Hackers are actively finding new ways to circumvent Google Play security filters and conduct significant banking trojan campaigns.
More Than 300,000 Banking Trojan Infections In 4 Months
Bypassing Google Play Store app restrictions, cybercrooks have compromised Android devices with more than 300,000 banking trojan installations over just the past four months.
ThreatFabric researchers explained that the threat actors have improved their ability to abuse Google Play to spread these malicious apps by shrinking the footprint of their dropper apps. As a result, they are able to reduce the number of permissions requested through the official app marketplace and raise the overall quality of the attack. They have also improved the code they use and built more convincing companion malicious websites.
Droppers function as first-stage implants and are designed to fetch and install other, final payloads, in this case banking trojans. The report also offers examples of the threat actors’ creativity when it comes to sneaking these trojans onto the Android app marketplace: one dropper was disguised as a fitness service, complete with a functioning back-end site to match.
“To make themselves even more difficult to detect, the actors behind these dropper apps only manually activate the installation of the banking trojan on an infected device in case they desire more victims in a specific region of the world,” the Threat Fabric researchers added. “This makes automated detection a much harder strategy to adopt by any organization.”
All banking trojan installs came from four malware families, according to the report: Anatsa (200,000+ installs), Alien (95,000+), and Hydra/Ermac (15,000+).
The report reveals that ThreatFabric first spotted the Anatsa threat actors using Google Play malware dropper apps in January. The Anatsa trojan has dangerous capabilities, including credential theft, keylogging and even screen recording. The Anatsa infections spread through fake QR code or PDF scanner apps and cryptocurrency apps.
“Anatsa is a rather advanced Android banking trojan with RAT and semi-ATS capabilities. It can also perform classic overlay attacks in order to steal credentials, accessibility logging (capturing everything shown on the user’s screen), and keylogging. Previously ThreatFabric reported cases when Anatsa was distributed side-by-side with Cabassous in smishing campaigns all over Europe. Our latest findings show that Anatsa now utilizes Google Play dropper apps.”
Once the bogus app is downloaded and installed from Google Play, the user is required to allow an update in order to use it. Unfortunately, the update is nothing other than the Anatsa malware.
“Actors behind it took care in making their apps look legitimate and useful,” the analysts said. “There are large numbers of positive reviews for the apps. The number of installations and presence of reviews may convince Android users to install the app. Moreover, these apps indeed possess the claimed functionality; after installation they do operate normally and further convince the victim of their legitimacy.”
Hydra, Ermac and Alien Infections
According to the report, these installs were linked to the Brunhilda threat group, which was spotted using a bogus QR code-scanning app to propagate both Hydra and Ermac malware families.
A dropper app called “GymDrop” used “exercise update” notifications to fool victims into downloading the Alien banking trojan.
“The Alien samples of this campaign connect to the same C2 as samples from the previously described campaign powered by the Brunhilda dropper,” the report said.
The report warned that hacking groups are constantly evolving and adapting to work around automated filters and defenses.
“There is only so much protection you can have when app stores are inherently reactive in detecting abusive apps,” John Bambenek, principal threat hunter at Netenrich, said. “The same benefits application developers have in choosing the Android ecosystem are the same benefits criminals are going to use.”
Source: ThreatFabric, “300.000+ infections via Droppers on Google Play Store”