Last Updated on 09/12/2021 by Nidhi Khandelwal
Malware peddlers have used malware droppers published on Google Play to distribute four Android banking trojan families since August 2021. They relied on a number of tactics to get around the app store's restrictions, avoid automated detection, and convince users that the apps they downloaded were safe and legitimate.
The malware droppers posed as PDF scanners, QR code scanners, cryptocurrency apps, self-training, authenticator, and security apps, according to researchers from fraud prevention firm ThreatFabric, and were collectively downloaded over 310,000 times.
The silver lining in this case is that not everyone who downloaded the droppers was eventually infected with a banking trojan: the malicious payload was delivered manually, and only to users in specific regions of interest to the operators.
Anatsa, Alien, Hydra, and Ermac are the names of the different banking trojan families distributed through these operations. Each of them is designed to attack a wide range of banking, cryptocurrency, mobile payment, and email apps.
The campaigns usually go something like this:
1. Malware peddlers smuggle droppers into Google Play under the guise of useful apps that genuinely work.
2. These apps send device information to a command and control server once they’ve been installed and run for the first time.
3. Some users may be asked to update the app in order to continue using it.
4. If they agree and ignore warnings that downloading content from a source other than Google Play is risky, the banking trojan is installed on the device and asks for a broader set of permissions, which allows it to steal credentials by capturing everything displayed on the user’s screen and logging keystrokes.
The criminals behind these operations have devised a number of techniques to prevent the droppers from being detected/blocked by Google Play and antivirus software, as well as the malicious payloads from falling into the hands of security researchers.