Android Banking Malware harms 300,000 users of Google Play

Malware campaigns distributing Android malware that steals online banking passwords have affected around 300,000 devices through malicious applications published on Google’s Play Store. The Android banking Trojans delivered to the compromised devices attempt to steal users’ credentials when they log in to an online banking or cryptocurrency application.

Credential theft is usually done by displaying fake bank login overlays on top of the legitimate application’s login screen. The stolen passwords are then sent back to the threat actors’ servers, where they are collected to be sold to other attackers or used to steal cryptocurrency and money from victims’ accounts.

Evolving Techniques to Avoid Detection

In a new report by Xiarch Solutions, the security researchers explain how they found four different malware dropper campaigns distributing banking malware on the Google Play Store. While attackers infiltrating the Google Play Store with Android banking Trojans is nothing new, recent changes to Google’s policies and enhanced policing have forced the attackers to evolve their techniques to avoid detection.

This evolution includes creating small, realistic-looking apps built around common themes such as fitness, cryptocurrency, QR codes, and PDF scanning to trick users into installing them. Then, to add further legitimacy to the apps, the threat actors create websites that fit the theme of the app to help pass Google’s reviews.

Furthermore, Xiarch has seen these apps being distributed only to specific regions, or only at later dates, to further evade detection by Google and antivirus vendors. “This policing by Google has forced actors to find ways to significantly reduce the footprint of dropper apps. Besides improved malware code efforts, Google Play distribution campaigns are also more refined than previous campaigns,” Xiarch researchers explain in their new report.

“For example, by introducing carefully planned small malicious code updates over a longer period in Google Play, as well as sporting a dropper C2 backend to fully match the theme of the dropper app (for example a working Fitness website for a workout focused app).”

Once installed, however, these “dropper” apps silently communicate with the threat actor’s server to receive commands. When the threat actor is ready to distribute the banking Trojan, the server tells the installed app to perform a fake “update” that “drops” and launches the malware on the Android device.

Around 16 Applications Affected 300,000 Devices

Since July 2021, Xiarch has seen these fake applications dropping four different banking Trojans, named ‘Alien’, ‘Hydra’, ‘Ermac’, and ‘Anatsa’, through sixteen different applications.

The “dropper” apps known to have been used in these malware distribution campaigns are:

  • Two Factor Authenticator
  • Protection Guard
  • QR CreatorScanner
  • Master Scanner
  • QR Scanner 2021
  • QR Scanner
  • PDF Document Scanner – Scan to PDF
  • PDF Document Scanner
  • PDF Document Scanner Free
  • CryptoTracker
  • Gym and Fitness Trainer

Other malicious apps seen installed by the above droppers, with their associated banking Trojans, are:

  • Master Scanner Live (Alien trojan)
  • Gym and Fitness Trainer (Alien trojan)
  • PDF AI: TEXT RECOGNIZER (Anatsa trojan)
  • QR CreatorScanner (Hydra trojan)
  • QR CreatorScanner (Ermac trojan)

During these four months of malicious activity, Xiarch Solutions found that the droppers were installed 300,000 times, with some individual droppers installed over 50,000 times. The number of banks, money transfer apps, cryptocurrency exchanges, cryptocurrency wallets, and mail services targeted is striking: approximately 537 online sites and mobile apps were targeted for credential theft.

The targeted organizations include Gmail, Chase, Citibank, HSBC, Coinbase, Kraken, Binance, KuCoin, CashApp, Zelle, TrustWallet, MetaMask, and more. Google has since removed all of these malicious apps from the Play Store.

If you have installed any of the above apps, you should immediately remove them from your Android device. Moreover, because of the evolving techniques used by Android malware developers, users must pay closer attention to the permissions an app requests, and decline the install if they seem overly broad.
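The permission-review advice above can be turned into a simple triage step for an already-installed device. The script below is an added example written for this article; it is not code from Xiarch Solutions or from any of the campaigns described. It parses text in the shape of `adb shell dumpsys package` output and flags packages that request the permissions behind the two behaviours the article describes: drawing overlays on top of other apps (SYSTEM_ALERT_WINDOW, used for fake login screens) and installing further packages (REQUEST_INSTALL_PACKAGES, the "dropper" step), plus the accessibility-service binding commonly abused by this class of malware. The sample dump and the package names in it are constructed, and the choice of which permissions to weight as risky is this example's own assumption, not a list from the report.

```python
"""Triage helper: flag installed Android packages whose requested permissions
match the capabilities described in the article (overlays over other apps'
login screens, installing further APKs, accessibility-service binding).

Added example, not part of the original article. It parses text shaped like
`adb shell dumpsys package` output; the sample below is constructed and the
package names are invented.
"""
import re

# Permission -> capability. The permission semantics are standard Android;
# treating exactly these three as "risky" is an assumption of this example.
RISKY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw overlays on top of other apps (fake login screens)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install further APKs (dropper behaviour)",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service (can observe and act on other apps' UI)",
}

# Constructed sample in the shape of `dumpsys package` output (two packages).
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.qrscanner] (1a2b3c):
    userId=10123
    requested permissions:
      android.permission.INTERNET
      android.permission.CAMERA
      android.permission.REQUEST_INSTALL_PACKAGES
      android.permission.SYSTEM_ALERT_WINDOW
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.notes] (4d5e6f):
    userId=10124
    requested permissions:
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
"""

PACKAGE_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
SECTION_RE = re.compile(r"^\s*([a-z ]+ permissions):\s*$")
PERM_RE = re.compile(r"^\s*([A-Za-z0-9_.]+)(?::|\s|$)")


def parse_requested_permissions(dump):
    """Return {package_name: set(requested permission names)} from dumpsys-style text."""
    result = {}
    current_pkg = None
    in_requested = False
    for line in dump.splitlines():
        m = PACKAGE_RE.match(line)
        if m:
            current_pkg = m.group(1)
            result[current_pkg] = set()
            in_requested = False
            continue
        m = SECTION_RE.match(line)
        if m:
            # Only the "requested permissions" block lists what the app asks for.
            in_requested = m.group(1) == "requested permissions"
            continue
        if in_requested and current_pkg:
            m = PERM_RE.match(line)
            if m and m.group(1).startswith("android.permission."):
                result[current_pkg].add(m.group(1))
    return result


def flag_risky(permissions_by_pkg):
    """Return {package: [(permission, reason), ...]} for packages holding a risky permission."""
    findings = {}
    for pkg, perms in permissions_by_pkg.items():
        hits = [(p, RISKY_PERMISSIONS[p]) for p in sorted(perms) if p in RISKY_PERMISSIONS]
        if hits:
            findings[pkg] = hits
    return findings


def triage(dump):
    """Parse a dump and return only the packages worth a closer look."""
    return flag_risky(parse_requested_permissions(dump))


if __name__ == "__main__":
    for pkg, hits in triage(SAMPLE_DUMPSYS).items():
        print(pkg)
        for perm, reason in hits:
            print(f"  {perm}: {reason}")
```

On a real device the input would come from `adb shell dumpsys package` captured to a file; the script reads the text only, so it never needs to touch the device itself. A hit is a prompt to look closer, not a verdict: screen readers, launchers and some legitimate utilities request the same permissions, so compare each flagged package against what the app is supposed to do, as the article advises.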
