Researchers said they found a batch of apps that were downloaded from Google Play more than 300,000 times before they were revealed to be banking Trojans that secretly soaked up user passwords and two-factor authentication codes, recorded keystrokes, and took screenshots.

The apps, disguised as QR scanners, PDF scanners and cryptocurrency wallets, belonged to four separate Android malware families distributed over four months. They used several tricks to circumvent the restrictions Google devised to curb the endless distribution of fraudulent apps on its official market. Those restrictions include limiting the use of accessibility services, which are intended for visually impaired users, so that an app cannot be installed automatically without the user's consent.

Small footprints

What makes these Google Play distribution campaigns very difficult to detect from an automation (sandbox) and machine-learning perspective is that the malicious footprint of the dropper app is very small, researchers from mobile security company ThreatFabric wrote in a post. This small footprint is a (direct) result of the permission restrictions enforced by Google Play.

Instead, the campaigns typically began by offering harmless apps. After installing an app, the user received a message instructing them to download an update that installed additional features. In many cases the apps required the update to be downloaded from a third-party source, but by then many users had come to trust them. Most of the apps initially had zero detections from the malware checkers available on VirusTotal.

The apps also flew under the radar using other mechanisms. In many cases, the malware operators manually installed the malicious update only after checking the geographic location of the infected phone, or rolled the update out in stages.

According to the ThreatFabric post, this incredible attention to avoiding unnecessary attention makes automated malware detection less reliable. This consideration is confirmed by the very low overall VirusTotal score of the nine droppers examined in the blog post.

The malware family responsible for the most infections is known as Anatsa. This fairly advanced Android banking Trojan offers a variety of features, including remote access and an automatic transfer system, which automatically empties the victim's account and sends the contents to accounts belonging to the malware operator.

The researchers wrote:

The process of infecting Anatsa is as follows: At the start of the installation from Google Play, users will need to update the app to continue using it. At this moment, [the] Anatsa payload is downloaded from the C2 server and installed on the unsuspecting victim's device.

The actors behind it took care of the app to make it look legitimate and convenient. The app has a number of positive reviews. The number of installs and the presence of reviews can convince Android users to install the app. In addition, these apps do have the claimed features. After installation, they work fine and are even more convincing [to the] victim [of] their legitimacy.

Despite the overwhelming number of installations, not all devices with these droppers installed receive Anatsa. This is because the actors have endeavored to target only the areas of interest.

The other three malware families discovered by the researchers were Alien, Hydra, and Ermac. One of the droppers used to download and install the malicious payloads was known as Gymdrop. It used filter rules based on the model of the infected device to avoid targeting researchers' devices.

New training exercise

If all the conditions are met, the payload will be downloaded and installed, the post states. This dropper also does not request accessibility service permissions. It only requests permission to install packages, promising to install new workout exercises in order to lure the user into granting this permission. Once installed, the payload will be launched. Our threat intelligence shows that this dropper is currently being used to distribute [the] Alien banking Trojan.
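The two permission patterns the article turns on, accessibility-service access and the right to install packages, are both visible in an app's decoded AndroidManifest.xml, so a defender can triage a submitted or sideloaded APK for them before it ever runs. The script below is an example added to this article, not ThreatFabric's or Google's tooling; the permission strings are real Android permissions, while the three manifests and the risk descriptions are constructed for illustration.

```python
"""Triage decoded AndroidManifest.xml text for dropper-style permission indicators.

Example code added to this article; not ThreatFabric's or Google's tooling.
The sample manifests are constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = f"{{{ANDROID_NS}}}name"
ATTR_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Real Android permission strings; the descriptions are this example's own wording.
INDICATORS = {
    "android.permission.REQUEST_INSTALL_PACKAGES":
        "may install packages fetched outside Play (dropper 'update' pattern)",
    "android.permission.BIND_ACCESSIBILITY_SERVICE":
        "declares an accessibility service (keylogging / auto-grant pattern)",
    "android.permission.SYSTEM_ALERT_WINDOW":
        "may draw overlays on top of other apps (credential overlay pattern)",
}


def triage_manifest(xml_text: str) -> dict:
    """Return the package name and every matching indicator found in the manifest."""
    root = ET.fromstring(xml_text)
    findings = []
    # Top-level <uses-permission android:name="..."/> entries.
    for el in root.iter("uses-permission"):
        perm = el.get(ATTR_NAME)
        if perm in INDICATORS:
            findings.append((perm, INDICATORS[perm]))
    # Accessibility services are declared as <service android:permission="..."/>.
    for svc in root.iter("service"):
        perm = svc.get(ATTR_PERMISSION)
        if perm in INDICATORS:
            findings.append((perm, INDICATORS[perm]))
    return {"package": root.get("package"), "findings": findings,
            "suspicious": bool(findings)}


# Constructed sample: a benign QR scanner that only needs the camera.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.qrscanner">
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="QR Scanner">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>"""

# Constructed sample: a fitness app that asks to install packages, as the
# "new workout exercise" dropper described above does.
DROPPER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fitness">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="Fitness Trainer">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>"""

# Constructed sample: an app declaring an accessibility service.
A11Y_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.pdfscanner">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="PDF Scanner">
        <service android:name=".HelperService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    </application>
</manifest>"""


if __name__ == "__main__":
    for text in (BENIGN_MANIFEST, DROPPER_MANIFEST, A11Y_MANIFEST):
        result = triage_manifest(text)
        flag = "SUSPICIOUS" if result["suspicious"] else "clean"
        print(f"{result['package']}: {flag}")
        for perm, why in result["findings"]:
            print(f"  {perm}: {why}")
```

Treat a hit as a triage signal, not a verdict: file managers and alternative app stores legitimately request REQUEST_INSTALL_PACKAGES, and genuine assistive apps bind accessibility services. The article's real lesson is the inverse case: a dropper whose manifest looks as clean as the first sample, because the malicious behaviour arrives later in the "update" downloaded from the operator's server, so manifest checks need to be paired with monitoring of what an app fetches and installs after it is on the device.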

A Google spokeswoman asked for comment pointed to this post from April, detailing how the company detects malicious apps submitted to Play.

