More than 300,000 downloads by Android smartphone users have installed banking trojan malware hidden in apps available on the Google Play Store, according to cybersecurity researchers at ThreatFabric, whose analysis appears in their report titled “Trick the skies into crossing the sea.”
The researchers found that more than 200,000 Android users installed apps associated with Anatsa, 50,000 downloaded a QR code reader app whose Play Store download page had extremely positive reviews, and 95,000 downloaded alien malware apps. .
In total, the researchers detected four different banking trojans disguised as cryptocurrency apps, QR code readers, PDF scanners, fitness monitors, etc., all available on the Google webshop. Trojans steal passwords. According to the company’s analysis, hackers used malicious ad campaigns and phishing emails to entice victims to download malicious applications.
ThreatFabric researchers point out that Anatsa is able to steal user credentials, passwords and email addresses. The malware uses the accessibility log to record everything that appears on a user’s screen, and attackers use a keylogger to record all the information a user has entered on the device.
Another malware the researchers discovered was a banking Trojan dubbed the Alien. This malware is able to bypass the two-factor authentication mechanism (2FA). In addition to that, the ThreatFabric team detected Hydra and Ermac. The researchers also noticed that one of the many droppers used to download/install malicious payloads was Gymdrop.
The researchers say the campaign involves the delivery of a benign app, and once installed, malware operators send messages to users to download updates and install additional app features. All infected applications require updates to be downloaded from third party sources. As the user trusts the application, no suspicion arises. In fact, on VirusTotal, most of these applications didn’t get any detection by malware scanners initially.
In addition, the apps use other mechanisms to infect devices, such as operators who manually install malicious updates after identifying the geographical location of the infected Android device or incrementally update the smartphone.
Malicious applications are equipped with advertising features to avoid detection or suspicion about their real intent. All four malwares can easily bypass the Play Store’s detection mechanisms (Play Protect) and primarily target Android devices.
The operators behind these malware have taken it upon themselves to make their applications look legitimate and useful. There are a large number of positive reviews for the apps. The number of installs and the presence of comments can convince Android users to install them.