
https://computerworld.com.br/seguranca/mais-de-300-mil-usuarios-foram-infectados-por-trojan-tipo-conta-gotas-em-apps-da-play-store/

Cybersecurity researchers at ThreatFabric have detailed a family of malicious apps that evaded detection in the Google Play Store and could have exposed the passwords of hundreds of thousands of people. The Android password-stealing Trojans masqueraded as QR code readers, fitness trackers, cryptocurrency apps and other utilities, according to a report on the ZDNet website.

More than 300,000 Android smartphone users downloaded this malware, which delivers banking Trojans.

According to ThreatFabric researchers, four different types of malware are delivered to victims through malicious versions of frequently downloaded applications such as document scanners, QR code readers, fitness monitors and cryptocurrency applications.

The apps hide their malicious intent behind genuine functionality, encouraging users to download and install them while avoiding detection by the Play Store.

The Anatsa malware is one of the four families documented by the researchers and has been installed by over 200,000 Android users. Researchers call it an “advanced” banking Trojan.

“Anatsa is a very advanced Trojan for Android with RAT and semi-ATS capabilities. It can also perform classic overlay attacks to steal credentials, accessibility logging (hijacking whatever is displayed on the user’s screen), and keylogging. ThreatFabric has previously reported cases of Anatsa being distributed alongside Cabassous as part of virus-killing campaigns across Europe,” the researchers write in a blog post.

The Anatsa malware has been active since January, but in June 2021 researchers discovered the first dropper, disguised as a document scanning app. In total, ThreatFabric analysts identified 6 Anatsa droppers posted on Google Play since June 2021.

Users first fall victim to phishing emails or fake advertising campaigns that lead them to the malicious applications.

One such application, a QR code scanner, has on its own been installed by 50,000 users. Its download page carried many positive reviews, which could have encouraged people to install the app, ZDNet notes.

Once downloaded, users are prompted to update the app in order to keep using it. It is this update that connects to the C&C server and downloads the Anatsa payload to the device, the site reports, giving attackers the tools to steal banking details and other information.

Another malware family detailed by the researchers is Alien, an Android Trojan that can also hijack two-factor authentication features. It has been active for over a year and received 95,000 installations via malicious apps in the Play Store.

One of the applications infected with this Trojan was a gym and fitness-center app. In this case the app was even accompanied by a website to make it look more legitimate, and that same site served as the command-and-control server for the Alien malware.

As with Anatsa, after the initial download users are forced to perform a fake app update in order to use the app, and it is this update that delivers the payload.

Hydra and Ermac, with at least 15,000 downloads between them, were the other malware families detailed by the ThreatFabric researchers, who attributed the campaign to the cybercriminal group Brunhilda, known for targeting Android devices with banking malware.

According to ZDNet, ThreatFabric reported all malicious apps to Google and they have either been removed or are under review.

“The Android banking malware ecosystem is evolving rapidly. These numbers, which we are now seeing, are the result of a slow but inevitable shift in focus from criminals to the mobile environment. With this in mind, the Google Play Store is the most compelling platform to use to serve malware,” ThreatFabric mobile malware expert Dario Durando told ZDNet.

With information from ZDNet
