Duh, There Are Apps on Google Play Stealing Users' Banking Passwords

A number of apps on Google Play contain banking trojans that secretly harvest users' credentials.
According to researchers from the security company ThreatFabric, some of the applications carrying the banking trojan have been downloaded more than 300 thousand times.
The researchers say the banking credentials siphoned off by these malicious applications range from user passwords to two-factor authentication codes. The banking malware can also log the user's keystrokes and take screenshots.
As reported by Ars Technica on Friday (12/3/2021), the malicious applications disguise themselves as QR code scanners, PDF scanners, and cryptocurrency wallets. The banking trojans come from four separate Android malware families distributed over the past four months.
The malware uses a number of tricks to circumvent restrictions that Google has put in place in an attempt to curb the distribution of malicious apps on its official market.
One of these restrictions limits the use of accessibility services, which are intended for users with visual impairments; its purpose is to prevent software from being installed automatically without user consent.
Researchers from ThreatFabric explain that Google Play distribution campaigns are difficult to detect from an automation and machine learning perspective because all of the dropper apps have a very small malicious footprint.
“The small footprint is a direct consequence of the permission restrictions imposed by Google Play,” the ThreatFabric researchers wrote in their post.
The researchers also explain how the malicious applications work. Once the app is installed, the user receives a message instructing them to download an update that installs additional features.
The apps also frequently ask to be updated with packages downloaded from third-party sources, and unfortunately, many users trust these prompts.
Most of the applications carrying this banking trojan were not initially detected by the malware scanners available on VirusTotal.
The apps also hide themselves from malware scanners through other mechanisms. In many cases, the operators manually push the malicious update only after checking the geographic location of already infected devices, or deliver it through incremental app updates.
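The dropper pattern described above leaves two traces on a device: an "update" package that was not installed by the store, and an accessibility service enabled for that package. The triage script below (an added example, not from the article or from ThreatFabric) parses constructed sample output of `adb shell pm list packages -i` and `adb shell settings get secure enabled_accessibility_services` and flags packages showing both signs; the package names are invented placeholders.

```python
import re

# Constructed sample of `adb shell pm list packages -i` output.
# Package names are invented; com.android.vending is Google Play.
PM_LIST = """\
package:com.android.chrome installer=com.android.vending
package:com.google.android.marvin.talkback installer=com.android.vending
package:com.example.qrscanner installer=com.android.vending
package:com.example.qrscanner.update installer=null
package:com.example.pdfreader installer=com.android.vending
"""

# Constructed sample of `settings get secure enabled_accessibility_services`:
# colon-separated package/service entries.
ENABLED_A11Y = (
    "com.example.qrscanner.update/com.example.qrscanner.update.MainService:"
    "com.google.android.marvin.talkback/.TalkBackService"
)

TRUSTED_INSTALLERS = {"com.android.vending"}  # extend with OEM stores as needed
PKG_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_pm_list(text):
    """Return {package: installer}; installer is None when pm prints 'null'."""
    result = {}
    for line in text.splitlines():
        m = PKG_RE.match(line.strip())
        if m:
            pkg, installer = m.groups()
            result[pkg] = None if installer == "null" else installer
    return result


def parse_enabled_services(text):
    """Return the set of packages that own an enabled accessibility service."""
    return {entry.split("/", 1)[0] for entry in text.split(":") if entry}


def triage(pm_text, a11y_text):
    """Flag packages not installed by a trusted store (a sideloaded 'update'),
    noting an enabled accessibility service as an aggravating sign."""
    a11y_pkgs = parse_enabled_services(a11y_text)
    findings = {}
    for pkg, installer in parse_pm_list(pm_text).items():
        if installer in TRUSTED_INSTALLERS:
            continue  # store-installed; TalkBack is legitimately an a11y service
        reasons = ["sideloaded (installer=%s)" % installer]
        if pkg in a11y_pkgs:
            reasons.append("accessibility service enabled")
        findings[pkg] = reasons
    return findings


if __name__ == "__main__":
    for pkg, reasons in triage(PM_LIST, ENABLED_A11Y).items():
        print(pkg, "->", "; ".join(reasons))
```

On a real device, feed the script the two adb outputs and review every flagged package; a store-installed app that prompted for the sideloaded one is the dropper.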
“This extraordinary care dedicated to avoiding unwanted attention makes automated malware detection less reliable,” wrote ThreatFabric.
For your information, the malware family responsible for this major Android infection campaign is known as Anatsa.
