Android malware infected more than 300,000 devices with banking trojans

2 years ago 383

The archetypal apps successful Google Play were safe, but the creators recovered a mode astir the Play Store's protections to instal malware connected Android users' devices. Here's however it happened and however to enactment safe.

Female manus  utilizing mobile astute  telephone  with icon graphic cyber information    web  of connected devices and idiosyncratic   privateness  information  information

Image: marchmeena29, Getty Images/iStockphoto

A November study from ThreatFabric revealed that more than 300,000 Android users unknowingly downloaded malware with banking trojan capabilities, and that it bypassed the Google Play Store restrictions.

The cybercriminals developed a method for successfully infecting Android users with antithetic banking trojans, which are designed to summation entree to idiosyncratic relationship credentials. The archetypal measurement was to taxable apps to the Google Play Store that had astir nary malicious footprint and that really looked similar functional, utile applications, specified arsenic QR Code scanners, PDF scanners, cryptocurrency-related apps oregon fitness-related apps.

Once launched, these apps asked the idiosyncratic to bash an update, which was downloaded extracurricular of the Google Play Store (sideloading technique) and installed the malicious contented connected the Android device.

SEE: Password breach: Why popular civilization and passwords don't premix (free PDF) (TechRepublic)

So, portion the archetypal exertion did not incorporate thing malicious, it provided a mode to instal the malicious contented aft the installation was done, making it afloat invisible to the Google Play Store.

The attackers were cautious capable to taxable an archetypal mentation of their applications, which did not incorporate immoderate download oregon instal functionality, and aboriginal updated the applications connected the Google Play Store with much permissions, allowing the download and installation of the malware. They person besides acceptable restrictions by utilizing mechanisms to guarantee the payload was lone installed connected existent victims' devices and not investigating environments, making it adjacent harder to detect.

ThreatFabric discovered 4 antithetic banking Trojan families: Anatsa, Alien, Hydra and Ermac, with Anatsa being the astir widespread.

The information of the Google Play Store

Google Play is the large repository for Android applications, and immoderate developer tin taxable his oregon her ain exertion to the Play Store. The submitted exertion volition past spell done an app reappraisal process to guarantee that it is not malicious and does not interruption immoderate of the developer policies.

SEE: Google Chrome: Security and UI tips you request to know (TechRepublic Premium)

These policies mostly impact ensuring that the contented of the app is appropriate, that it does not impersonate oregon transcript different apps oregon people, that it complies with monetization policies, and provides minimum functionality (it should not clang each the time, and it should respect the idiosyncratic experience). 

On the information side, apps submitted should of people not beryllium malicious: It should not enactment a idiosyncratic oregon their information astatine risk, compromise the integrity of the device, summation power implicit the device, alteration remote-controlled operations for an attacker to access, usage oregon exploit a device, transmit immoderate idiosyncratic information without capable disclosure and consent, oregon nonstop spam oregon commands to different devices oregon servers.

Google's process to analyse submitted applications besides includes support verifications. Some permissions oregon APIs, considered sensitive, request the developer to record peculiar authorization requests and person it reviewed by Google to guarantee the exertion does truly request those.

Malware and PUA connected the Google Play Store

While being precise alert and actively deploying changeless caller methods to tackle malware, the Google Play Store tin inactive beryllium bypassed successful uncommon cases. The full reappraisal process applied to exertion submissions for the Google Play Store makes it truly hard for cybercriminals to dispersed malware via the level though it is unluckily inactive possible.

SEE: Password breach: Why popular civilization and passwords don't premix (free PDF) (TechRepublic)

A survey released successful November 2020 by the NortonLifeLock Research Group revealed that among 34 cardinal APKs dispersed connected 12 cardinal Android devices, between 10% and 24% of it could beryllium described arsenic malicious oregon perchance unwanted applications, depending connected antithetic classifications. Of those applications, 67% were installed from the Google Play Store. The researchers notation that "the Play marketplace is the main app organisation vector liable for 87% of each installs and 67% of unwanted installs. However, its is lone 0.6% vector detection ratio, showing that the Play marketplace defenses against unwanted apps work, but inactive important amounts of unwanted apps are capable to bypass them, making it the main organisation vector for unwanted apps. In the end, users are much apt to instal malware by downloading it from web pages via their instrumentality browsers oregon from alternate marketplaces.

How to support your Android instrumentality from malware

With a fewer steps, it is imaginable to importantly trim the hazard of having an Android instrumentality being compromised.

  • Avoid chartless stores. Unknown stores typically person nary malware detection processes, dissimilar the Google Play Store. Don't instal bundle connected your Android instrumentality which comes from untrusted sources.
  • Carefully cheque requested permissions erstwhile installing an app. Applications should lone petition permissions for indispensable APIs. A QR Code scanner should not inquire for support to nonstop SMS, for example. Before installing an exertion from the Google Play Store, scroll down connected the app statement and click connected the App Permissions to cheque what it requests.
  • Immediate petition for update aft installation is suspicious. An exertion that is downloaded from the Play Store is expected to beryllium the latest mentation of it. If the app asks for update support astatine the archetypal run, instantly aft its installation, it is suspicious.
  • Check the discourse of the application. Is the exertion the archetypal 1 from a developer? Has it precise fewer reviews, possibly lone five-star reviews?
  • Use information applications connected your Android device. Comprehensive information applications should beryllium installed connected your instrumentality to support it.

Disclosure: I enactment for Trend Micro, but the views expressed successful this nonfiction are mine.

Cybersecurity Insider Newsletter

Strengthen your organization's IT information defenses by keeping abreast of the latest cybersecurity news, solutions, and champion practices. Delivered Tuesdays and Thursdays

Sign up today

Also see

Read Entire Article