4 Android banking trojans were spread via Google Play infecting 300.000+ devices

Experts found four Android banking trojans that were available on the official Google Play Store and that infected +300,000 devices.

Researchers from ThreatFabric discovered four distinct Android banking trojans that were spread via the official Google Play Store between August and November 2021. According to the experts, the malware infected more than 300,000 devices through multiple dropper apps.

Threat actors are refining their techniques to bypass security checks implemented by Google for the app in its Play Store. A trick to bypass the checks consists of introducing carefully planned small malicious code updates over a longer period in Google Play. Another technique used by the threat actors involves designing look-alike command-and-control (C2) websites that match the theme of the dropper app so as to slip past conventional detection methods.

“To make themselves even more difficult to detect, the actors behind these dropper apps only manually activate the installation of the banking trojan on an infected device in case they desire more victims in a specific region of the world. This makes automated detection a much harder strategy to adopt by any organization.” reads the analysis published by the experts. “VirusTotal does not showcase the evolution of detections of antivirus products over time, but almost all campaigns have or had a 0/62 FUD score on VirusTotal at some point in time, confirming the difficulty of detecting dropper apps with a minimal footprint.”

The droppers were designed to distribute the Android banking trojan Anatsa, Alien, ERMAC, and Hydra.

Below is the list of dropper apps used to distribute the above banking trojan:

• Two Factor Authenticator (com.flowdivison)
• Protection Guard (com.protectionguard.app)
• QR CreatorScanner (com.ready.qrscanner.mix)
• Master Scanner Live (com.multifuction.combine.qr)
• QR Scanner 2021 (com.qr.code.generate)
• QR Scanner (com.qr.barqr.scangen)
• PDF Document (com.xaviermuches.docscannerpro2)
• Scanner – Scan to PDF
• PDF Document Scanner (com.docscanverifier.mobile)
• PDF Document Scanner Free (com.doscanner.mobile)
• CryptoTracker (cryptolistapp.app.com.cryptotracker)
• Gym and Fitness Trainer (com.gym.trainer.jeux)

ThreatFabric researchers spotted multiple samples dropped by the Brunhilda threat actor, the same group that was spotted distributing the Vultur Trojan in July 2021. In one case, the researchers observed Brunhilda posing as a QR code creator app used to drop Hydra and Ermac malware on the devices of users in were previously untapped countries, like the United States.

“In the span of only 4 months, 4 large Android families were spread via Google Play, resulting in 300.000+ infections via multiple dropper apps.” concludes the report. “A noticeable trend in the new dropper campaigns is that actors are focusing on loaders with a reduced malicious footprint in Google Play, considerably increasing the difficulties in detecting them with automation and machine learning techniques.

The small malicious footprint is a result of the new Google Play restrictions (current and planned) to put limitations on the use of privacy concerning app permissions.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, banking Trojan)

[adrotate banner=”5″]

[adrotate banner=”13″]