We have seen in the past how malware manages to infiltrate Google Play to a greater or lesser extent, both with Joker and other apps designed to steal bank credentials. Threat Fabric security researchers have revealed techniques used by malware-laden applications to infiltrate Google Play.
Analysts discovered a malware campaign by three different families, with some 300,000 downloads combined, aimed at stealing the credentials of specific banks, including several Spanish ones. The main method is the one we were able to test ourselves recently: the app downloads an update after installation, and that update is where the malicious code is located.
All is well on the surface
Google’s attempts to combat malware focus on two fronts: automated app analysis and limiting certain problematic permissions, such as accessibility. Cybercriminals have found a perfect way to overcome both: download seemingly harmless apps from Google Play.
The deception goes so far that the applications are more than just a facade. They are functional applications and come with descriptions, screenshots, and reviews that make you believe this is a legitimate app. While many of these reviews may be fake, the malicious update is not pushed to everyone, so some of them may well be real: for those users, the app simply does what it promises. In some cases, the apps even have a web page with information, to give them more credibility.
At this point, the application is “clean”, and a VirusTotal scan of its APK wouldn’t detect anything unusual about it. Neither the scans performed by Google during the review period nor those by Play Protect after installation on the device would find anything suspicious.
The applications are functional and clean in principle, but later they ask to download and install an update containing the malicious code
The malware comes later and selectively: its creators can deploy the malicious update only to certain users and/or in certain regions. Installing it requires the user to grant the app permission to install apps from an APK file, which is presented as necessary under various pretexts. For example, an exercise app claims that it is needed to download new routines.
Security analysts have detected variants of this technique in dozens of applications belonging to three malware families: Anatsa, Alien and Hydra/Ermac. The goal of all of them was the same: stealing bank credentials. Not from banking applications in general, but from specific ones, including several Spanish entities. The appendix to the report lists the banking applications whose credentials were targeted, and several Spanish banking applications are among them.
The malware is designed to steal the credentials of specific banking applications, including those of several Spanish banks
This update already contains the spying tools, chief among them the abuse of accessibility permissions, which it will keep requesting after installation. Google polices which apps abuse these permissions on Google Play, but there is no such control over what is installed from outside the store.
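The two signals described above (an app installed by another app rather than by the store, and that installed app exposing an accessibility service) can be checked from a device dump. The following triage script is an added example, not code from the report or the article; it assumes the `package:<name>  installer=<installer>` line format of `adb shell pm list packages -i`, and the permission and accessibility data are constructed samples standing in for what you would extract from `dumpsys`.

```python
import re
from dataclasses import dataclass, field

PLAY_STORE = "com.android.vending"
SIDELOAD_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"

# Constructed sample of `adb shell pm list packages -i` output (not a real device).
PM_LIST = """\
package:com.example.fitness  installer=com.android.vending
package:com.example.fitness.update  installer=com.example.fitness
package:com.example.notes  installer=null
"""
# Constructed: requested permissions per package, as listed under
# "requested permissions:" in `dumpsys package <pkg>` (extraction left to the reader).
REQUESTED = {
    "com.example.fitness": {SIDELOAD_PERM, "android.permission.INTERNET"},
    "com.example.fitness.update": {"android.permission.INTERNET"},
    "com.example.notes": {"android.permission.INTERNET"},
}
# Constructed: packages that register an accessibility service.
A11Y_SERVICES = {"com.example.fitness.update"}

@dataclass
class Finding:
    package: str
    installer: str
    reasons: list = field(default_factory=list)

def parse_pm_list(text):
    """Map package name -> installer from `pm list packages -i` lines."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^package:(\S+)\s+installer=(\S+)", text, re.M)}

def triage(pm_text, requested, a11y_services):
    """Flag packages matching the dropper pattern: a package installed by another
    app (not the store) that holds REQUEST_INSTALL_PACKAGES, where the installed
    package then registers an accessibility service."""
    findings = []
    for pkg, installer in parse_pm_list(pm_text).items():
        reasons = []
        if installer != PLAY_STORE:
            reasons.append(f"not installed by Play Store (installer={installer})")
        if SIDELOAD_PERM in requested.get(installer, ()):
            reasons.append("installed by an app that holds REQUEST_INSTALL_PACKAGES")
        if SIDELOAD_PERM in requested.get(pkg, ()):
            reasons.append("itself requests REQUEST_INSTALL_PACKAGES")
        if pkg in a11y_services:
            reasons.append("registers an accessibility service")
        if reasons:
            findings.append(Finding(pkg, installer, reasons))
    # Most reasons first, so the sideloaded "update" with accessibility tops the list.
    return sorted(findings, key=lambda f: len(f.reasons), reverse=True)

if __name__ == "__main__":
    for f in triage(PM_LIST, REQUESTED, A11Y_SERVICES):
        print(f.package, f.installer, "; ".join(f.reasons))
```

A package installed with `installer=null` is only a weak signal on its own (manual sideloads look the same); the combination with an installer app holding REQUEST_INSTALL_PACKAGES and an accessibility service is what matches the pattern in the report.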
According to the researchers’ estimates, the apps were downloaded around 300,000 times, and since detection is so difficult, it is foreseeable that there will be more and more infiltrations of Google Play. The best way to stay safe is to never accept suspicious downloads and updates that require permission to install apps.
Via | Ars Technica