Android Banking Trojan Campaigns Infected Over 300,000 Users

ThreatFabric researchers have discovered a malware campaign that distributes Android trojans via the official Google Play Store. They found four distinct Android banking trojans that were distributed between August and November 2021 and infected more than 300,000 devices through multiple dropper apps.

The attack works like this: when the owner of a compromised device logs in to an online banking or cryptocurrency app, the credentials are stolen. A fake bank login form is overlaid on top of the legitimate app's login screen and captures the credentials. These credentials are then sent to the threat actors' server, where the actors sell them or use them to steal money from the victim's account.

“This policing by Google has forced actors to find ways to significantly reduce the footprint of dropper apps. Besides improved malware code efforts, Google Play distribution campaigns are also more refined than previous campaigns. For example, by introducing carefully planned small malicious code updates over a longer period in Google Play, as well as sporting a dropper C2 backend to fully match the theme of the dropper app (for example a working Fitness website for a workout focused app),” said researchers from ThreatFabric.

These changes in Google's policies have forced the threat actors to evolve toward realistic-looking apps such as PDF scanners, fitness apps and QR scanners. The threat actors had also created websites to get reviewed by Google. However, these apps were only seen distributed in specific regions.

“To make themselves even more difficult to detect, the actors behind these dropper apps only manually activate the installation of the banking trojan on an infected device in case they desire more victims in a specific region of the world. This makes automated detection a much harder strategy to adopt by any organization,” said the researchers.

The banking trojans named ‘Alien’, ‘Hydra’, ‘Ermac’, and ‘Anatsa’ were distributed through the following dropper apps:

  • Two Factor Authenticator (com.flowdivison)
  • Protection Guard (
  • QR CreatorScanner (com.ready.qrscanner.mix)
  • Master Scanner Live (com.multifuction.combine.qr)
  • QR Scanner 2021 (com.qr.code.generate)
  • QR Scanner (com.qr.barqr.scangen)
  • PDF Document Scanner – Scan to PDF (com.xaviermuches.docscannerpro2)
  • PDF Document Scanner Free (
  • CryptoTracker (
  • Gym and Fitness Trainer (com.gym.trainer.jeux)

“In the span of only 4 months, 4 large Android families were spread via Google Play, resulting in 300.000+ infections via multiple dropper apps. A noticeable trend in the new dropper campaigns is that actors are focusing on loaders with a reduced malicious footprint in Google Play, considerably increasing the difficulties in detecting them with automation and machine learning techniques.”

“The small malicious footprint is a result of the new Google Play restrictions (current and planned) to put limitations on the use of privacy concerning app permissions. Permissions such as Accessibility Service, which in previous campaigns was one of the core tactics abused to automate the installation process of Android banking trojans via dropper apps in Google Play,” concludes the report.

All the malicious apps have been removed by Google, and users are advised to remove them if they are installed on their Android device.
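
A check of a device's installed packages against the dropper list above, as an added example that is not part of the original article or the ThreatFabric report. It assumes the package list was collected with `adb shell pm list packages -f -i`; the sample output is constructed, and the three entries whose package names are cut off on the page are omitted.

```python
# Dropper package names exactly as listed in the article; entries whose
# package name is truncated on the page are left out.
DROPPER_PACKAGES = {
    "com.flowdivison": "Two Factor Authenticator",
    "com.ready.qrscanner.mix": "QR CreatorScanner",
    "com.multifuction.combine.qr": "Master Scanner Live",
    "com.qr.code.generate": "QR Scanner 2021",
    "com.qr.barqr.scangen": "QR Scanner",
    "com.xaviermuches.docscannerpro2": "PDF Document Scanner – Scan to PDF",
    "com.gym.trainer.jeux": "Gym and Fitness Trainer",
}

def parse_pm_line(line):
    """Return (package, installer) for one `pm list packages` line, or None."""
    line = line.strip()
    if not line.startswith("package:"):
        return None  # warnings and blank lines are skipped
    fields = line[len("package:"):].split()
    if not fields:
        return None
    # With -f the first field is "<apk path>=<package>"; the path itself can
    # contain "=", so only the text after the last "=" is the package name.
    package = fields[0].rsplit("=", 1)[-1]
    installer = None
    for field in fields[1:]:
        if field.startswith("installer="):  # column added by -i
            installer = field[len("installer="):]
    return package, installer

def find_droppers(pm_output):
    """Return (package, app name, installer) for every exact match."""
    hits = []
    for line in pm_output.splitlines():
        parsed = parse_pm_line(line)
        if parsed and parsed[0] in DROPPER_PACKAGES:
            package, installer = parsed
            hits.append((package, DROPPER_PACKAGES[package], installer))
    return hits

# Constructed sample output, not taken from a real device.
SAMPLE = """\
package:com.android.chrome  installer=com.android.vending
package:/data/app/~~Qx1==/com.qr.code.generate-9a==/base.apk=com.qr.code.generate  installer=com.android.vending
package:com.gym.trainer.jeux
package:com.qr.code.generator.legit  installer=com.android.vending
WARNING: linker message
"""

if __name__ == "__main__":
    for package, name, installer in find_droppers(SAMPLE):
        print(f"{package} ({name}) installer={installer or 'unknown'}")
```

Matching is on the exact package name, so an unrelated app whose name merely starts with a listed package (the fourth sample line) is not flagged.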

