Despite tight app restrictions from the tech giant, hackers have managed to gain more than 300,000 banking trojan installations on Google Play in just 4 months.
Researchers from Threat Fabric have been closely studying the installations and noted that several different threat actors have honed their ability to use Google Play to propagate banking trojans by shrinking the footprint of their dropper apps, reducing the number of permissions they ask for, boosting the overall quality of the attack with better code, and standing up convincing companion websites.
Generally, droppers are apps that act as the initial stage of infection. The task of a dropper is to fetch the final payloads for deployment onto the device – in this case, banking trojans. The report pointed out several savvy droppers used to deploy banking trojans. In one such case, researchers found a dropper app disguised as a fitness service with an actual functioning back-end site to match.
“To make themselves even more difficult to detect, the actors behind these dropper apps only manually activate the installation of the banking trojan on an infected device in case they desire more victims in a specific region of the world,” the Threat Fabric researchers added. “This makes automated detection a much harder strategy to adopt by any organization.”
All 300,000 banking-trojan dropper installations came from four malware families, according to the report: Anatsa (200,000+ installs), Alien (95,000+) and Hydra/Ermac (15,000+).
Anatsa hackers were first observed using Google Play to deploy malware as far back as January 2021. The Anatsa banking trojan is one of the most fully featured. The malware can perform credential theft, keylogging and even capture what’s shown on a user’s screen.
The analysts found six separate droppers in Google Play that lead to Anatsa infections, including QR code scanners, PDF scanners and cryptocurrency apps, collectively reaching more than 100,000 installations, they reported.
Once the dropper app is installed, the user is prompted to update. Doing this deploys the Anatsa banking trojan.
“Actors behind it took care in making their apps look legitimate and useful,” the analysts said. “There are large numbers of positive reviews for the apps. The number of installations and the presence of reviews may convince Android users to install the app. Moreover, these apps indeed possess the claimed functionality; after installation, they do operate normally and further convince victims of their legitimacy.”
Threat group Brunhilda was observed using a fake QR-code app to distribute both Hydra and Ermac malware families, the report added.
And, a dropper app called “GymDrop” used “exercise update” messages to trick victims into downloading the Alien banking trojan.
“The Alien samples of this campaign connect to the same C2 as samples from previously described campaign powered by Brunhilda dropper,” the report said.
As these groups evolve, they’ve been able to develop an effective workaround for automated and machine-learning detection, the report explained.
As Google Play continues to be reactive in its approach to weeding out these malicious actors, there’s a limit to the amount of protection that can be provided to users, John Bambenek, principal threat hunter at Netenrich, told Threatpost.
“There is only so much protection you can have when app stores are inherently reactive in detecting abusive apps,” Bambenek said. “The same benefits application developers have in choosing the Android ecosystem are the same benefits criminals are going to use.”
Protection Against Banking Trojans
There are several tools internet users should use to increase their online protection. One of these tools is SaferNet.
SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always-on, military-grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.
Typically, a business or family would need 3 separate services for a VPN, malware protection, and internet controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employees’ or family members’ devices, including activity, time spent online, and threats blocked.