Date: 2021-12-25



An Android banking Trojan targeting Itaú Unibanco, Brazil’s leading financial services provider with 55 million customers worldwide, uses a rare trick to spread to devices.

The actors set up a page that closely resembles Android’s official Google Play app store to trick visitors into thinking they are installing the app from a trusted service.

[Figure: Fake Play Store page that drops malicious APK. Source: Cyble]

The malware disguises itself as Itaú Unibanco’s official banking app and has the same icons as the legitimate app.

When the user clicks the "Install" button, they are offered an APK to download, which is the first sign of fraud. Google Play Store apps are installed through the store interface and do not require users to manually download and install the program.

[Figure: APK info. Source: Cyble]

Hijacking the real app

Cyble researchers analyzed the malware and found that it tries to open the actual Itaú app from the actual Play Store at runtime.

If successful, it uses the actual app to execute a malicious transaction by modifying the user’s input fields.

[Figure: Modifying user input fields to execute a transaction. Source: Cyble]

The app does not request dangerous permissions during installation, which avoids raising suspicion or risking detection by AV tools.

Instead, it aims to take advantage of the Accessibility Service, which is all that mobile malware needs to bypass all the security of Android systems.

As described in a recent report by Security Research Labs, we are currently dealing with an accessibility abuse pandemic in Android malware, and Google has not yet fixed the targeted weakness.

As a result, only the user can detect signs of abuse and stop the malware before it performs destructive actions on the device.

[Figure: Malware requesting permission to perform actions. Source: Cyble]

These signs come in the form of the app requesting permission to perform gestures, retrieve window content, and monitor user actions.

The website used to distribute the malicious APK was reported and is currently offline, but an attacker could return via another domain.

Use the actual banking app

If you want to enjoy the convenience of mobile electronic banking, please install the app from the official website of the bank or the Google Play store.

In addition, apply updates to the app as soon as they become available and use an AV tool from a reputable vendor.

To maximize the security of your account, use a strong password and enable multi-factor authentication in your app.

If you need to install an APK from outside the store, carefully scrutinize the APK’s permission requests during and after the installation.

Finally, regularly check that Google Play Protect is enabled on your Android device.

Sources 1/ https://Google.com/ 2/ https://www.bleepingcomputer.com/news/security/android-banking-trojan-spreads-via-fake-google-play-store-page/

