More than 300,000 Google Play Store users have been infected with Android banking trojans, according to a new report from ThreatFabric, a mobile security company.
Last month, security researchers from ThreatFabric discovered four different malware dropper campaigns distributing banking trojans on the Google Play Store. The droppers mainly belong to four malware families (Anatsa, Alien, Hydra, and Ermac), were distributed between August and November 2021, and were downloaded over 300,000 times.
These malicious Android apps posed as QR Scanner, QR Scanner 2021, PDF Document Scanner, PDF Document Scanner Free, Two Factor Authenticator, Protection Guard, QR CreatorScanner, Master Scanner Live, CryptoTracker, and Gym and Fitness Trainer.
During the research dedicated to the distribution techniques of different malware families, ThreatFabric analysts found numerous droppers located in Google Play, designed to distribute specifically the banking trojan Anatsa.
Anatsa was discovered by ThreatFabric in January 2021. It is a rather advanced Android banking trojan with RAT and semi-ATS capabilities. It can also perform classic overlay attacks to steal credentials, as well as accessibility logging (capturing everything shown on the user’s screen) and keylogging.
The first dropper was discovered in June 2021 masquerading as an app for scanning documents. In total, ThreatFabric analysts were able to identify 6 Anatsa droppers published in Google Play since June 2021.
These apps posed as QR code scanners, PDF scanners, and cryptocurrency apps. One dropper app was installed more than 50,000 times, with the combined total of installations of all droppers reaching more than 100,000 installations.
“Actors behind it took care in making their apps look legitimate and useful. There are large numbers of positive reviews for the apps. The number of installations and the presence of reviews may convince Android users to install the app. Moreover, these apps indeed possess the claimed functionality: after installation they do operate normally and further convince the victim of their legitimacy,” the researchers noted.
Additionally, droppers for the Alien (95,000+) and Hydra/Ermac (15,000+) malware families were installed as well. While Alien can steal important information even from a two-factor authentication process, the other two give attackers the device access needed to steal users’ banking information.
The dropper apps have a very small malicious footprint, which is a (direct) consequence of the permission restrictions enforced by Google Play.
A good example is the modification introduced by Google on November 13th, 2021, which limits the use of the Accessibility Services that earlier dropper campaigns had abused to automate the installation of apps without user consent.
“This policing by Google has forced actors to find ways to significantly reduce the footprint of dropper apps. Besides improved malware code efforts, Google Play distribution campaigns are also more refined than previous campaigns,” ThreatFabric researchers explained in their report.
“For example, by introducing carefully planned small malicious code updates over a longer period in Google Play, as well as sporting a dropper C2 backend to fully match the theme of the dropper app (for example a working Fitness website for a workout focused app).”
To make themselves even more difficult to detect by Google and antivirus vendors, the actors behind these dropper apps only manually activate the installation of the banking trojan on infected devices, either to target a specific region of the world or at a later date to further evade detection. This makes automated detection a much harder strategy for any organization to rely on.
As a result, almost all of the trojans have had, at some point in time, a 0/62 (fully undetected, or FUD) score on VirusTotal, confirming the difficulty of detecting dropper apps with a minimal footprint.
“In the span of only 4 months, 4 large Android families were spread via Google Play, resulting in 300,000+ infections via multiple dropper apps. A noticeable trend in the new dropper campaigns is that actors are focusing on loaders with a reduced malicious footprint in Google Play, considerably increasing the difficulties in detecting them with automation and machine learning techniques,” concludes the report.
“The small malicious footprint is a result of the new Google Play restrictions (current and planned) to put limitations on the use of privacy concerning app permissions.”
After the discovery of the malicious apps, ThreatFabric reported all of them to Google, and all have now been removed from the Play Store, as a Google spokesperson confirmed to ZDNet.
“The Android banking malware ecosystem is evolving rapidly. These numbers that we are observing now are the result of a slow but inevitable shift of focus from criminals towards the mobile landscape. With this in mind, the Google Play Store is the most attractive platform to use to serve malware,” Dario Durando, mobile malware specialist at ThreatFabric, told ZDNet.
“A good rule of thumb is to always check updates and always be very careful before granting accessibility services privileges – which will be requested by the malicious payload, after the ‘update’ installation – and be wary of applications that ask to install additional software,” Durando advised users who want to avoid infection.
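The two warning signs Durando names (an app that has been granted accessibility service privileges, and an app that asks to install additional software) can both be checked on a device from the outside. The script below is an added example written for this article, not ThreatFabric's tooling, and it goes slightly beyond the quote by auditing every third-party package at once. It assumes the standard formats of three `adb shell` outputs: `settings get secure enabled_accessibility_services` (a colon-separated list of `package/ServiceClass` component names, or `null`), `pm list packages -3` (`package:<name>` lines for third-party apps), and the `requested permissions:` block of `dumpsys package <pkg>`. The sample outputs embedded here are constructed, and the package names in them are invented placeholders.

```python
"""Audit third-party Android apps for two risk signals from the advice above:
  1. the app owns an enabled accessibility service
  2. the app requests android.permission.REQUEST_INSTALL_PACKAGES, the
     permission an app needs before it can prompt the user to install an APK
Added example; input formats are assumed to match adb's standard output.
"""
import re

# Constructed sample of `settings get secure enabled_accessibility_services`.
ENABLED_A11Y = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.qrscanner/com.example.qrscanner.HelperService"
)

# Constructed sample of `pm list packages -3` (third-party packages only).
THIRD_PARTY = """package:com.example.qrscanner
package:com.example.fitness
package:com.example.notes
"""

# Constructed excerpts of `dumpsys package <pkg>`, keyed by package name.
DUMPSYS = {
    "com.example.qrscanner": """  requested permissions:
      android.permission.CAMERA
      android.permission.REQUEST_INSTALL_PACKAGES
      android.permission.INTERNET
  install permissions:
      android.permission.INTERNET: granted=true
""",
    "com.example.fitness": """  requested permissions:
      android.permission.INTERNET
      android.permission.ACTIVITY_RECOGNITION
""",
    "com.example.notes": """  requested permissions:
      android.permission.INTERNET
""",
}

INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"


def parse_enabled_services(raw):
    """Return the set of packages that own an enabled accessibility service."""
    raw = raw.strip()
    if not raw or raw == "null":
        return set()
    return {comp.split("/", 1)[0] for comp in raw.split(":") if comp}


def parse_third_party(raw):
    """Return the set of package names from `pm list packages -3` output."""
    return {m.group(1) for m in re.finditer(r"^package:(\S+)$", raw, re.M)}


def requested_permissions(dump):
    """Collect permission names listed under 'requested permissions:'."""
    perms = set()
    in_block = False
    for line in dump.splitlines():
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_block = True
            continue
        if in_block:
            # Any other 'xxx:' header ends the block.
            if stripped.endswith(":"):
                in_block = False
                continue
            if stripped:
                perms.add(stripped)
    return perms


def audit(enabled_raw, third_party_raw, dumps):
    """Map each flagged third-party package to the list of reasons it was flagged."""
    a11y_owners = parse_enabled_services(enabled_raw)
    findings = {}
    for pkg in sorted(parse_third_party(third_party_raw)):
        reasons = []
        if pkg in a11y_owners:
            reasons.append("enabled accessibility service")
        if INSTALL_PERM in requested_permissions(dumps.get(pkg, "")):
            reasons.append("requests REQUEST_INSTALL_PACKAGES")
        if reasons:
            findings[pkg] = reasons
    return findings


if __name__ == "__main__":
    for pkg, reasons in audit(ENABLED_A11Y, THIRD_PARTY, DUMPSYS).items():
        print(f"{pkg}: {', '.join(reasons)}")
```

On a real device the three constants would be replaced by the live `adb shell` output. A system accessibility service such as TalkBack is deliberately not reported, because only packages present in the third-party list are examined; an app that appears with both reasons matches the pattern the article describes, where an innocuous-looking utility asks for accessibility privileges and then offers an "update" to install.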