
Over 300,000 Android users downloaded banking trojan malware

Hackers evaded Google Play restrictions by using smaller droppers in apps and cutting the permissions they request

Hackers have managed to bypass Google Play app restrictions to chalk up over 300,000 banking trojan infections in just four months.

According to a blog post by security researchers at Threat Fabric, hackers have avoided detection by Google Play by using smaller droppers in apps, requesting fewer permissions from users, improving their code, and creating more convincing fake websites.

This small footprint has also made the droppers hard to detect with automated (sandbox) and machine learning analysis, according to Threat Fabric.

“This small footprint is a (direct) consequence of the permission restrictions enforced by Google Play,” they said.

Hackers have also begun rolling out small, carefully planned malicious code updates over a longer period on Google Play, and they give the dropper's C2 backend a theme that fully matches the dropper app. The researchers cited as an example a working fitness website for a workout-focused app.

“To make themselves even more difficult to detect, the actors behind these dropper apps only manually activate the installation of the banking trojan on an infected device in case they desire more victims in a specific region of the world. This makes automated detection a much harder strategy to adopt by any organization,” they said.

The 300,000 dropper installations came from just four types of malware: Anatsa (200,000+ installations), Alien (95,000+ installations) and Hydra/Ermac (15,000+ installations).


The largest, Anatsa, is an advanced Android banking trojan with RAT and semi-ATS capabilities. It carries out classic overlay attacks to steal credentials, accessibility logging (capturing everything shown on the user’s screen), and keylogging.
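The two app shapes the article describes, a slim dropper that asks for almost nothing beyond the ability to install a second-stage package, and a payload that needs overlay and accessibility access for credential theft and keylogging, can both be triaged from an app's manifest. The following Python is an added editor's example, not Threat Fabric's tooling or anything from the campaigns described: the permission names are real Android permissions, but the scoring heuristic, the `SMALL_FOOTPRINT` threshold and the three sample manifests (including their package names) are constructed for illustration.

```python
"""Manifest triage for the two app shapes described in the article.

Editor's example (not the researchers' code). Permission names are real
Android permissions; the heuristic, threshold and sample manifests are
constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PERMISSION = "{%s}permission" % ANDROID_NS

INSTALL_PERMISSION = "android.permission.REQUEST_INSTALL_PACKAGES"  # side-load second stage
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"       # overlay attacks
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"  # screen/key capture

# A dropper keeps its footprint small; treat this many permissions or fewer as "small".
# Constructed threshold, not a figure from the article.
SMALL_FOOTPRINT = 3


def parse_manifest(xml_text):
    """Extract the package name, declared uses-permissions, and whether an
    accessibility service is declared (a service bound with BIND_ACCESSIBILITY_SERVICE)."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME) for e in root.iter("uses-permission") if e.get(NAME)}
    has_a11y = any(s.get(PERMISSION) == ACCESSIBILITY_BIND for s in root.iter("service"))
    return {"package": root.get("package"), "permissions": perms,
            "accessibility_service": has_a11y}


def classify(profile):
    """Label a parsed manifest as dropper-like, payload-like or low-signal,
    and list the findings that drove the label."""
    perms = profile["permissions"]
    findings = []
    if INSTALL_PERMISSION in perms:
        findings.append("can install a second-stage package")
    if OVERLAY_PERMISSION in perms:
        findings.append("can draw overlays over other apps")
    if profile["accessibility_service"]:
        findings.append("declares an accessibility service")

    if INSTALL_PERMISSION in perms and len(perms) <= SMALL_FOOTPRINT:
        label = "dropper-like"       # small footprint plus install capability
    elif OVERLAY_PERMISSION in perms or profile["accessibility_service"]:
        label = "payload-like"       # overlay / accessibility capabilities
    else:
        label = "low-signal"
    return {"package": profile["package"], "label": label, "findings": findings}


# Constructed sample manifests (package names are placeholders).
DROPPER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.docscanner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
</manifest>"""

PAYLOAD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.secondstage">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".CaptureService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.camera">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""


def triage(manifests):
    """Classify each manifest in turn."""
    return [classify(parse_manifest(m)) for m in manifests]


if __name__ == "__main__":
    for result in triage([DROPPER_MANIFEST, PAYLOAD_MANIFEST, BENIGN_MANIFEST]):
        print(result["package"], result["label"], result["findings"])
```

The dropper case is the important one for the article's point: a manifest with only INTERNET and REQUEST_INSTALL_PACKAGES looks harmless to a permission-count filter, which is exactly why the small footprint helps the apps pass review, so the install capability has to be weighted on its own rather than as one of many permissions. Real analysis would run this over the binary manifest pulled from an APK and pair it with the app's update history, since the article notes the malicious code arrives in later updates.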

Researchers discovered the first dropper in June 2021 masquerading as an app for scanning documents. In total, researchers found six Anatsa droppers published in Google Play since June 2021.

A hacking group called Brunhilda dropped malware from established families, like Hydra, as well as novel ones, like Ermac. The dropper posed as a QR code creator app. Both families have been very active in recent months, according to researchers, and have recently started appearing in the US.

The Alien campaign was also run by the Brunhilda group. This used a fake fitness app to spread.

“This dropper, which we dubbed ‘Gymdrop’, is another example of how cybercriminals try to convince victims and detection systems that their app is legitimate. The app website is designed to look legitimate at first glance. However, it is only a template for a gym website with no useful information on it, even still containing ‘Lorem Ipsum’ placeholder text in its pages,” said researchers.

Researchers said the effort these hackers put into evading unwanted attention makes automated malware detection less reliable.
