Malicious apps on Google Play stole users' banking information


Researchers say they have uncovered a batch of apps that were downloaded from Google Play more than 300,000 times before they revealed themselves to be banking Trojans that covertly harvest user passwords and two-factor authentication codes, log keystrokes, and take screenshots.

The apps, posing as QR scanners, PDF scanners and cryptocurrency wallets, belonged to four separate families of Android malware that had been circulating over the past four months. They used several tricks to get around restrictions Google has introduced in an attempt to curb the relentless spread of fraudulent apps in its official market. Among those restrictions is a limit on the use of accessibility services (intended for visually impaired users), which prevents an app from installing other apps automatically without the user's consent.

A small footprint

“What makes these Google Play distribution campaigns very difficult to detect in terms of automation (sandboxing) and machine learning is that all the dropper apps have a very small malicious footprint,” researchers from mobile security company ThreatFabric wrote in a post. “This small footprint is a (direct) consequence of the permission restrictions imposed by Google Play.”

Rather than shipping the malware outright, the campaigns typically delivered a benign app first. Once it was installed, users received messages urging them to download updates that would add features. Those updates often had to be fetched from third-party sources rather than from Play, but by then many users had come to trust the app. Most of the apps initially had zero detections on VirusTotal.

The apps stayed under the radar in other ways as well. In many cases, the operators pushed the malicious update manually, only after checking the geographic location of the infected phone, or rolled it out to phones incrementally rather than all at once.

“This incredible attention to avoiding unwanted attention makes automated malware detection less reliable,” the ThreatFabric post explains. “This consideration is confirmed by the very low overall VirusTotal score of the 9 droppers we examined in this blog post.”

The malware family responsible for the largest number of infections is known as Anatsa. This “sophisticated Android banking Trojan” offers a range of features, including remote access and automatic transfer systems that drain victims' accounts on their own and send the contents to accounts belonging to the malware operators.

The researchers wrote:

The process of getting infected with Anatsa looks like this: when starting the installation from Google Play, the user is forced to update the application to continue using it. At this moment, [the] Anatsa payload is downloaded from the C2 server(s) and installed on the device of the unsuspecting victim.

The actors behind it made their applications look legitimate and useful. There are a large number of positive reviews for the applications. The number of installations and the reviews can convince Android users to install the application. In addition, these applications do have the claimed functionality; after installation they work normally and further convince [the] victim [of] their legitimacy.

Despite the huge number of installations, not every device on which these droppers are installed will receive Anatsa, as the actors made an effort to target only the regions that interest them.

The three other malware families the researchers found are Alien, Hydra and Ermac. One of the droppers used to download and install the malicious payloads is known as Gymdrop. It applies filtering rules based on the model of the infected device so that it avoids installing the payload on researchers' devices.

New workout exercises

“If all conditions are met, the payload will be downloaded and installed,” the post said. “This dropper also doesn't require Accessibility Service privileges; it simply requests permission to install packages, under the guise of installing new workout exercises, to entice the user to grant that permission. Once installed, the payload starts. Our threat intelligence shows that this dropper is currently being used to distribute [the] Alien banking Trojan.”
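The pattern the researchers describe across these passages (a benign first install, an "update" pulled from outside Play, a request to install packages with no accessibility service anywhere in the app) is visible in an app's manifest before any payload ever arrives. The script below is an added example, not ThreatFabric's or Google's code: it reads a decoded AndroidManifest.xml of the kind apktool produces and flags that low-footprint dropper profile. The two manifests embedded in it are constructed for illustration, the package names and labels are hypothetical, and the list of "cover story" app types is an assumption drawn from the categories named in this article.

```python
"""Manifest triage for the low-footprint dropper profile described above.

Added example, not ThreatFabric's or Google's code.  It reads a decoded
AndroidManifest.xml (the form apktool emits) and flags an app that can
fetch and install a package but shows none of the accessibility-service
footprint that Play's automated review is built to catch.  The two
manifests at the bottom are constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"
A_LABEL = f"{{{ANDROID_NS}}}label"

INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"
INTERNET_PERM = "android.permission.INTERNET"
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Cover stories named in the article.  Assumption: none of these app types
# has a legitimate need to install other packages.
COVER_STORY_WORDS = ("qr", "scanner", "pdf", "wallet", "workout", "fitness")


def triage_manifest(xml_text):
    """Return the findings for one manifest, with a boolean 'flagged' verdict."""
    root = ET.fromstring(xml_text)
    perms = {p.get(A_NAME) for p in root.findall("uses-permission")}
    app = root.find("application")
    label = (app.get(A_LABEL) or "") if app is not None else ""
    services = app.findall("service") if app is not None else []
    has_a11y = any(s.get(A_PERMISSION) == ACCESSIBILITY_PERM for s in services)
    cover_story = any(w in label.lower() for w in COVER_STORY_WORDS)

    findings = {
        "package": root.get("package"),
        "label": label,
        "requests_install_packages": INSTALL_PERM in perms,
        "has_internet": INTERNET_PERM in perms,
        "declares_accessibility_service": has_a11y,
        "cover_story_category": cover_story,
        "permission_count": len(perms),
    }
    # The dropper signature: network access plus the ability to install a
    # package (on Android 8+ the user must enable 'install unknown apps' for
    # this app, which is the prompt the workout story dresses up), no
    # accessibility service, and an advertised purpose that needs neither.
    findings["flagged"] = (
        findings["requests_install_packages"]
        and findings["has_internet"]
        and not has_a11y
        and cover_story
    )
    return findings


# Constructed sample 1: a 'workout' app that asks to install packages.
DROPPER_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fitplan">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="FitPlan Workout Trainer">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

# Constructed sample 2: a QR scanner with only the permissions its job needs.
BENIGN_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.qrreader">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="QR Scanner Lite">
    <activity android:name=".ScanActivity"/>
  </application>
</manifest>
"""


if __name__ == "__main__":
    for manifest in (DROPPER_MANIFEST, BENIGN_MANIFEST):
        f = triage_manifest(manifest)
        verdict = "REVIEW: sideload-dropper profile" if f["flagged"] else "ok"
        print(f"{f['package']:<24} {f['label']:<24} {verdict}")
```

The check is deliberately narrow: it is the permission set, not the behaviour, that survives Play's restrictions, and that is exactly why the researchers say the droppers look small in a sandbox. A real review would pair this with the runtime signals the article mentions (an update URL outside Play, and gating on device model or geolocation), which a manifest alone cannot show.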

Asked for comment, a Google spokesperson pointed to an April post that detailed the company's methods for detecting malicious apps submitted to Play.
