Researchers from ThreatFabric discovered four distinct Android banking trojans that were spread via the official Google Play Store between August and November 2021. According to the experts, the malware infected more than 300,000 devices through multiple dropper apps.
Threat actors are refining their techniques to bypass security checks implemented by Google for the app in its Play Store. A trick to bypass the checks consists of introducing carefully planned small malicious code updates over a longer period in Google Play. Another technique used by the threat actors involves designing look-alike command-and-control (C2) websites that match the theme of the dropper app so as to slip past conventional detection methods.
“To make themselves even more difficult to detect, the actors behind these dropper apps only manually activate the installation of the banking trojan on an infected device in case they desire more victims in a specific region of the world. This makes automated detection a much harder strategy to adopt by any organization.” reads the analysis published by the experts. “VirusTotal does not showcase the evolution of detections of antivirus products over time, but almost all campaigns have or had a 0/62 FUD score on VirusTotal at some point in time, confirming the difficulty of detecting dropper apps with a minimal footprint.”
The droppers were designed to distribute the Android banking trojan Anatsa, Alien, ERMAC, and Hydra.
Below is the list of dropper apps used to distribute the above banking trojan:
ThreatFabric researchers spotted multiple samples dropped by the Brunhilda threat actor, the same group that was spotted distributing the Vultur Trojan in July 2021. In one case, the researchers observed Brunhilda posing as a QR code creator app used to drop Hydra and Ermac malware on the devices of users in were previously untapped countries, like the United States.
“In the span of only 4 months, 4 large Android families were spread via Google Play, resulting in 300.000+ infections via multiple dropper apps.” concludes the report. “A noticeable trend in the new dropper campaigns is that actors are focusing on loaders with a reduced malicious footprint in Google Play, considerably increasing the difficulties in detecting them with automation and machine learning techniques.
The small malicious footprint is a result of the new Google Play restrictions (current and planned) to put limitations on the use of privacy concerning app permissions.”
Follow me on Twitter: @securityaffairs and Facebook
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, banking Trojan)
[adrotate banner=”5″]
[adrotate banner=”13″]
Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…
Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…
The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…
This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…
The Finnish Police attributed the attack against the parliament that occurred in March 2021 to…
This website uses cookies.