According to recent reports from ThreatFabric, over 300,000 Android smartphones have been infected with banking trojans through imposter apps. ThreatFabric explains that four different forms of malware are mostly responsible and hidden within commonly used applications. These kinds of malicious apps come with basic functions to avoid suspicion, but once downloaded the app begins injecting malware from an external source, bypassing the Google Play store's security checks.
Four Forms of Malware
Through their research, cybersecurity experts at ThreatFabric found many droppers designed to distribute banking trojans. “Anatsa” is one of these trojans, it is also among the more prolific trojans where over 200,000 Android devices have been infected by it alone. ThreatFabric discovered Anatsa in January, describing it as an advanced banking trojan that can compromise both usernames and passwords. Anatsa comes with RAT and semi-ATS capabilities and uses accessibility logging to capture everything displayed on a user’s smartphone, while a keylogger tracks all information manually entered. Researchers found six different malicious apps designed to deliver Anatsa, these apps are often disguised as PDF scanners, QR code scanners and cryptocurrency apps.
The second is called “Alien”, which has similar Anatsa-like capabilities, such as stealing two-factor authentication information. The banking trojan has been around for about a year now and over 95,000 android devices have been infected. One of the malicious apps is a fitness and gym training application that comes paired with an authentic-looking website. Like Anasta, the initial installation does not deliver malware, however after some time users are prompted to update the application which then distributes the malware payload.
Hydra and Ermac
The final two forms of malware are Hydra and Ermac. More than 15,000 android users have downloaded apps infected with these two. According to ThreatFabric, Hydra and Ermac are connected to a cyber-criminal gang Brunhilda. Both trojans allow attackers to access the device and steal banking details.
ThreatFabric discovered these four malware families in a span of just a few months, all distributed via the Google Play store. The four trojans have a combined 300,000 infections via several dropper applications. The cybersecurity experts at ThreatFabric also noticed a trend in the dropper campaigns where threat actors are focusing on loaders with an overall “small” footprint on the Play Store. This method increased the difficulty in detecting them with machine learning and automation techniques.
A big reason behind the success of these malware campaigns can be contributed to the deployment process which ensures the malicious payload is delivered to a victim’s Android phone and not on testing environments. To work through this, cybercriminals use different techniques ranging from incremental malicious updates, location checks, server-side emulation checks and passing by time-based de-obfuscation.
For more news and updates, visit https://blog.excellimatrix.com/
You can also reach out to us on Facebook, & LinkedIn or Contact us directly