Malware

4 Android banking trojans were spread via Google Play infecting 300.000+ devices

Experts found four Android banking trojans that were available on the official Google Play Store and that infected +300,000 devices.

Researchers from ThreatFabric discovered four distinct Android banking trojans that were spread via the official Google Play Store between August and November 2021. According to the experts, the malware infected more than 300,000 devices through multiple dropper apps.

Threat actors are refining their techniques to bypass security checks implemented by Google for the app in its Play Store. A trick to bypass the checks consists of introducing carefully planned small malicious code updates over a longer period in Google Play. Another technique used by the threat actors involves designing look-alike command-and-control (C2) websites that match the theme of the dropper app so as to slip past conventional detection methods.

“To make themselves even more difficult to detect, the actors behind these dropper apps only manually activate the installation of the banking trojan on an infected device in case they desire more victims in a specific region of the world. This makes automated detection a much harder strategy to adopt by any organization.” reads the analysis published by the experts. “VirusTotal does not showcase the evolution of detections of antivirus products over time, but almost all campaigns have or had a 0/62 FUD score on VirusTotal at some point in time, confirming the difficulty of detecting dropper apps with a minimal footprint.”

The droppers were designed to distribute the Android banking trojan Anatsa, Alien, ERMAC, and Hydra.

Below is the list of dropper apps used to distribute the above banking trojan:

  • Two Factor Authenticator (com.flowdivison)
  • Protection Guard (com.protectionguard.app)
  • QR CreatorScanner (com.ready.qrscanner.mix)
  • Master Scanner Live (com.multifuction.combine.qr)
  • QR Scanner 2021 (com.qr.code.generate)
  • QR Scanner (com.qr.barqr.scangen)
  • PDF Document (com.xaviermuches.docscannerpro2)
  • Scanner – Scan to PDF
  • PDF Document Scanner (com.docscanverifier.mobile)
  • PDF Document Scanner Free (com.doscanner.mobile)
  • CryptoTracker (cryptolistapp.app.com.cryptotracker)
  • Gym and Fitness Trainer (com.gym.trainer.jeux)

ThreatFabric researchers spotted multiple samples dropped by the Brunhilda threat actor, the same group that was spotted distributing the Vultur Trojan in July 2021. In one case, the researchers observed Brunhilda posing as a QR code creator app used to drop Hydra and Ermac malware on the devices of users in were previously untapped countries, like the United States.

“In the span of only 4 months, 4 large Android families were spread via Google Play, resulting in 300.000+ infections via multiple dropper apps.” concludes the report. “A noticeable trend in the new dropper campaigns is that actors are focusing on loaders with a reduced malicious footprint in Google Play, considerably increasing the difficulties in detecting them with automation and machine learning techniques.

The small malicious footprint is a result of the new Google Play restrictions (current and planned) to put limitations on the use of privacy concerning app permissions.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, banking Trojan)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

7 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

18 hours ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

22 hours ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

1 day ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

1 day ago

Finnish police linked APT31 to the 2021 parliament attack

The Finnish Police attributed the attack against the parliament that occurred in March 2021 to…

2 days ago

This website uses cookies.