Google Play apps downloaded 300,000 times stole bank credentials


Researchers said they discovered a batch of apps downloaded from Google Play more than 300,000 times before the apps were revealed to be banking Trojans that surreptitiously captured user passwords and two-factor authentication codes, logged keystrokes, and took screenshots.

The apps, posing as QR scanners, PDF scanners, and cryptocurrency wallets, belonged to four different Android malware families that were distributed over a four-month period. They used various tricks to circumvent the restrictions Google has devised in an attempt to curb the seemingly endless distribution of rogue apps on its official market. Those limitations include restricting the use of accessibility services, intended for visually impaired users, to prevent the automatic installation of apps without user consent.

Small footprint

“What makes these Google Play distribution campaigns very difficult to detect from an automation (sandbox) and machine learning perspective is that all dropper applications have a very small malicious footprint,” researchers from mobile security firm ThreatFabric wrote in a post. “This small footprint is a (direct) consequence of the permission restrictions imposed by Google Play.”

Instead, the campaigns generally delivered a benign app first. After it was installed, users received messages instructing them to download updates that installed additional features. The apps often required those updates to be downloaded from third-party sources, but by then many users had come to trust them. Most of the apps initially had zero detections from the malware checkers available on VirusTotal.

The apps also used other mechanisms to stay unnoticed. In many cases, the malware operators manually pushed malicious updates only after checking the geographic location of the infected phone, or rolled the updates out to phones incrementally rather than all at once.

“This incredible focus on avoiding unwanted attention makes automated malware detection less reliable,” the ThreatFabric post explained. “This consideration is confirmed by the very low overall VirusTotal score of the 9 droppers we investigated in this blog post.”

The malware family responsible for the highest number of infections is known as Anatsa. This “fairly advanced Android banking Trojan” offers a variety of capabilities, including remote access and an automatic transfer system (ATS), which automatically drains victims’ accounts and sends the money to accounts belonging to the malware operators.

The researchers wrote:

The infection process with Anatsa looks like this: when starting the app after installation from Google Play, the user is forced to update the application in order to continue using it. At this moment, the Anatsa payload is downloaded from the C2 servers and installed on the unsuspecting victim’s device.

The actors behind this took it upon themselves to make their apps appear legitimate and useful. There are a lot of positive reviews for the apps. The number of installs and the presence of reviews can convince Android users to install the app. Furthermore, these applications do possess the claimed functionality; after installation they operate normally and further convince the victim of their legitimacy.

Despite the overwhelming number of installations, not all devices that have these droppers installed will receive Anatsa, as the actors made efforts to target only the regions of their interest.

ThreatFabric

The three other malware families found by the researchers were Alien, Hydra, and Ermac. One of the droppers used to download and install the malicious payloads was known as Gymdrop. It used filtering rules based on the model of the infected device to avoid targeting security researchers’ devices.

New training exercises

“If all the conditions are met, the payload will be downloaded and installed,” the post stated. “This dropper also does not request accessibility service privileges; it only requests permission to install packages, spiced up with the promise of installing new training exercises, to entice the user to grant this permission. When installed, the payload starts. Our threat intelligence shows that this dropper is currently being used to distribute the Alien banking Trojan.”
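The permission the Gymdrop quote describes is, on Android 8 and later, `android.permission.REQUEST_INSTALL_PACKAGES`; an accessibility-service-based dropper instead declares a service protected by `android.permission.BIND_ACCESSIBILITY_SERVICE`. The following triage script is an added example written for this article, not ThreatFabric's tooling: it parses a decoded AndroidManifest.xml and flags either indicator, which is a cheap first pass when a "scanner" or "fitness" app has no plausible reason to install other packages. The two manifests embedded in it are constructed for the demonstration and do not correspond to any of the listed apps.

```python
"""Manifest triage for the two dropper indicators the article names.

Added example for this article (not ThreatFabric's code).  The manifests
below are constructed; package names and class names are hypothetical.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
PERM_ATTR = "{%s}permission" % ANDROID_NS

# The permission a Gymdrop-style dropper needs: it lets the app hand a
# downloaded APK to the system installer (Android 8+).
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"
# A service guarded by this permission is an accessibility service, the
# capability Google restricts and older droppers abused to auto-install.
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed sample 1: a "fitness" app that asks for the install permission.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fitness.trainer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="Gym Trainer">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

# Constructed sample 2: a "QR scanner" that declares an accessibility service.
SAMPLE_MANIFEST_A11Y = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.qr.scanner">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="QR Scanner">
        <activity android:name=".MainActivity"/>
        <service android:name=".HelperService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    </application>
</manifest>
"""


def parse_manifest(xml_text):
    """Return (package, requested permissions, accessibility service classes)."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    perms = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    a11y_services = {
        s.get(NAME_ATTR)
        for s in root.iter("service")
        if s.get(PERM_ATTR) == ACCESSIBILITY_PERM
    }
    return package, perms, a11y_services


def triage(xml_text):
    """Return (package, list of human-readable findings); empty list means clean."""
    package, perms, a11y = parse_manifest(xml_text)
    findings = []
    if INSTALL_PERM in perms:
        findings.append("requests REQUEST_INSTALL_PACKAGES (can sideload a second-stage APK)")
    if a11y:
        findings.append("declares accessibility service(s): " + ", ".join(sorted(a11y)))
    return package, findings


if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, SAMPLE_MANIFEST_A11Y):
        pkg, findings = triage(manifest)
        for finding in findings or ["no dropper indicators"]:
            print("%s: %s" % (pkg, finding))
```

The script reads a plain-text manifest; a manifest pulled straight out of an APK is binary XML and has to be decoded first (apktool or a similar decoder). Neither indicator is proof of malice on its own, which is exactly why the article's droppers pass automated review; the point of the check is to send such apps to manual analysis.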

The researchers listed 12 Android app samples (11 distinct package names; the Gym and fitness trainer app appears twice with different hashes) that were part of the campaigns. The applications are:

| App name | Package name | SHA-256 |
| --- | --- | --- |
| Two-factor authenticator | com.flowdivison | a3bd136f14cc38d6647020b2632bc35f21fc643c0d3741caaf92f48df0fc6997 |
| Protection guard | com.protectionguard.app | d3dc4e22611ed20d700b6dd292ffddbc595c42453f18879f2ae4693a4d4d925a |
| QR CreatorScanner | com.ready.qrscanner.mix | ed537f8686824595cb3ae45f0e659437b3ae96c0a04203482d80a3e51dd915ab |
| Live Master Scanner | com.multifuction.combine.qr | 7aa60296b771bdf6f2b52ad62ffd2176dc66cb38b4e6d2b658496a6754650ad4 |
| QR scanner 2021 | com.qr.code.generate | 2db34aa26b1ca5b3619a0cf26d166ae9e85a98babf1bc41f784389ccc6f54afb |
| QR scanner | com.qr.barqr.scangen | d4e9a95719e4b4748dba1338fdc5e4c7622b029bbcd9aac8a1caec30b5508db4 |
| PDF Document Scanner – Scan to PDF | com.xaviermuches.docscannerpro2 | 2080061fe7f219fa0ed6e4c765a12a5bc2075d18482fa8cf27f7a090deca54c5 |
| PDF document scanner | com.docscanverifier.mobile | 974eb933d687a9dd3539b97821a6a777a8e5b4d65e1f32092d5ae30991d4b544 |
| Free PDF Document Scanner | com.doscanner.mobile | 16c3123574523a3f1fb24bbe6748e957afff21bef0e05cdb3b3e601a753b8f9d |
| CryptoTracker | cryptolistapp.app.com.cryptotracker | 1aafe8407e52dc4a27ea800577d0eae3d389cb61af54e0d69b89639115d5273c |
| Gym and fitness trainer | com.gym.trainer.games | 30ee6f4ea71958c2b8d3c98a73408979f8179159acccc01b6fd53ccb20579b6b |
| Gym and fitness trainer | com.gym.trainer.games | b3c408eafe73cad0bb989135169a8314aae656357501683678eff9be9bcc618f |

ThreatFabric
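The table above is an indicator list, and the practical use of it is to sweep devices. The script below is an added example written for this article (not ThreatFabric's or Google's tooling): it embeds the package names and SHA-256 hashes from the table, parses the output of `adb shell pm list packages -f` to find installed packages with a listed name, and hashes APK files (as pulled with `adb pull`) to confirm a sample match. The `pm list` output and the APK bytes it runs on are constructed so the script works offline; a real sweep would feed it the device's actual output and files.

```python
"""Sweep a device's package list and pulled APKs against the listed IOCs.

Added example for this article (not ThreatFabric's code).  The adb output
and APK bytes below are constructed; only the IOC values come from the table.
"""
import hashlib
import re

# Package names from the table (11 distinct; the gym app appears twice).
IOC_PACKAGES = {
    "com.flowdivison", "com.protectionguard.app", "com.ready.qrscanner.mix",
    "com.multifuction.combine.qr", "com.qr.code.generate", "com.qr.barqr.scangen",
    "com.xaviermuches.docscannerpro2", "com.docscanverifier.mobile",
    "com.doscanner.mobile", "cryptolistapp.app.com.cryptotracker",
    "com.gym.trainer.games",
}

# SHA-256 -> app name, from the table (12 samples).
IOC_SHA256 = {
    "a3bd136f14cc38d6647020b2632bc35f21fc643c0d3741caaf92f48df0fc6997": "Two-factor authenticator",
    "d3dc4e22611ed20d700b6dd292ffddbc595c42453f18879f2ae4693a4d4d925a": "Protection guard",
    "ed537f8686824595cb3ae45f0e659437b3ae96c0a04203482d80a3e51dd915ab": "QR CreatorScanner",
    "7aa60296b771bdf6f2b52ad62ffd2176dc66cb38b4e6d2b658496a6754650ad4": "Live Master Scanner",
    "2db34aa26b1ca5b3619a0cf26d166ae9e85a98babf1bc41f784389ccc6f54afb": "QR scanner 2021",
    "d4e9a95719e4b4748dba1338fdc5e4c7622b029bbcd9aac8a1caec30b5508db4": "QR scanner",
    "2080061fe7f219fa0ed6e4c765a12a5bc2075d18482fa8cf27f7a090deca54c5": "PDF Document Scanner - Scan to PDF",
    "974eb933d687a9dd3539b97821a6a777a8e5b4d65e1f32092d5ae30991d4b544": "PDF document scanner",
    "16c3123574523a3f1fb24bbe6748e957afff21bef0e05cdb3b3e601a753b8f9d": "Free PDF Document Scanner",
    "1aafe8407e52dc4a27ea800577d0eae3d389cb61af54e0d69b89639115d5273c": "CryptoTracker",
    "30ee6f4ea71958c2b8d3c98a73408979f8179159acccc01b6fd53ccb20579b6b": "Gym and fitness trainer",
    "b3c408eafe73cad0bb989135169a8314aae656357501683678eff9be9bcc618f": "Gym and fitness trainer",
}

# Constructed sample of `adb shell pm list packages -f` output: one system
# app, two packages with listed names, one unrelated user app.
SAMPLE_PM_LIST = """package:/system/app/Bluetooth/Bluetooth.apk=com.android.bluetooth
package:/data/app/~~aB12==/com.qr.barqr.scangen-cD34==/base.apk=com.qr.barqr.scangen
package:/data/app/~~eF56==/com.gym.trainer.games-gH78==/base.apk=com.gym.trainer.games
package:/data/app/~~iJ90==/com.example.notes-kL12==/base.apk=com.example.notes
"""

# `pm list packages -f` prints "package:<apk path>=<package name>"; the path
# may itself contain "=" (the ~~xxxx== directories), so anchor on the name.
PM_LINE = re.compile(r"^package:(?P<path>.+?)=(?P<pkg>[A-Za-z0-9_.]+)$")


def parse_pm_list(text):
    """Return {package name: APK path} from `pm list packages -f` output."""
    installed = {}
    for line in text.splitlines():
        match = PM_LINE.match(line.strip())
        if match:
            installed[match.group("pkg")] = match.group("path")
    return installed


def find_listed_packages(installed):
    """Package names on the device that appear in the IOC table, sorted."""
    return sorted(pkg for pkg in installed if pkg in IOC_PACKAGES)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def match_hash(apk_bytes):
    """App name from the table if the APK's SHA-256 is listed, else None."""
    return IOC_SHA256.get(sha256_hex(apk_bytes))


if __name__ == "__main__":
    installed = parse_pm_list(SAMPLE_PM_LIST)
    for pkg in find_listed_packages(installed):
        print("listed package name installed: %s at %s" % (pkg, installed[pkg]))
    # Constructed stand-in for bytes returned by `adb pull <path>`; it is not
    # one of the samples, so the hash check reports no match.
    print("hash match:", match_hash(b"constructed apk bytes, not a real sample"))
```

A package-name hit and a hash hit mean different things. The name tells you the device has an app published under that identifier, which includes the benign first-stage build that preceded the malicious update; only the SHA-256 confirms the exact sample ThreatFabric analyzed, and a dropper updated after the report will have a hash not on this list. Treat a name match as a reason to pull and inspect the APK, not as the end of the investigation.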

Asked for comment, a Google spokesperson pointed to this post from April detailing the company’s methods for detecting malicious apps submitted to Play.

Malicious apps have plagued Google Play on a regular basis over the past decade. As was the case this time, Google is quick to remove rogue apps once it is notified, but the company has chronically failed to catch thousands of apps that infiltrated its marketplace and infected thousands or even millions of users.

It is not always easy to spot these scams. Reading user reviews can help, but not always, since criminals often seed their listings with fake reviews. Avoiding obscure apps with small user bases can also help, but that tactic would have been ineffective in this case. Users should also think hard before downloading apps or app updates from third-party markets.

The best advice for staying safe from malicious Android apps is to be extremely sparing in installing them. And if you haven’t used an app in a while, uninstalling it is a good idea.


arstechnica.com