TagsAndroid, Cryptocurrency, Google, Malware, Play Store, security, TROJAN
Super secure VPN
Minimal data logging
Android smartphone users must beware of password-stealing Android banking trojan malware hidden in apps on Google Play Store, warns ThreatFabric’s cybersecurity researchers in their report titled “Deceive the Heavens to Cross the sea.”
According to the company’s analysis, the malware campaign impacted 300,000+ users and utilized malicious ad campaigns and phishing emails to lure victims into downloading the malicious apps.
ThreatFabric researchers revealed that these trojans are disguised as cryptocurrency apps, QR code readers, PDF scanners, fitness monitors, etc. When researchers analyzed these apps, it was identified that the apps contained four different kinds of malware, the most dangerous being the Anatsa malware [Video].
It is worth noting that Anatsa is capable of stealing user credentials, passwords, and email addresses. Anatsa malware uses accessibility logging to record everything that appears on the user’s screen, and attackers use a keylogger to record all information a user entered into the device.
Another notorious malware Threatfabric researchers discovered was a banking trojan dubbed Alien. This malware can bypass the 2FA authentication mechanism. Additionally, Hydra and Ermac [Video] were the other malware families identified by ThreatFabric. And, researchers noted that one of the many droppers used to download/install malicious payloads was Gymdrop.
Researchers maintain that the campaign involves delivering a benign app, and once it gets installed, the malware operators send users messages to download updates and install additional app features. All the infected apps require updates to be downloaded from third-party sources.
However, since the user trusts the app, no suspicion arises. In fact, on VirusTotal, a majority of these apps had zero detections by malware checkers initially.
Furthermore, the apps use other mechanisms to infect the devices, such as operators manually installing malicious updates after identifying the geographic location of the infected Android device or incrementally updating the smartphone.
Reportedly, the malicious apps are equipped with advertising features to evade detection or suspicion about their real intention. All four malware can easily bypass Play Store’s detection mechanisms (Play Protect) and mainly target Android devices.
Moreover, the concerning aspect is that the apps collectively boast over 300,000 downloads by Android users. Researchers found that more than 200,000 Android users have installed the apps laced with Anatsa. 50,000 users downloaded a QR code scanning app, and its download page on Google Play Store showed overwhelmingly positive reviews. Alien malware apps boasted 95,000 downloads.
“Actors behind it took care of making their apps look legitimate and useful. There are large numbers of positive reviews for the apps. The number of installations and the presence of reviews may convince Android users to install the app. Moreover, these apps indeed possess the claimed functionality, after installation, they do operate normally and further convince victims in their legitimacy,” researchers added.
If you are an Android user avoid downloading unnecessary apps from Google Play Store or third-party marketplaces. Additionally, use reliable anti-malware software, scan your device regularly and keep the device’s operating system updated.
Did you enjoy reading this article? Like our page onFacebookand follow us on Twitter.
I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism
Get the best stories straight into your inbox!
Don’t worry, we don’t spam
App Store Google News
HACKREAD is a News Platform that centers on InfoSec, Cyber Crime, Privacy, Surveillance and Hacking News with full-scale reviews on Social Media Platforms & Technology trends. Founded in 2011, HackRead is based in the United Kingdom.
Hackread.com is among the registered trademarks of Gray Dot Media Group Ltd. Company registration number 12903776 in regulation with the United Kingdom Companies House. The registered address is 85 Great Portland Street, London, England, W1W 7LT
The display of third-party trademarks and trade names on the site do not necessarily indicate any affiliation or endorsement of Hackread.com. If you click an affiliate link and buy a product or service, we may be paid a fee by that merchant.