
Malicious Google Play app steals users’ banking information


The researchers said they discovered a range of apps that had been downloaded from Google Play more than 300,000 times before they were revealed to be stealthy banking trojans that stole user passwords and two-factor authentication codes, logged keystrokes, and took screenshots.

The apps, masquerading as QR scanners, PDF scanners and electronic money wallets, belong to four separate families of Android malware that were distributed over four months. They used several tricks to get around the restrictions Google devised in an attempt to curb the incessant distribution of fraudulent apps on its official marketplace. Those restrictions include limiting the use of accessibility services, intended for users with visual impairments, so that apps cannot be installed automatically without the user’s consent.

Small footprints

“What makes these Google Play distribution campaigns so hard to detect from an automation (sandbox) and machine learning perspective is that all the dropper apps have a very small malicious footprint,” researchers from mobile security company ThreatFabric wrote in a post. “This small footprint is a (direct) consequence of the permission restrictions enforced by Google Play.”

Instead, the campaigns typically deliver a benign app first. Once the app is installed, users receive a notification instructing them to download an update that installs additional features. The apps often ask to download the update from third-party sources, but by then many users trust them. Most of the apps are not initially detected by the malware scanners available on VirusTotal.

The apps also fly under the radar using other mechanisms. In many cases, malware operators install malicious updates only after manually checking the geographic location of infected phones, or they roll the updates out to phones incrementally.

“This incredible attention dedicated to evading unwanted attention makes automated malware detection less reliable,” the ThreatFabric post explains. “This consideration is confirmed by a very low overall VirusTotal score of the 9 droppers we investigated in this blog post.”

The malware family responsible for the largest number of infections is called Anatsa. This “fairly advanced Android banking trojan” offers a range of capabilities, including remote access and an automatic transfer system, which automatically empties victims’ accounts and sends the contents to accounts belonging to the malware operators.

The researchers wrote:

The Anatsa infection process looks like this: when initiating an installation from Google Play, the user is forced to update the app in order to continue using the app. In this moment, the Anatsa payload is downloaded from the C2 server(s) and installed on the unsuspecting victim’s device.

The people behind it took care to make their app look legit and useful. There are a large number of positive reviews for the app. The number of installs and the presence of reviews can convince Android users to install the app. Furthermore, these apps actually possess the requested functionality; after installation they work properly, further convincing [the] victim [of] their legitimacy.

Despite the sheer number of installs, not every device with these droppers installed will receive Anatsa, as the actors have gone out of their way to target only the areas of their interest.

The other three malware families found by the researchers are Alien, Hydra, and Ermac. One of the droppers used to download and install malicious payloads is called Gymdrop. It used filtering rules based on the model of the infected device to avoid targeting researchers’ devices.

New workouts

“If all conditions are met, the payload will be downloaded and installed,” the post states. “This dropper also does not require Accessibility Services privileges; it only asks for permission to install packages, with the promise of installing new workouts — to entice users to grant this permission. Once installed, the payload will be launched. Our threat intelligence indicates that currently, this dropper is used for distribution of [the] Alien banking Trojan.”

When asked for comment, a Google spokesperson pointed to this post from April detailing the company’s methods for detecting malicious apps submitted to Play.
