The researchers said they discovered a batch of apps downloaded from Google Play more than 300,000 times before the apps were revealed to be banking Trojans that surreptitiously extracted user passwords and two-factor authentication codes, logged keystrokes, and took screenshots of the screen.
The apps, posing as QR scanners, PDF scanners, and cryptocurrency wallets, belonged to four different Android malware families that were distributed over four months. They used various tricks to circumvent the restrictions that Google has devised in an attempt to curb the endless distribution of rogue apps on its official market. Those limitations include restricting the use of accessibility services for visually impaired users to prevent automatic installation of applications without user consent.
“What makes these Google Play distribution campaigns very difficult to detect from an automation (sandbox) and machine learning perspective is that all dropper applications have a very small malicious footprint,” wrote researchers from the mobile security firm ThreatFabric in a post. “This small footprint is a (direct) consequence of the permission restrictions imposed by Google Play.”
Instead, the campaigns generally delivered a benign app at first. After the application was installed, users received messages instructing them to download updates that installed additional features. The applications often required the download of updates from third-party sources, but by then many users had come to trust them. Most of the applications initially had no detections from the malware checkers available on VirusTotal.
The apps also went unnoticed through the use of other mechanisms. In many cases, malware operators manually installed malicious updates only after verifying the geographic location of the infected phone or updating the phones incrementally.
“This incredible focus on avoiding unwanted attention makes automated malware detection less reliable,” explains ThreatFabric. “This consideration is confirmed by the very low VirusTotal total score of the 9 droppers we investigated in this blog post.”
The malware family responsible for the highest number of infections is known as Anatsa. This “fairly advanced Android banking Trojan” offers a variety of capabilities, including remote access and automatic transfer systems, which automatically drain victims’ accounts and move the funds to accounts controlled by the malware operators.
The researchers wrote:
The infection process with Anatsa looks like this: at the beginning of the installation from Google Play, the user is forced to update the application to continue using it. At this time, [the] Anatsa payload is downloaded from the C2 servers and installed on the unsuspecting victim’s device.
The actors behind this took it upon themselves to make their apps appear legitimate and useful. There are a lot of positive reviews for the apps. The number of installs and the presence of reviews can convince Android users to install the app. Furthermore, these applications possess the declared functionality; after installation they work normally and further convince the victim [of] their legitimacy.
Despite the overwhelming number of installations, not all devices that have these droppers installed will receive Anatsa, as the actors made efforts to target only the regions of their interest.
Three other malware families found by the researchers were Alien, Hydra, and Ermac. One of the droppers used to download and install malicious payloads was known as Gymdrop. It used filtering rules based on the model of the infected device to avoid targeting the investigator’s devices.
New training exercises
“If all the conditions are met, the payload will be downloaded and installed,” the publication stated. “This dropper also does not request accessibility service privileges; it simply requests permission to install packages, spiced up with the promise to install new training exercises, to prompt the user to grant this permission. Once installed, the payload starts. Our threat intelligence shows that this dropper is currently being used to distribute [the] Alien banking Trojan.”
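The dropper pattern described above, benign at install time, then asking only for the permission to install packages (or, in the Anatsa case, for accessibility service access) before fetching a second-stage "update", leaves a small but checkable trace in an app's manifest. The following Python snippet is an added example, not code from the article or from ThreatFabric: it parses an AndroidManifest.xml (the sample manifest is constructed for illustration and does not belong to any of the listed apps) and flags the two capabilities the article associates with dropper behaviour, `android.permission.REQUEST_INSTALL_PACKAGES` declared as a `uses-permission`, and any `<service>` protected by `android.permission.BIND_ACCESSIBILITY_SERVICE`. Neither is proof of malice on its own; the point is to surface apps that deserve a closer look.

```python
import xml.etree.ElementTree as ET

# Android manifest attributes live in this namespace.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = f"{{{ANDROID_NS}}}name"
ATTR_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Capabilities the article ties to dropper behaviour.
INSTALL_PERMISSION = "android.permission.REQUEST_INSTALL_PACKAGES"
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml: str) -> list[tuple[str, str]]:
    """Return (where, permission) findings for dropper-relevant capabilities.

    'where' is either 'uses-permission' or 'service:<class name>'.
    """
    root = ET.fromstring(manifest_xml)
    findings: list[tuple[str, str]] = []

    # A dropper that sideloads its payload needs permission to install packages.
    for node in root.iter("uses-permission"):
        if node.get(ATTR_NAME) == INSTALL_PERMISSION:
            findings.append(("uses-permission", INSTALL_PERMISSION))

    # An accessibility service is declared as a <service> guarded by this permission.
    for svc in root.iter("service"):
        if svc.get(ATTR_PERMISSION) == ACCESSIBILITY_PERMISSION:
            findings.append((f"service:{svc.get(ATTR_NAME)}", ACCESSIBILITY_PERMISSION))

    return findings


# Constructed sample: a "fitness trainer" decoy that only asks to install packages,
# mirroring the behaviour the article attributes to the Gymdrop dropper.
SAMPLE_DROPPER_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fitness.decoy">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="Fitness Trainer">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

# Constructed sample: an ordinary scanner app with no dropper-relevant capability.
SAMPLE_BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.scanner.benign">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="QR Scanner">
        <activity android:name=".ScanActivity"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("decoy", SAMPLE_DROPPER_MANIFEST), ("benign", SAMPLE_BENIGN_MANIFEST)):
        print(label, triage_manifest(manifest))
```

In a real triage pipeline the manifest comes from the APK (for example via `apktool d` or `aapt dump xmltree`); the function above only needs the decoded XML text.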
The researchers listed 12 Android apps that participated in the fraud. The applications are:
| App name | Package name | SHA-256 |
| --- | --- | --- |
| Live Master Scanner | com.multifuction.combine.qr | 7aa60296b771bdf6f2b52ad62ffd2176dc66cb38b4e6d2b658496a6754650ad4 |
| QR scanner 2021 | com.qr.code.generate | 2db34aa26b1ca5b3619a0cf26d166ae9e85a98babf1bc41f784389ccc6f54afb |
| PDF Document Scanner – Scan to PDF | com.xaviermuches.docscannerpro2 | 2080061fe7f219fa0ed6e4c765a12a5bc2075d18482fa8cf27f7a090deca54c5 |
| PDF document scanner | com.docscanverifier.mobile | 974eb933d687a9dd3539b97821a6a777a8e5b4d65e1f32092d5ae30991d4b544 |
| Free PDF Document Scanner | com.doscanner.mobile | 16c3123574523a3f1fb24bbe6748e957afff21bef0e05cdb3b3e601a753b8f9d |
| Gym and fitness trainer | com.gym.trainer.games | 30ee6f4ea71958c2b8d3c98a73408979f8179159acccc01b6fd53ccb20579b6b |
| Gym and fitness trainer | com.gym.trainer.games | b3c408eafe73cad0bb989135169a8314aae656357501683678eff9be9bcc618f |
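The table above is an indicator list, and the practical question for a defender is whether any of these packages are present on a device. The following Python script is an added example, not code from the article or ThreatFabric: it embeds the table's package names and SHA-256 hashes, parses the `package:<name>` lines that `adb shell pm list packages` prints (the sample output below is constructed), and classifies a pulled APK by its SHA-256. Because the same package name appears twice with different hashes, a package name match alone is reported separately from a hash match; a name hit with an unknown hash could be a different build of the same dropper or an unrelated app that reused the name.

```python
import hashlib

# Indicator rows copied from the article's table: (app name, package name, SHA-256).
IOCS = [
    ("Live Master Scanner", "com.multifuction.combine.qr",
     "7aa60296b771bdf6f2b52ad62ffd2176dc66cb38b4e6d2b658496a6754650ad4"),
    ("QR scanner 2021", "com.qr.code.generate",
     "2db34aa26b1ca5b3619a0cf26d166ae9e85a98babf1bc41f784389ccc6f54afb"),
    ("PDF Document Scanner - Scan to PDF", "com.xaviermuches.docscannerpro2",
     "2080061fe7f219fa0ed6e4c765a12a5bc2075d18482fa8cf27f7a090deca54c5"),
    ("PDF document scanner", "com.docscanverifier.mobile",
     "974eb933d687a9dd3539b97821a6a777a8e5b4d65e1f32092d5ae30991d4b544"),
    ("Free PDF Document Scanner", "com.doscanner.mobile",
     "16c3123574523a3f1fb24bbe6748e957afff21bef0e05cdb3b3e601a753b8f9d"),
    ("Gym and fitness trainer", "com.gym.trainer.games",
     "30ee6f4ea71958c2b8d3c98a73408979f8179159acccc01b6fd53ccb20579b6b"),
    ("Gym and fitness trainer", "com.gym.trainer.games",
     "b3c408eafe73cad0bb989135169a8314aae656357501683678eff9be9bcc618f"),
]

# package name -> set of known SHA-256 digests (one package has two builds).
PACKAGE_HASHES: dict[str, set[str]] = {}
for _, _pkg, _sha in IOCS:
    PACKAGE_HASHES.setdefault(_pkg, set()).add(_sha)


def find_listed_packages(pm_output: str) -> list[str]:
    """Return listed package names from `adb shell pm list packages` output, in order, without duplicates."""
    hits: list[str] = []
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue  # ignore anything that is not a package line
        pkg = line[len("package:"):]
        if pkg in PACKAGE_HASHES and pkg not in hits:
            hits.append(pkg)
    return hits


def sha256_of(apk_bytes: bytes) -> str:
    """Hex SHA-256 of APK contents, as pulled with `adb pull`."""
    return hashlib.sha256(apk_bytes).hexdigest()


def classify_digest(pkg: str, digest: str) -> str:
    """'match' for a known dropper build, 'package-only' for a listed name with an unknown hash, else 'clean'."""
    if digest in PACKAGE_HASHES.get(pkg, set()):
        return "match"
    if pkg in PACKAGE_HASHES:
        return "package-only"
    return "clean"


# Constructed sample output in the format `pm list packages` uses.
SAMPLE_PM_OUTPUT = """package:com.android.settings
package:com.qr.code.generate
package:com.example.notes
package:com.gym.trainer.games
package:com.gym.trainer.games
"""

if __name__ == "__main__":
    for pkg in find_listed_packages(SAMPLE_PM_OUTPUT):
        # A real check would `adb pull` the APK and hash its bytes; here the bytes are constructed.
        print(pkg, classify_digest(pkg, sha256_of(b"constructed apk bytes")))
```

Package names can be reused by unrelated apps and the same dropper can be rebuilt, so treat the name match as a reason to pull and hash the APK, not as a verdict.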
When asked for comment, a Google spokesperson pointed to this April post detailing the company’s methods of detecting malicious apps submitted to Play.
Malicious apps have plagued Google Play on a regular basis over the past decade. As was the case this time, Google is quick to remove rogue apps once it has been notified of them, but the company has been chronically unable to find thousands of apps that have infiltrated the bazaar and infected thousands or even millions of users.
It is not always easy to spot these scams. Reading user reviews can help, but not always, as criminals often seed their posts with fake reviews. Staying away from shady apps with small user bases can help too, but that tactic would have been ineffective in this case. Users should also think carefully before downloading apps or app updates from third-party markets.
The best advice to stay safe from malicious Android apps is to be extremely sparing when installing them. And if you haven’t used an app in a while, uninstalling it is a good idea.