ThreatFabric security researchers have recently identified four different Android banking trojans. All of these trojans were spread through the official Google Play Store, and the threat actors racked up more than 300,000 banking trojan installations in just four months.
The malicious code was hidden inside functional apps that served as:-
- QR code scanners
- PDF scanners
- Security tools
- Fitness apps
- Two-factor authenticators
After finding the trojans, the security experts began an investigation and, in the course of it, noted several droppers placed in Google Play that were created specifically to distribute the banking trojan Anatsa.
Anatsa is an advanced Android banking trojan with stealthy abilities such as:-
Not only this, but Anatsa also carries out standard overlay attacks aimed at hijacking credentials, alongside accessibility logging and keylogging.
Loaders are the best medium to deploy malware on the Play Store
Loaders are specifically designed to let malware circumvent the checks applied by security software.
Loaders are generally used to connect to the threat actors' remote servers and then download and manage a more capable payload.
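The dropper and overlay behaviour described above and in the Anatsa paragraph leaves traces in an app's manifest, so a defender can triage a decoded AndroidManifest.xml before it reaches users. The following is an added example, not code from ThreatFabric or from this article: it flags permissions that a plain QR-code scanner has no reason to request (the permission names are real Android permissions; the sample manifest and the package and service names are constructed for illustration).

```python
# Added example (not from the ThreatFabric report or this article): a small
# static-triage check for the dropper/overlay traits the article describes.
# It parses a decoded AndroidManifest.xml (constructed sample below) and flags
# permissions a plain QR-code scanner has no business requesting:
#   REQUEST_INSTALL_PACKAGES   - needed to side-load a downloaded payload (dropper)
#   SYSTEM_ALERT_WINDOW        - draws overlays on top of banking apps
#   BIND_ACCESSIBILITY_SERVICE - accessibility abuse for logging/keylogging
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

DROPPER_PERMS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "dropper: can install downloaded APKs",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay: can draw over other apps",
}
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml: str) -> list[str]:
    """Return human-readable findings for a decoded manifest (empty if clean)."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name", "")
        if name in DROPPER_PERMS:
            findings.append(f"{name}: {DROPPER_PERMS[name]}")
    # An accessibility service is declared on a <service> element, not as a
    # uses-permission, so it is checked separately.
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERM:
            findings.append(f"{svc.get(ANDROID_NS + 'name')}: binds an accessibility service")
    return findings


# Constructed sample (hypothetical package/service names): a "QR scanner"
# manifest carrying all three traits.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.qrscanner">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".ScanHelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for finding in triage_manifest(SAMPLE_MANIFEST):
        print("suspicious:", finding)
```

A clean dropper stage may request none of these at install time and only ask for them after the update, so the check belongs in post-update review as well as initial vetting.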
Hydra, Ermac, and Alien Installs
The threat group Brunhilda was observed using a fake QR-code app to distribute both the Hydra and Ermac malware families. Separately, a dropper app named “GymDrop” used “exercise update” messages to deceive victims into downloading the Alien banking trojan.
Once the Alien samples are downloaded, they connect to the same C2 as samples from the Brunhilda dropper campaign to carry out the rest of the attack.
Loaders Evade Play Store Security Checks
The analysts did not notice this campaign earlier, and the campaign shows that Google Play's latest changes have not slowed down the operators of Loader-as-a-Service systems: the threat actors responded by submitting clean apps that pass Google's Bouncer checks.
Moreover, many threat actors built fake websites for their apps and hosted the loader's command and control server there, so that victims take it for a legitimate component coming from an official website.
Users should therefore be attentive when checking links, because this small malicious footprint is what lets these apps slip past many Google Play restrictions. Campaigns of this type also put heavy pressure on the privacy protections tied to app permissions.