Google Play apps downloaded 300,000 times stole bank credentials



A group of Android apps was downloaded from Google Play more than 300,000 times before they were discovered to be banking trojans that stole user passwords and two-factor authentication codes.

The apps distributed four separate Android malware families over four months. They used a number of tricks to circumvent restrictions Google has put in place, among them limits on the use of accessibility services, which are intended for sight-impaired users, so that apps cannot be installed automatically without user consent.

The footprint is small.

Researchers from ThreatFabric wrote in a post that the distribution campaigns were difficult to detect from an automation and machine-learning perspective because of their small footprint on the device. The small footprint is a consequence of the permission restrictions Google enforces.

The campaigns usually delivered a benign app first. Once it was installed, users were told to download an update that added features. Those updates had to be downloaded from third-party sources, but by then many users had come to trust the apps. Most of the apps had no detections by malware checkers.

The apps used other mechanisms to fly under the radar. In many cases the operators installed the malicious update manually, and only after checking the geographic location of the infected phone, or they delivered the update incrementally.


The ThreatFabric post explained that the attention the operators devoted to evading unwanted attention renders automated detection less reliable: "The low overall score of the 9 droppers we have investigated is confirmation of this consideration."

The Anatsa family is responsible for the largest number of infections. The banking trojan has a number of capabilities, including remote access and automatic transfer systems, which empty victims' accounts and send the contents to accounts belonging to the operators.

The researchers wrote:

> The process of infection with Anatsa looks like this: the user is forced to update the app in order to continue using it after installation. The Anatsa payload is downloaded from the C2 server and installed on the victim's device.
>
> The actors behind it made their apps look legit. There are many positive reviews for the apps. The number of reviews and installations may convince users to install the app. These apps operate normally and convince the victim of their legitimacy after installation.
>
> Despite the overwhelming number of installations, not every device that has these droppers installed will receive Anatsa, as the actors made efforts to target only regions of their interest.

The researchers also found the Alien, Hydra, and Ermac families. Gymdrop was one of the droppers used to download and install the malicious payloads. It used filters based on the device model to exclude certain devices from being targeted.


New workout exercises.

The post stated that if all conditions are met, the payload is downloaded and installed. The dropper does not request accessibility service privileges; it only requests permission to install packages, spiced with the promise of new workout exercises, to entice the user to grant it. Once installed, the payload is launched. The dropper is being used to distribute a banking trojan.
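As an added example (not from the article or from ThreatFabric), the following Python triage helper parses excerpts shaped like `adb shell dumpsys package` output and flags non-system apps that hold REQUEST_INSTALL_PACKAGES, the permission the dropper described above relied on instead of accessibility services. The dumpsys excerpt is constructed, and the exact line format is an assumption to adapt to the device's Android version.

```python
"""Flag sideloaded apps that can install further APKs.

Added example, not from the article. Parses text shaped like
`adb shell dumpsys package <pkg>` output. The sample below is
constructed; real dumpsys output varies by Android version.
"""
import re

INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"

# Constructed sample: three package dumps. The first reuses a package
# name from the article as illustration; the others are made up.
SAMPLE_DUMPSYS = """
Package [com.flowdivison] (1a2b3c):
  flags=[ HAS_CODE ALLOW_BACKUP ]
  install permissions:
    android.permission.REQUEST_INSTALL_PACKAGES: granted=true
Package [com.example.notes] (4d5e6f):
  flags=[ HAS_CODE ]
  install permissions:
    android.permission.INTERNET: granted=true
Package [com.android.settings] (7a8b9c):
  flags=[ SYSTEM HAS_CODE PRIVILEGED ]
  install permissions:
    android.permission.REQUEST_INSTALL_PACKAGES: granted=true
"""


def parse_dumpsys(text):
    """Return {package: {"system": bool, "granted": set(permissions)}}."""
    pkgs, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Package \[([\w.]+)\]", line)
        if m:  # a new package block starts
            current = pkgs.setdefault(m.group(1), {"system": False, "granted": set()})
            continue
        if current is None:
            continue
        s = line.strip()
        if s.startswith("flags=") and "SYSTEM" in s:
            current["system"] = True
        m = re.match(r"([\w.]+): granted=true", s)
        if m:
            current["granted"].add(m.group(1))
    return pkgs


def flag_side_installers(text):
    """Non-system packages holding the permission a dropper needs to install payloads."""
    pkgs = parse_dumpsys(text)
    return sorted(n for n, i in pkgs.items() if not i["system"] and INSTALL_PERM in i["granted"])


if __name__ == "__main__":
    for pkg in flag_side_installers(SAMPLE_DUMPSYS):
        print("review:", pkg)
```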

These are the 12 apps that participated in the fraud and were available for download on Play:

| App name | Package name | SHA-256 |
|---|---|---|
| Two Factor Authenticator | com.flowdivison | a3bd136f14cc38d6637020b2632bc35f21 |
| Protection Guard | protectionguard.app | d3dc4e22611ed20d700b6dd29ffdd |
| CreatorScanner | com.ready. | ed537f8686824595cb3ae45f0e659437b3ae 96c0a03203482d80a3e51dd915ab |
| Master Scanner Live | com.multifuction. | 7aa60 776bdf6f2b52ad62ffd2 |
| QR Scanner 2021 | code.generate. | 2db34aa26b1ca5b3619a0 |
| QR Scanner | com. | d4e9a95719e4b4748dba1338fdc5e4c7622b029 |
| PDF Document Scanner | com.docscannerpro2 | 2080061fe7f219fa0ed6e4c765a12a5 |
| PDF Document Reader | com.docscanverifier.mobile | 955d687a9dd3539b 971a6a777a8e5b4d65e1f320 92d5ae30991d4b |
| PDF Document Scanner Free | doscanner.mobile | 16c3123574523a3f1fb 24bbe6748e957afff21bef0e05cdb3b3e753b8f9d |
| Stock market tracker | cryptolistapp.app.com. | 1aafe8407e52dc4a 27ea800577d0eae3d389 |
| Gym and Fitness Trainer | com.gym.trainer. | 30ee6f4ea71958c2b8d3c98a734 |
| Gym and Fitness Trainer | com.gym.trainer. | b3c408eafe 73cad0bb |

A Google spokesman pointed to a post from April detailing the company's methods for detecting malicious apps submitted to Play.

Malicious apps have been a recurring problem for Google Play over the past decade. As was the case this time, Google is quick to remove fraudulent apps once it has been notified of them, but it has been unable to find thousands of apps that have made it into the bazaar and infected thousands or even millions of users.

It is not always easy to spot a scam. Reading user comments is not always helpful, since crooks often seed their submissions with fake reviews. Steering clear of obscure apps with small user bases can help, but that tactic would have been useless in this case. Users should also think carefully before downloading apps from third-party markets.

It's best to be very sparing in installing apps in general, and it is a good idea to uninstall an app if you haven't used it in a while.