Over 300,000 Android users downloaded banking trojan malware

Hackers have managed to bypass Google Play app restrictions to chalk up over 300,000 banking trojan infections in just four months.

According to a blog post by security researchers at Threat Fabric, hackers have avoided being detected by Google Play by using smaller droppers in apps, reducing the number of permissions being asked of users and improving code as well as creating more convincing fake websites.

This has also made them difficult to detect from an automation (sandbox) and machine learning perspective, according to Threat Fabric.

“This small footprint is a (direct) consequence of the permission restrictions enforced by Google Play,” they said.

Hackers have also started carefully planned small malicious code updates over a longer period in Google Play, as well as sporting a dropper C2 backend to fully match the theme of the dropper app. The researchers cited an example here of a working fitness website for a workout-focused app.

“To make themselves even more difficult to detect, the actors behind these dropper apps only manually activate the installation of the banking trojan on an infected device in case they desire more victims in a specific region of the world. This makes automated detection a much harder strategy to adopt by any organization,” they said.

The 300,000 dropper installations came from just four types of malware. Anatsa (200,000+ installations); Alien (95,000+ installations) and Hydra/Ermac (15,000+ installations).

The largest, Anatsa, is an advanced Android banking trojan with RAT and semi-ATS capabilities. It carries out classic overlay attacks to steal credentials, accessibility logging (capturing everything shown on the user’s screen), and keylogging.

Researchers discovered the first dropper in June 2021 masquerading as an app for scanning documents. In total, researchers found six Anatsa droppers published in Google Play since June 2021.

A hacking group called Brunhilda dropped malware from established families, like Hydra, as well as novel ones, like Ermac. This posed as a QR code creator app. Both families have been very active in the last months according to researchers and have recently started appearing in the US.

The Alien campaign was also run by the Brunhilda group. This used a fake fitness app to spread.

“This dropper, that we dubbed “Gymdrop”, is another example of how cybercriminals try to convince victims and detection systems that their app is legitimate. The app website is designed to look legitimate at first glance. However, it is only a template for a gym website with no useful information on it, even still containing ‘Lorem Ipsum’ placeholder text in its pages,” said researchers.

Researchers said the attention dedicated by these hackers to evading unwanted attention renders automated malware detection less reliable.