More than 300,000 Google Play Store users have been infected with Android banking trojans, according to a new report from ThreatFabric, a mobile security company.
Last month, security researchers from ThreatFabric discovered four different malware dropper campaigns distributing banking trojans on the Google Play Store. These are primarily part of four malware families: Anatsa, Alien, Hydra, and Ermac, which were distributed between August and November 2021 and downloaded over 300,000 times.
These malicious Android apps posed as QR Scanner, QR Scanner 2021, PDF Document Scanner, PDF Document Scanner Free, Two Factor Authenticator, Protection Guard, QR CreatorScanner, Master Scanner Live, CryptoTracker, and Gym and Fitness Trainer.
During the research dedicated to the distribution techniques of different malware families, ThreatFabric analysts found numerous droppers located in Google Play, designed to distribute specifically the banking trojan Anatsa.
Anatsa was discovered by ThreatFabric in January 2021. It is a rather advanced Android banking trojan with RAT and semi-ATS capabilities. It can also perform classic overlay attacks to steal credentials, as well as accessibility logging (capturing everything shown on the user's screen) and keylogging.
The first dropper was discovered in June 2021 masquerading as an app for scanning documents. In total, ThreatFabric analysts were able to identify 6 Anatsa droppers published in Google Play since June 2021.
These apps posed as QR code scanners, PDF scanners, and cryptocurrency apps. One dropper app was installed more than 50,000 times, with the combined total of installations of all droppers reaching more than 100,000 installations.
"Actors behind it took care in making their apps look legitimate and useful. There are large numbers of positive reviews for the apps. The number of installations and the presence of reviews may convince Android users to install the app. Moreover, these apps indeed possess the claimed functionality; after installation they do operate normally and further convince the victim of their legitimacy," the researchers noted.
Additionally, there were dropper installations from the Alien (95,000+) and Hydra/Ermac (15,000+) malware families. While Alien can steal important information even from a two-factor authentication process, the other two provide attackers with the access to the device required to steal users' banking information.
The dropper apps have a very small malicious footprint, which is a (direct) consequence of the permission restrictions enforced by Google Play.
A good example is the modification introduced on November 13th, 2021 by Google, which limits the use of Accessibility Services, a feature that earlier dropper campaigns abused to automate the installation of apps without user consent.
“This policing by Google has forced actors to find ways to significantly reduce the footprint of dropper apps. Besides improved malware code efforts, Google Play distribution campaigns are also more refined than previous campaigns,” ThreatFabric researchers explained in their report.
“For example, by introducing carefully planned small malicious code updates over a longer period in Google Play, as well as sporting a dropper C2 backend to fully match the theme of the dropper app (for example a working Fitness website for a workout focused app).”
To make themselves even more difficult to detect by Google and antivirus vendors, the actors behind these dropper apps only manually activate the installation of the banking trojan on an infected device, either to target a specific region of the world or at a later date to further evade detection. This makes automated detection a much harder strategy for any organization to adopt.
As a result, almost all of the trojans have or had a 0/62 FUD score on VirusTotal at some point in time, confirming the difficulty of detecting dropper apps with a minimal footprint.
"In the span of only 4 months, 4 large Android families were spread via Google Play, resulting in 300,000+ infections via multiple dropper apps. A noticeable trend in the new dropper campaigns is that actors are focusing on loaders with a reduced malicious footprint in Google Play, considerably increasing the difficulties in detecting them with automation and machine learning techniques," concludes the report.
"The small malicious footprint is a result of the new Google Play restrictions (current and planned) to put limitations on the use of privacy concerning app permissions."
After the discovery of the malicious apps, ThreatFabric reported all of them to Google, and they have now been removed from the Play Store, as confirmed by a Google spokesperson to ZDNet.
"The Android banking malware ecosystem is evolving rapidly. These numbers that we are observing now are the result of a slow but inevitable shift of focus from criminals towards the mobile landscape. With this in mind, the Google Play Store is the most attractive platform to use to serve malware," Dario Durando, mobile malware specialist at ThreatFabric, told ZDNet.
"A good rule of thumb is to always check updates and always be very careful before granting accessibility services privileges, which will be requested by the malicious payload after the 'update' installation, and be wary of applications that ask to install additional software," Durando recommended to users who want to avoid infection.
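The warning signs the article describes (a small-footprint dropper that later asks the user to grant accessibility privileges and to install an additional "update" package) can be checked for on a device after the fact. The script below is an added example, not code from the article or from ThreatFabric; it assumes `adb` is installed and one Android device with USB debugging is attached, and it uses only standard `adb shell` commands (`settings`, `pm list packages`, `dumpsys package`). The parsing functions take text, so they can be exercised on constructed output without a device; the package names in the comments and tests are invented for illustration.

```shell
#!/bin/sh
# Added example: audit a connected Android device for the dropper warning signs
# discussed in the article. Not from the article or ThreatFabric.
# Assumes: adb on PATH, one device attached with USB debugging enabled.

# Split the secure setting enabled_accessibility_services
# ("pkg/service:pkg2/service2", or "null" when none) into one package per line.
parse_accessibility_services() {
    case "$1" in
        ''|null) return 0 ;;
    esac
    printf '%s\n' "$1" | tr ':' '\n' | sed -n 's#^\([^/]*\)/.*#\1#p' | sort -u
}

# From "pm list packages -3 -i" output ("package:com.x installer=com.y"),
# print packages whose installer is not the Play Store (com.android.vending).
# A payload installed by a dropper app shows that app (or "null" for
# adb/sideload) as its installer rather than the Play Store.
parse_non_play_installs() {
    sed -n 's/^package:\([^ ]*\) *installer=\(.*\)$/\1 \2/p' |
    awk '$2 != "com.android.vending" { print $1 " (installer: " $2 ")" }'
}

# Read "dumpsys package <pkg>" output on stdin; succeed when the package
# requests REQUEST_INSTALL_PACKAGES, the permission needed to prompt the user
# to install further APKs (what a dropper needs to deliver its payload).
requests_install_permission() {
    grep -q 'android.permission.REQUEST_INSTALL_PACKAGES'
}

# Run the three checks against the attached device.
audit_device() {
    echo "== Packages enabled as accessibility services (review any you did not knowingly enable) =="
    parse_accessibility_services \
        "$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')"

    echo "== Third-party packages not installed by the Play Store =="
    adb shell pm list packages -3 -i | tr -d '\r' | parse_non_play_installs

    echo "== Third-party packages able to install other apps =="
    for pkg in $(adb shell pm list packages -3 | tr -d '\r' | sed 's/^package://'); do
        if adb shell dumpsys package "$pkg" | tr -d '\r' | requests_install_permission; then
            echo "$pkg"
        fi
    done
}

# Only talk to a device when invoked with --run, so the functions can be
# sourced and tested on their own.
if [ "${1:-}" = "--run" ]; then
    audit_device
fi
```

A third-party package that appears in more than one list (an app you installed as a scanner that is now an enabled accessibility service, plus a second package whose installer is that scanner app) matches the staged dropper-then-payload pattern described above and is worth removing and reporting rather than trusting its reviews.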