Over 300,000 Android smartphone users have downloaded what have turned out to be banking trojans after falling victim to malware which has bypassed detection by the Google Play app store.
Detailed by cybersecurity researchers at ThreatFabric, the four different forms of malware are delivered to victims via malicious versions of commonly downloaded applications, including document scanners, QR code readers, fitness monitors and cryptocurrency apps. The apps often come with the functions which are advertised in order to avoid users getting suspicious.
In each case, the malicious intent of the app is hidden and the process of delivering the malware only begins once the app has been installed, enabling them to bypass Play Store detections.
The most prolific of the four malware families is Anatsa, which has been installed by over 200,000 Android users – researchers describe it as an “advanced” banking trojan which can steal usernames and passwords, and uses accessibility logging to capture everything shown on the user’s screen, while a keylogger allows attackers to record all information entered into the phone.
Anatsa malware has been active since January, but appears to have received a substantial push since June – researchers were able to identify six different malicious applications designed to deliver the malware. These include apps which posed as QR code scanners, PDF scanners and cryptocurrency apps, all of which deliver the malware.
One of these apps is a QR code scanner which has been installed by 50,000 users alone and the download page features a large number of positive reviews, something which can encourage people to download the app. Users are directed to the apps via phishing emails or malicious ad campaigns.
After the initial download, users are forced to update the app to continue using it – it’s this update which connects to a command and control server and downloads the Anatsa payload onto the device, providing attackers with the means to steal banking details and other information.
The second most prolific of the malware families detailed by researchers at ThreatFabric is Alien, an Android banking trojan which can also steal two-factor authentication codes and which has been active for over a year. The malware has received 95,000 installations via malicious apps in the Play Store.
One of these is a gym and fitness training app which comes with a supporting website designed to make it appear legitimate, but close inspection of the site reveals placeholder text all over it. The website also serves as the command and control centre for the Alien malware.
Like Anatsa, the initial download doesn’t contain malware, but users are asked to install a fake update – disguised as a package of new fitness regimes – which distributes the payload.
The other two forms of malware which have been dropped using similar methods in recent months are Hydra and Ermac, which have a combined total of at least 15,000 downloads. ThreatFabric has linked Hydra and Ermac to Brunhilda, a cyber criminal group known to target Android devices with banking malware. Both Hydra and Ermac provide attackers with access to the device required to steal banking information.
ThreatFabric has reported all of the malicious apps to Google and they’ve either already been removed or are under review. Mobile malware is becoming increasingly attractive to cyber criminals, who will continually look for new ways to bypass Play Store protections in order to deliver it.
“The Android banking malware ecosystem is evolving rapidly. These numbers that we are observing now are the result of a slow but inevitable shift of focus from criminals towards the mobile landscape. With this in mind, the Google Play Store is the most attractive platform to use to serve malware,” Dario Durando, mobile malware specialist at ThreatFabric, told ZDNet.
The convincing nature of the malicious apps means that they can be hard to identify as a potential threat, but there are steps users can take to avoid infection.
“A good rule of thumb is to always check updates and always be very careful before granting accessibility services privileges – which will be requested by the malicious payload, after the “update” installation – and be wary of applications that ask to install additional software,” said Durando.
ZDNet attempted to contact Google for comment but hadn’t received a response at the time of publication.