Android users downloaded Trojan malware apps that steal banking info

  • Cybersecurity researchers at ThreatFabric discovered four Android banking trojans that were spread through the official Google Play store between August and November 2021. 
  • The malware infected more than 300,000 devices through multiple droppers. 
  • Google Play store restrictions were bypassed by keeping the dropper app’s footprint minimal.

Researchers from ThreatFabric discovered four Android banking trojans that were downloaded from Google Play more than 300,000 times.

Threat actors are refining their techniques to bypass security checks implemented by Google for its Play Store.

A trick to bypass the checks involves introducing carefully planned small malicious code updates over a longer period in Google Play. Another technique used by the threat actors involves designing look-alike command-and-control (C2) websites that match the theme of the dropper app to slip past conventional detection methods.

“To make themselves even more difficult to detect, the actors behind these dropper apps only manually activate the installation of the banking trojan on an infected device in case they desire more victims in a specific region of the world. This makes automated detection a much harder strategy to adopt by any organization,” reads the analysis published by the experts. 

“VirusTotal does not showcase the evolution of detections of antivirus products over time, but almost all campaigns have or had a 0/62 FUD score on VirusTotal at some point in time, confirming the difficulty of detecting dropper apps with a minimal footprint.”

The droppers were designed to distribute four Android banking trojans: Anatsa, Alien, ERMAC, and Hydra.

Below is the list of dropper apps used to distribute the above banking trojans:

  • Two Factor Authenticator 
  • Protection Guard 
  • QR CreatorScanner 
  • Master Scanner Live 
  • QR Scanner 2021 
  • QR Scanner 
  • PDF Document 
  • Scanner – Scan to PDF
  • PDF Document Scanner 
  • PDF Document Scanner Free 
  • CryptoTracker 
  • Gym and Fitness Trainer 

Anatsa has been installed by over 200,000 Android users and is the most prolific of the four malware families. It is an advanced banking trojan that can steal usernames and passwords and uses accessibility logging to capture everything shown on the user’s screen. At the same time, a keylogger allows attackers to record all information entered into the phone.

Researchers were able to identify six different malicious apps designed to deliver the malware, posing as QR code scanners, PDF scanners and cryptocurrency apps.

The QR code scanner app alone has been installed by 50,000 users, and its download page features a large number of positive reviews.

Alien is an Android banking trojan with two-factor authentication stealing capabilities. The malware has received 95,000 installations via malicious apps in the Play Store.

After the initial download, users are forced to update the app to continue using it. It is this update that connects to a command-and-control server and downloads the Anatsa payload onto the device, providing attackers with the means to steal banking details and other information.

ThreatFabric has linked Hydra and ERMAC to Brunhilda, a cybercriminal group that targets Android devices with banking malware. Both Hydra and ERMAC provide attackers with the device access required to steal banking information.


The post Android users downloaded Trojan malware apps that steal banking info appeared first on SecureReading.
