Beware, Android users! You need to be much more careful when downloading apps, even from a trusted and safe place like the Google Play Store.
Researchers at ThreatFabric found that more than 300,000 unsuspecting Android users have downloaded banking-trojan malware disguised as apps such as document scanners, QR scanners, fitness monitors and cryptocurrency trading platforms, which are designed to steal passwords, among other things.
What is even more surprising is that these apps were downloaded from none other than the Google Play Store itself. Despite the screening and restrictions built into the Google Play Store, the apps managed to bypass Google Play's security measures.
All of these dropper apps have an extremely small malicious footprint, which makes them very hard to detect. To look genuine and avoid suspicion, the apps appear just as benign as legitimate ones at first, and they advertise what they do in the most appealing way possible. Users fall prey to the attackers only after installing them: once a user installs one of these seemingly legitimate apps offering popular features such as QR-code scanning or health monitoring, the malware is delivered through an update to that app and so bypasses the security checks imposed by Google Play.
The most popular of the malware families is Anatsa, which has been downloaded by more than 200,000 Android users. Researchers describe it as an "advanced" banking trojan that is able to steal usernames and passwords: it uses accessibility logging to collect everything displayed on the user's screen, and a keylogger lets the attackers capture all input typed on the phone.
The Anatsa threat has been in operation since January but appears to have grown significantly since June. Researchers found six distinct malicious apps designed to distribute the malware, including apps disguised as QR-code or PDF scanners and cryptocurrency applications, all of which are able to deliver the malware.
One of these applications is a QR-code scanner used by more than 50,000 people, and its download page carries a large number of positive reviews, which can motivate users to install it. Users are also directed to the apps through fake emails or fraudulent ad campaigns.
After the initial download, users are prompted to update the app in order to keep using it; during this update the app connects to the command-and-control server and downloads the Anatsa payload to the device, giving the criminals the opportunity to steal banking information and other details.
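As an added illustration, not code from the article or from ThreatFabric, the following Python check triages an Android manifest for the two capabilities the dropper flow above relies on: the ability to install an "update" package outside the store, and an accessibility service of the kind Anatsa abuses to read the screen. The permission names are real Android identifiers; the sample manifests, the `triage_manifest` function and its scoring rule are constructed assumptions for this example.

```python
import xml.etree.ElementTree as ET

NS = "http://schemas.android.com/apk/res/android"
A_NAME, A_PERM = f"{{{NS}}}name", f"{{{NS}}}permission"
# Real Android identifiers; treating their combination as a dropper
# indicator is this example's own assumption, not the report's logic.
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml: str) -> dict:
    # Flag an app that can sideload an "update" itself and also binds an
    # accessibility service: both halves of the dropper-plus-payload flow.
    root = ET.fromstring(manifest_xml)
    perms = {e.get(A_NAME) for e in root.iter("uses-permission")}
    # A service guarded by BIND_ACCESSIBILITY_SERVICE receives screen content
    # and input events once the user is talked into enabling it.
    a11y = [s.get(A_NAME) for s in root.iter("service")
            if s.get(A_PERM) == A11Y_BIND]
    result = {
        "package": root.get("package"),
        "can_install_packages": INSTALL_PERM in perms,
        "accessibility_services": a11y,
        "overlay": OVERLAY_PERM in perms,
    }
    # A scanner or fitness app has no reason to install packages itself.
    if result["can_install_packages"] and a11y:
        result["verdict"] = "review: dropper + accessibility pattern"
    elif result["can_install_packages"] or a11y or result["overlay"]:
        result["verdict"] = "watch: single suspicious capability"
    else:
        result["verdict"] = "clean"
    return result


# Constructed sample manifests, not taken from any real app.
BENIGN_SCANNER = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.qrscanner">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application><activity android:name=".MainActivity"/></application>
</manifest>"""

DROPPER_SCANNER = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.qrscanner.pro">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application><service android:name=".UpdateHelper"
    android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/></application>
</manifest>"""
```

Running `triage_manifest` over both samples returns "clean" for the plain scanner and the review verdict for the one that combines package installation with an accessibility service; a store-side or MDM pipeline would apply the same check to a decoded APK's manifest.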
The second most popular of the malware families analyzed by ThreatFabric researchers is Alien, an Android banking trojan that also has the ability to take advantage of two-factor authentication and has been in operation for more than a year. It has received over 95,000 installs through malicious apps on the Play Store.
One of them is a fitness and gym training application with an accompanying website created to boost its legitimacy; a closer inspection of the site, however, reveals placeholder text all over it. The site also serves as the command-and-control center for the Alien malware.
As with Anatsa, the first download does not include the malware; users are instead required to download a fake version disguised as a bundle of fitness programs, which delivers the payload.
The two other malware families circulating with similar techniques in recent months are Hydra and Ermac, which together have more than 15,000 downloads. ThreatFabric has linked Hydra and Ermac to Brunhilda, a cybercriminal group known for attacking Android smartphones with banking malware. Both Hydra and Ermac give attackers the device access needed to reach banking data.
On the positive side, Google introduced several modifications to its in-app policy on November 13th, 2021 that limit the use of the Accessibility Service. The company expects the policy change to curtail the rate of exploitation by apps and provide a secure experience to all Android smartphone users.
Android has struggled with malware for some time, but in the era of smartphones and mobile internet the threat has become much more prominent, as a record number of users rely on apps for daily activities including banking. Last year, too, a group of hackers targeted banking apps on the Android platform to steal login credentials and leave devices open to compromise by other hackers.
While Apple has been constantly tightening its security policies and app screening processes, Android has remained the favorite playground of hackers despite the many new measures taken by Google. Its openness and fragmentation are the primary reasons for the growing number of malware problems faced by millions of smartphone users worldwide.