In total, 4 different banking trojan malware disguised as cryptocurrency apps, QR code readers, PDF scanners, fitness monitors, etc. were identified on the Play Store.
Android smartphone users must beware of password-stealing Android banking trojan malware hidden in apps on Google Play Store, warns ThreatFabric’s cybersecurity researchers in their report titled “Deceive the Heavens to Cross the sea.”
According to the company’s analysis, the malware campaign impacted 300,000+ users and utilized malicious ad campaigns and phishing emails to lure victims into downloading the malicious apps.
4 Banking Trojans Hidden Inside Harmless Looking Apps
ThreatFabric researchers revealed that these trojans are disguised as cryptocurrency apps, QR code readers, PDF scanners, fitness monitors, etc. When researchers analyzed these apps, it was identified that the apps contained four different kinds of malware, the most dangerous being the Anatsa malware [Video].
It is worth noting that Anatsa is capable of stealing user credentials, passwords, and email addresses. Anatsa malware uses accessibility logging to record everything that appears on the user’s screen, and attackers use a keylogger to record all information a user entered into the device.
Another notorious malware Threatfabric researchers discovered was a banking trojan dubbed Alien. This malware can bypass the 2FA authentication mechanism. Additionally, Hydra and Ermac [Video] were the other malware families identified by ThreatFabric. And, researchers noted that one of the many droppers used to download/install malicious payloads was Gymdrop.
How Malware Invades Devices?
Researchers maintain that the campaign involves delivering a benign app, and once it gets installed, the malware operators send users messages to download updates and install additional app features. All the infected apps require updates to be downloaded from third-party sources.
However, since the user trusts the app, no suspicion arises. In fact, on VirusTotal, a majority of these apps had zero detections by malware checkers initially.
Furthermore, the apps use other mechanisms to infect the devices, such as operators manually installing malicious updates after identifying the geographic location of the infected Android device or incrementally updating the smartphone.
Over 300,000 Users Impacted
Reportedly, the malicious apps are equipped with advertising features to evade detection or suspicion about their real intention. All four malware can easily bypass Play Store’s detection mechanisms (Play Protect) and mainly target Android devices.
Moreover, the concerning aspect is that the apps collectively boast over 300,000 downloads by Android users. Researchers found that more than 200,000 Android users have installed the apps laced with Anatsa. 50,000 users downloaded a QR code scanning app, and its download page on Google Play Store showed overwhelmingly positive reviews. Alien malware apps boasted 95,000 downloads.
“Actors behind it took care of making their apps look legitimate and useful. There are large numbers of positive reviews for the apps. The number of installations and the presence of reviews may convince Android users to install the app. Moreover, these apps indeed possess the claimed functionality, after installation, they do operate normally and further convince victims in their legitimacy,” researchers added.
If you are an Android user avoid downloading unnecessary apps from Google Play Store or third-party marketplaces. Additionally, use reliable anti-malware software, scan your device regularly and keep the device’s operating system updated.