Banking Trojans continue to surface on Google Play
The malicious apps have all been removed from the official Android store but not before the apps were installed by almost 30,000 users
Malware authors keep testing the vigilance of Android users by sneaking disguised mobile banking Trojans into the Google Play store. We’ve recently analyzed a set of 29 such stealthy Trojans, found in the official Android store from August until early October 2018, masquerading as device boosters and cleaners, battery managers and even horoscope-themed apps.
Unlike the increasingly prevalent malicious apps relying purely on impersonating legitimate financial institutions and displaying bogus login screens, these apps belong to the category of sophisticated mobile banking malware with complex functionality and a heavy focus on stealth.
These remotely controlled Trojans are capable of dynamically targeting any apps found on the victim’s device with tailor-made phishing forms. Aside from this, they can intercept and redirect text messages to bypass SMS-based two-factor authentication, intercept call logs, and download and install other apps on the compromised device. These malicious apps were uploaded under mostly different developer names and guises, but code similarities and a shared C&C server suggest the apps are the work of a single attacker or group.
The 29 malicious apps have all been removed from the official Android store in the meantime after ESET and fellow researchers notified Google of their malicious nature. Before being pulled from the store, however, the apps were installed by almost 30,000 users in total.
Once launched, the apps either display an error claiming they have been removed due to incompatibility with the victim’s device and then proceed to hide themselves from the victim’s view, or deliver the promised functionality – such as displaying horoscopes.
Regardless of which of the preceding activities one of these apps displays, the main malicious functionality is hidden in an encrypted payload located in each app’s assets. This payload is encoded using base64 and then encrypted with an RC4 cipher using a hardcoded key. The first stage of the malware’s activity is a dropper that initially checks for the presence of an emulator or a sandbox. If those checks find no emulator or sandbox, it then decrypts and drops a loader, and a payload that contains the actual banking malware. Some of the apps we analyzed contained more than one stage of such encrypted payloads.
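The packing order just described (base64 encode, then RC4 with a hardcoded key) is easy to reverse during static analysis once the key has been pulled from the dropper. The following Python is an added analyst helper, not ESET’s tooling or code from the samples: it implements plain RC4, unpacks an asset in the reverse order, and checks the recovered bytes for the magic values a dropped stage would normally carry (DEX, ZIP/APK, ELF). The key and the payload are constructed placeholders for the demonstration; `pack_asset` exists only to build that sample and has no counterpart in the analysis workflow.

```python
"""Unpack an RC4-encrypted, base64-encoded asset of the kind the article
describes. Added example with constructed inputs, not ESET's code."""
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA followed by PRGA). Encrypting and decrypting are the same
    operation, so this single function serves both directions."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation algorithm, XORed with data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Magic bytes an analyst expects at the start of a dropped stage.
MAGICS = {
    b"dex\n": "DEX (Dalvik executable)",
    b"PK\x03\x04": "ZIP/APK/JAR archive",
    b"\x7fELF": "ELF native library",
}


def identify(blob: bytes) -> str:
    """Name the container type by its leading bytes, or 'unknown'."""
    for magic, name in MAGICS.items():
        if blob.startswith(magic):
            return name
    return "unknown"


def unpack_asset(asset: bytes, key: bytes) -> tuple:
    """Reverse the packing order from the article: RC4-decrypt first, then
    base64-decode. validate=True makes a wrong key fail loudly instead of
    silently yielding garbage."""
    decoded = base64.b64decode(rc4(key, asset), validate=True)
    return decoded, identify(decoded)


def pack_asset(payload: bytes, key: bytes) -> bytes:
    """Constructed inverse, used here only to build a sample asset."""
    return rc4(key, base64.b64encode(payload))


# Constructed sample: a DEX-like header stub and a placeholder key.
# Neither value comes from the samples discussed in the article.
SAMPLE_KEY = b"PLACEHOLDER_KEY"
SAMPLE_PAYLOAD = b"dex\n035\x00" + b"\x00" * 24
SAMPLE_ASSET = pack_asset(SAMPLE_PAYLOAD, SAMPLE_KEY)


def main():
    blob, kind = unpack_asset(SAMPLE_ASSET, SAMPLE_KEY)
    print(f"recovered {len(blob)} bytes, looks like: {kind}")
    # With the wrong key the RC4 output is not valid base64 (or, rarely,
    # decodes to bytes with no recognised magic), so the analyst notices.
    try:
        _, kind = unpack_asset(SAMPLE_ASSET, b"WRONG_KEY")
        print(f"wrong key: decoded but type is {kind}")
    except ValueError:
        print("wrong key: not valid base64 after RC4")


if __name__ == "__main__":
    main()
```

For a real sample, read the asset file in binary mode and pass the key recovered from the dropper; apps with more than one stage, as the article notes, need the same step repeated on the next stage’s asset.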
The functionality of the final payload is to impersonate banking apps installed on the victim’s device, intercept and send SMS messages, and download and install additional applications of the operator’s choice. The most significant feature is that the malware can dynamically impersonate any app installed on a compromised device. This is achieved by obtaining the HTML code of the apps installed on the device and using that code to overlay legitimate apps with bogus forms once the legitimate apps are launched, giving the victim very little chance to notice something is amiss.
Fortunately, these particular banking Trojans (the full list can be found in the IoCs section) do not employ advanced tricks to ensure their persistence on affected devices. Therefore, if you suspect you have installed any of these apps, you can simply uninstall them under Settings > (General) > Application manager/Apps.
We also advise you to check your bank account for suspicious transactions and consider changing your internet banking password/PIN code.
To avoid falling victim to banking malware, we recommend that you:
Special thanks to Nikolaos Chrysaidos for bringing some of these malicious apps to our attention.
Copy-paste on figure 3 description.
Also, can you please expand on HTML and overlaying? I’m an Android developer and was following up until then… What does HTML have to do with Android apps? Do banking apps host their security/features in a WebView?
To be able to impersonate hundreds of legitimate apps with their Android banking malware, attackers need to go for a dynamic approach (as opposed to having the app carry all the fake layouts in its assets, which would take up a lot of space and could trigger antivirus software). This means that the malicious app retrieves HTML code for the targeted legitimate apps and displays them to the affected user in WebView. This has nothing to do with whether banking apps use WebView or not.
Most of the malware files target stupid people who believe in horoscopes, magic stuff and quackery… Oh well… what to expect…
Oh well, I hope you or any of your family are never ever stupid enough to, mmm, leave a window open, or a car unlocked, or God forbid wander down a dark alley and fall off a cliff… that would be stupid, but hey, you would think they asked for it. NO MATTER WHAT YOU BELIEVE YOU SHOULDN’T BE ROBBED, BE IT BY OPEN WINDOW OR MIND. IN FACT LET’S JUMP ON STUPID’S HEAD. Now being stupid is like being dead: you are unaware you are dead and it is painless, but those who are around you feel pain, much the same as being stupid, but really they deserve it worse than the pope in medieval times; hey, they just burnt them, zodiac dafties.
That’s right. As long as I was naive and trusted people, it all came back on my own head. Only now do I see that most of you were right. This help of yours in the form of advice means a lot to me. If you need anything, let me know, I can send it or whatever.. Regards, Aca Obrenovac
I am a cell phone Sales rep and we see these all the time
Sucks if you believe in star signs and horoscopes; odd that nearly half the apps are aimed at that.
Joking aside, do you not think Google should be accountable for allowing apps to be downloaded knowing full well that those who do will be royally robbed and have all their details robbed, because it has happened again. Then, only say 5 months ago, I received an email from a well known online casino, asking if I had downloaded their app off the Google Play store, warning me to REMOVE IT FUCKING INSTANTLY, THEY HAVE NO APP, NEVER HAVE, AND THEY HAVE CONTACTED GOOGLE PERSONALLY, BUT GOOGLE STILL HAD IT TO DOWNLOAD WHEN I CHECKED. Is this not the actions of a company who are prepared, no matter what, to protect their reputable reputation by means of the 3 WISE MONKEYS: SEE FOX ALL, HEAR FOX ALL AND THE BIG BIT OF CRIME, SAY NOTHING, BECAUSE PUBLICITY LIKE THAT WOULD TAKE A MASSIVE “LET’S LEAVE GOOGLE”. BUT EVEN today they have allowed harassed advertised products and been offering a new toolbar; guess what, another fifty or thousand what, zodiac dafties?? Well no, just folk who thought Google a household name we trust, like buy a TV get Sony, buy a guitar get Gibson. BANKS DO IT: COMPLAIN ABOUT AN UNAUTHORISED WITHDRAWAL, FIRSTLY THEY WILL ACCUSE YOU, AND THEN TELL YOU THAT YOU MUST GET POLICE, although in my view the bank charge us and promise our wealth is safe. GOOGLE WON’T YOU: YOUR NAME, NUMBER, ADDRESS, LOCATION, YOUR BROWSER HISTORY AND MORE, WHO US FAMILY; IN FACT THEY WON’T KNOW WHERE YOU ARE RIGHT NOW AS YOU READ, TRUE, AND WHEN WE SAY NO THEY SAY BYE, CAN’T USE IT. So if we don’t trust them it’s blackmail. Today they told me they sent all my details to desktop0KR7RPI, my bank, my WHOLE WORLD, MY LIFE, EVERYTHING. Firstly guys, I have never used a desktop nor owned one.
I know I am not a liar, but last year they sent me 3 alerts of hacking, on all devices from a Linux computer to a laptop in France unknown to me; fair play Google. So why send all my info to a desktop which has never been used on my account; in fact in the whole history of the account there has never been such a device used, a desktop. Can I remove this computer they tell me about? No I can’t, but they can inform me all my passwords for many financial accounts, banks, bookies, credit cards, my recovery accounts, daughter’s numbers, MY MOST PRIVATE THINGS went to desktop0KR7RPI on 14th April 2019 to a location named as United Kingdom, but if I let Google do location it tells me and pinpoints to 25 homes; if I turn it off it tells me I’m in a very very small town next to the sea. I SAY GOOGLE IS GUILTY OF AIDING AND ABETTING, of helping hackers distribute BANKING TROJAN MALWARE TO FRAUDULENTLY STEAL MONEY, BECAUSE SINCE THE ABOVE THERE’S BEEN ANOTHER 5 OR MORE SEPARATE TIMES INVOLVING PROBABLY HUNDREDS OF THOUSANDS IF NOT MILLIONS. THEY ARE STILL AT IT, WHY STOP? IF I HELD A WINDOW OPEN FOR A HOUSEBREAKER AND DROVE HIM HOME this article would not be here, I’d be singing the blues in jail.
Thank you for the information. I am not as skilled as my brother with computers and this accelerated technological development; a man is always ready to learn while he is alive.
Yep
The zodiac predictions never said, by the way, that a flow of information will lie and deny you your privacy. The wrath of the Trojan mind will display your wealth across a stream, as Google unleashes the dark thieves who take all your dreams and desires and ahhh, it’s gone; my crystal balls need another good rub.