IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Over 300,000 Android users downloaded banking trojan malware

Hackers defeated Google Play restrictions by using smaller droppers in apps and eliminating permissions needed

Hackers have managed to bypass Google Play app restrictions to chalk up over 300,000 banking trojan infections in just four months.

According to a blog post by security researchers at Threat Fabric, hackers have avoided being detected by Google Play by using smaller droppers in apps, reducing the number of permissions being asked of users and improving code as well as creating more convincing fake websites.

This has also made them difficult to detect from an automation (sandbox) and machine learning perspective, according to Threat Fabric.

“This small footprint is a (direct) consequence of the permission restrictions enforced by Google Play,” they said.

Hackers have also started carefully planned small malicious code updates over a longer period in Google Play, as well as sporting a dropper C2 backend to fully match the theme of the dropper app. The researchers cited an example here of a working fitness website for a workout-focused app.

“To make themselves even more difficult to detect, the actors behind these dropper apps only manually activate the installation of the banking trojan on an infected device in case they desire more victims in a specific region of the world. This makes automated detection a much harder strategy to adopt by any organization,” they said.

The 300,000 dropper installations came from just four types of malware. Anatsa (200,000+ installations); Alien (95,000+ installations) and Hydra/Ermac (15,000+ installations).

Related Resource

The state of brand protection 2021

A new front opens up in the war for brand safety

A log-in screen with a red background - whitepaper from MimecastFree download

The largest, Anatsa, is an advanced Android banking trojan with RAT and semi-ATS capabilities. It carries out classic overlay attacks to steal credentials, accessibility logging (capturing everything shown on the user’s screen), and keylogging.

Researchers discovered the first dropper in June 2021 masquerading as an app for scanning documents. In total, researchers found six Anatsa droppers published in Google Play since June 2021.

A hacking group called Brunhilda dropped malware from established families, like Hydra, as well as novel ones, like Ermac. This posed as a QR code creator app. Both families have been very active in the last months according to researchers and have recently started appearing in the US.

The Alien campaign was also run by the Brunhilda group. This used a fake fitness app to spread.

“This dropper, that we dubbed “Gymdrop”, is another example of how cybercriminals try to convince victims and detection systems that their app is legitimate. The app website is designed to look legitimate at first glance. However, it is only a template for a gym website with no useful information on it, even still containing ‘Lorem Ipsum’ placeholder text in its pages,” said researchers.

Researchers said the attention dedicated by these hackers to evading unwanted attention renders automated malware detection less reliable.

Featured Resources

IT best practices for accelerating the journey to carbon neutrality

Considerations and pragmatic solutions for IT executives driving sustainable IT

Free Download

The Total Economic Impact™ of IBM Spectrum Virtualize

Cost savings and business benefits enabled by storage built with IBMSpectrum Virtualize

Free download

Using application migration and modernisation to supercharge business agility and resiliency

Modernisation can propel your digital transformation to the next generation

Free Download

The strategic CFO

Why finance transformation propels business value

Free Download

Most Popular

HMRC lost nearly 50% more devices in 2022
Hardware

HMRC lost nearly 50% more devices in 2022

17 Mar 2023
The big PSTN switch off: What’s happening between now and 2025?
Sponsored

The big PSTN switch off: What’s happening between now and 2025?

13 Mar 2023
Outlook zero day patch causes headaches for Windows admins
Security

Outlook zero day patch causes headaches for Windows admins

15 Mar 2023