Last Updated on 30/11/2021 by Sunaina
ThreatFabric researchers detected four separate Android banking trojans that propagated through the official Google Play Store between August and November 2021. Experts estimate that the malware infected over 300,000 devices via numerous dropper apps.
Threat actors are honing their techniques for circumventing Google's security checks on Play Store apps. To get past these checks, they introduce small, carefully planned malicious code changes over a longer period of time on Google Play. Another tactic is to create look-alike command-and-control (C2) websites that match the theme of the dropper app, so as to avoid detection by traditional approaches.
“To avoid detection, the actors behind these dropper programmes only manually initiate the installation of the banking trojan on an infected device if they want additional victims in a certain region of the world. This makes automatic detection a considerably more difficult method for any firm to implement,” reads the analysis published by ThreatFabric. “While VirusTotal does not display the progression of antivirus product detections over time, practically all campaigns have or have had a 0/62 FUD score on VirusTotal at some point in time, proving the difficulties of identifying dropper programmes with a low footprint.”
The droppers were used to distribute the Android banking trojans Anatsa, Alien, ERMAC and Hydra.
The following dropper apps were used to spread these banking trojans:
- Two Factor Authenticator (com.flowdivison)
- Protection Guard (com.protectionguard.app)
- QR CreatorScanner (com.ready.qrscanner.mix)
- Master Scanner Live (com.multifuction.combine.qr)
- QR Scanner 2021 (com.qr.code.generate)
- QR Scanner (com.qr.barqr.scangen)
- PDF Document (com.xaviermuches.docscannerpro2)
- Scanner – Scan to PDF
- PDF Document Scanner (com.docscanverifier.mobile)
- PDF Document Scanner Free (com.doscanner.mobile)
- CryptoTracker (cryptolistapp.app.com.cryptotracker)
- Gym and Fitness Trainer (com.gym.trainer.jeux)
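As an added example (not code from ThreatFabric or from this article), the check below takes the output of `adb shell pm list packages` from an Android device and reports any installed package whose name matches one of the dropper packages listed above. The sample `pm list packages` output embedded in the block is constructed for the example; the package-to-title mapping comes from the list in the article, and the "Scanner – Scan to PDF" entry is omitted because the article gives no package name for it.

```python
# Added example, not part of the ThreatFabric report or this article: match a
# device's installed package list against the dropper package names listed above.
# Input is the text produced by `adb shell pm list packages`, one "package:<name>"
# per line.

from __future__ import annotations

# Dropper package names and app titles as listed in the article. "Scanner - Scan to
# PDF" has no package name in the article, so it cannot be matched here.
DROPPER_PACKAGES: dict[str, str] = {
    "com.flowdivison": "Two Factor Authenticator",
    "com.protectionguard.app": "Protection Guard",
    "com.ready.qrscanner.mix": "QR CreatorScanner",
    "com.multifuction.combine.qr": "Master Scanner Live",
    "com.qr.code.generate": "QR Scanner 2021",
    "com.qr.barqr.scangen": "QR Scanner",
    "com.xaviermuches.docscannerpro2": "PDF Document",
    "com.docscanverifier.mobile": "PDF Document Scanner",
    "com.doscanner.mobile": "PDF Document Scanner Free",
    "cryptolistapp.app.com.cryptotracker": "CryptoTracker",
    "com.gym.trainer.jeux": "Gym and Fitness Trainer",
}


def parse_pm_list(output: str) -> list[str]:
    """Parse `pm list packages` output into a list of package names.

    Each package line looks like `package:com.example.app`. Blank lines and
    anything without the `package:` prefix (adb warnings, prompts) are ignored.
    """
    names: list[str] = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            names.append(line[len("package:"):].strip())
    return names


def find_known_droppers(installed: list[str]) -> list[tuple[str, str]]:
    """Return (package, app title) pairs for installed packages on the dropper list.

    Matching is on the exact package name and covers only the droppers named in
    the report, so an empty result does not show that the device is clean.
    """
    return [(pkg, DROPPER_PACKAGES[pkg]) for pkg in installed if pkg in DROPPER_PACKAGES]


# Constructed sample output for the example; not captured from a real device.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome
package:com.qr.barqr.scangen
package:com.example.notes
package:com.doscanner.mobile
"""


if __name__ == "__main__":
    hits = find_known_droppers(parse_pm_list(SAMPLE_PM_OUTPUT))
    for pkg, title in hits:
        print(f"known dropper package installed: {pkg} ({title})")
    if not hits:
        print("no listed dropper packages found")
```

To run it against a real device, save the output of `adb shell pm list packages` to a file and pass its contents to `parse_pm_list`. Because the droppers were removed from Google Play and the actors rotate app names and packages, a package-name match is a useful triage indicator for devices that installed these apps during the campaign window, not a general-purpose detector.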
Researchers at ThreatFabric discovered additional samples dropped by the Brunhilda threat actor, the same group that was found distributing the Vultur Trojan in July 2021. In one example, the researchers discovered Brunhilda masquerading as a QR code generator