sources, but by then many users trusted them. Most of the apps were initially not detected by any of the malware scanners available on VirusTotal.
The apps also stayed under the radar by other means. In many cases, the operators pushed the malicious update manually, only after checking the geographic location of the infected phone, or rolled it out to phones incrementally.
“This incredible focus on avoiding unwanted attention makes automated malware detection less reliable,” the post from ThreatFabric explained. “This consideration is confirmed by the very low overall VirusTotal score of the 9 droppers we studied in this blog post.”
The malware family responsible for the most infections is known as Anatsa. This “fairly advanced Android banking Trojan” offers a variety of capabilities, including remote access and an automatic transfer system, which automatically empties victims’ accounts and sends the contents to accounts owned by the malware operators.
The researchers wrote:
The infection process with Anatsa looks like this: at the start of the installation from Google Play, the user is forced to update the app in order to continue using the app. At this moment, [the] Anatsa payload is downloaded from the C2 server(s) and installed on the unsuspecting victim’s device.
The actors behind this have taken care to make their apps look legitimate and useful. There are a large number of positive reviews for the apps. The number of installations and the presence of reviews can convince Android users to install the app. In addition, these applications indeed have the claimed functionality; after installation they work normally and further convince [the] victim [of] their legitimacy.
Despite the overwhelming number of installations, not all devices that these droppers are installed on will receive Anatsa, as the actors have made efforts to target only the regions they are interested in.
The three other malware families the researchers discovered were Alien, Hydra, and Ermac. One of the droppers used to download and install the malicious payloads is known as Gymdrop. It used filter rules based on the model of the infected device to avoid targeting researchers’ devices.
New training exercises
“If all the conditions are met, the payload will be downloaded and installed,” the post reads. “This dropper doesn’t ask for Accessibility Service privileges either; it simply asks for permission to install packages, along with the promise to install new training exercises, to trick the user into granting that permission. Once installed, the payload is launched. Our threat intelligence shows that at present this dropper is being used to distribute [the] Alien banking Trojan.”
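The permission trick described in that passage is something a reviewer or a mobile-device-management team can check for statically: an app whose stated purpose is fitness coaching or document scanning has no reason to request the right to install other packages or to bind an accessibility service. The following manifest triage is an added example, not code from ThreatFabric, Google, or the apps discussed; the permission names are real Android permissions, but the per-category baseline and the three manifests are constructed for illustration.

```python
"""Manifest triage for the install-permission and accessibility tricks.

Added example, not code from ThreatFabric or the apps discussed.  The
category baseline is an assumption for illustration, not a published list,
and all three manifests below are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names.  The article says the Gymdrop dropper asks
# for the first instead of accessibility privileges; other droppers abused
# the second to automate installs without the user's consent.
INSTALL_PACKAGES = "android.permission.REQUEST_INSTALL_PACKAGES"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Assumed baseline of what a benign app of each category plausibly needs.
EXPECTED_BY_CATEGORY = {
    "qr_scanner": {"android.permission.CAMERA"},
    "pdf_scanner": {"android.permission.CAMERA",
                    "android.permission.READ_EXTERNAL_STORAGE"},
    "fitness": {"android.permission.ACTIVITY_RECOGNITION"},
}


def requested_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}


def accessibility_services(manifest_xml):
    """Return the names of services that bind as accessibility services."""
    root = ET.fromstring(manifest_xml)
    return [s.get(ANDROID_NS + "name") for s in root.iter("service")
            if s.get(ANDROID_NS + "permission") == ACCESSIBILITY_BIND]


def triage(manifest_xml, category):
    """Flag install/accessibility privileges and list every permission
    outside the category baseline; verdict is 'review' or 'ok'."""
    perms = requested_permissions(manifest_xml)
    findings = []
    if INSTALL_PACKAGES in perms:
        findings.append("requests REQUEST_INSTALL_PACKAGES (can sideload a second-stage APK)")
    for svc in accessibility_services(manifest_xml):
        findings.append("declares accessibility service %s (can drive the UI)" % svc)
    unexpected = sorted(perms - EXPECTED_BY_CATEGORY.get(category, set()))
    return {
        "category": category,
        "findings": findings,
        "unexpected_permissions": unexpected,
        "verdict": "review" if findings else "ok",
    }


# Constructed manifests, not taken from any real app.
BENIGN_QR_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.qr">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="QR reader"/>
</manifest>"""

DROPPER_LIKE_FITNESS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fit">
  <uses-permission android:name="android.permission.ACTIVITY_RECOGNITION"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Fitness trainer"/>
</manifest>"""

ACCESSIBILITY_PDF_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.pdf">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="PDF scanner">
    <service android:name=".HelperService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, xml, cat in [("benign", BENIGN_QR_MANIFEST, "qr_scanner"),
                            ("dropper-like", DROPPER_LIKE_FITNESS_MANIFEST, "fitness"),
                            ("accessibility", ACCESSIBILITY_PDF_MANIFEST, "pdf_scanner")]:
        print(label, triage(xml, cat))
```

The check is deliberately a coarse pre-filter: a "review" verdict means a human looks at why a fitness app wants to install packages, not that the app is malicious. It also only sees what is in the manifest at submission time, which is exactly the gap the article's droppers exploited by pulling the real payload later.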
The researchers identified 12 Android apps involved in the campaigns. The apps are:
| Application name | Package name | SHA-256 |
| --- | --- | --- |
| Master live scanner | com.multifuction.combine.qr | 7aa60296b771bdf6f2b52ad62ffd2176dc66cb38b4e6d2b658496a6754650ad4 |
| QR scanner 2021 | com.qr.code.generate | 2db34aa26b1ca5b3619a0cf26d166ae9e85a98babf1bc41f784389ccc6f54afb |
| PDF Document Scanner – Scan to PDF | com.xaviermuches.docscannerpro2 | 2080061fe7f219fa0ed6e4c765a12a5bc2075d18482fa8cf27f7a090deca54c5 |
| PDF document scanner | com.docscanverifier.mobile | 974eb933d687a9dd3539b97821a6a777a8e5b4d65e1f32092d5ae30991d4b544 |
| Free PDF Document Scanner | com.doscanner.mobile | 16c3123574523a3f1fb24bbe6748e957afff21bef0e05cdb3b3e601a753b8f9d |
| Gym and fitness trainer | com.gym.trainer.games | 30ee6f4ea71958c2b8d3c98a73408979f8179159acccc01b6fd53ccb20579b6b |
| Gym and fitness trainer | com.gym.trainer.games | b3c408eafe73cad0bb989135169a8314ae656357501683678eff9be9bcc618f |
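The table above is usable as-is for a retrospective sweep of a managed fleet: match each installed package and its APK hash against the published indicators. The script below is an added example, not ThreatFabric's or Google's tooling. The indicator rows are copied from the table; the inventory lines and their `<package> <sha256>` format are constructed assumptions about what a device-management export would look like. The loader refuses to index any row whose hash is not 64 hex characters and returns it separately, which matters for the table exactly as printed, and a package-name match with a different hash is still reported because the same listing shipped under more than one APK hash.

```python
"""Match a package inventory against the indicators in the table above.

Added example, not ThreatFabric's or Google's tooling.  Indicator rows are
copied from the article's table; the inventory lines are constructed and
the '<package> <sha256>' line format is an assumption about the export."""
import re

HEX64 = re.compile(r"^[0-9a-f]{64}$")

# (app name, package name, SHA-256) as printed in the article.
PUBLISHED_IOCS = [
    ("Master live scanner", "com.multifuction.combine.qr",
     "7aa60296b771bdf6f2b52ad62ffd2176dc66cb38b4e6d2b658496a6754650ad4"),
    ("QR scanner 2021", "com.qr.code.generate",
     "2db34aa26b1ca5b3619a0cf26d166ae9e85a98babf1bc41f784389ccc6f54afb"),
    ("PDF Document Scanner – Scan to PDF", "com.xaviermuches.docscannerpro2",
     "2080061fe7f219fa0ed6e4c765a12a5bc2075d18482fa8cf27f7a090deca54c5"),
    ("PDF document scanner", "com.docscanverifier.mobile",
     "974eb933d687a9dd3539b97821a6a777a8e5b4d65e1f32092d5ae30991d4b544"),
    ("Free PDF Document Scanner", "com.doscanner.mobile",
     "16c3123574523a3f1fb24bbe6748e957afff21bef0e05cdb3b3e601a753b8f9d"),
    ("Gym and fitness trainer", "com.gym.trainer.games",
     "30ee6f4ea71958c2b8d3c98a73408979f8179159acccc01b6fd53ccb20579b6b"),
    ("Gym and fitness trainer", "com.gym.trainer.games",
     "b3c408eafe73cad0bb989135169a8314ae656357501683678eff9be9bcc618f"),
]


def load_iocs(rows):
    """Index indicators by hash and by package.  Rows whose hash is not
    64 lowercase hex characters are returned in `rejected` instead of being
    indexed, so a mangled indicator is noticed rather than silently dead."""
    by_hash, by_pkg, rejected = {}, {}, []
    for name, pkg, digest in rows:
        digest = digest.strip().lower()
        if not HEX64.match(digest):
            rejected.append((pkg, digest))
            continue
        by_hash[digest] = (name, pkg)
        by_pkg.setdefault(pkg, set()).add(digest)
    return by_hash, by_pkg, rejected


def match_inventory(lines, rows=PUBLISHED_IOCS):
    """Each line is '<package> <sha256>'; '#' lines are comments.
    Returns (package, verdict) pairs.  A package-name hit with a different
    hash is still reported, since one listing shipped under several hashes."""
    by_hash, by_pkg, _ = load_iocs(rows)
    results = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pkg, _, digest = line.partition(" ")
        digest = digest.strip().lower()   # tolerate uppercase exports
        if digest in by_hash:
            results.append((pkg, "exact_hash_match"))
        elif pkg in by_pkg:
            results.append((pkg, "package_match_hash_differs"))
        else:
            results.append((pkg, "no_match"))
    return results


# Constructed inventory, not real telemetry.  Only the second hash is
# copied from the table (uppercased on purpose); the others are placeholders.
SAMPLE_INVENTORY = [
    "# package sha256",
    "com.example.notes " + "0" * 64,
    "com.qr.code.generate 2DB34AA26B1CA5B3619A0CF26D166AE9E85A98BABF1BC41F784389CCC6F54AFB",
    "com.gym.trainer.games " + "1" * 64,
]

if __name__ == "__main__":
    _, _, bad = load_iocs(PUBLISHED_IOCS)
    print("indicator rows set aside for review:", bad)
    for pkg, verdict in match_inventory(SAMPLE_INVENTORY):
        print(pkg, verdict)
```

Hash matching only catches the exact APKs the researchers listed; since the droppers fetched their real payload later, a hash sweep should be paired with a check for apps that later requested install or accessibility privileges, not used on its own.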
Asked for comment, a Google spokesperson highlighted this April post detailing the company’s methods of detecting malicious apps submitted to Play.
Over the past decade, malicious apps have regularly plagued Google Play. As it did this time, Google rushes to remove fraudulent apps once it learns of them, but the company has been chronically unable to find the thousands of apps that have slipped into the market and infected thousands or even millions of users.
It is not always easy to spot these scams. Reading user reviews can help, but not always, as scammers often seed their submissions with fake reviews. Avoiding obscure apps with small user bases can also help, but this tactic would have been ineffective in this case. Users should also think carefully before downloading any apps or app updates from third-party marketplaces.
The best advice for staying safe from malicious Android apps is to be extremely sparing about installing them. And if you haven’t used an app for a while, uninstalling it is a good idea.