Malware authors keep probing for gaps in the vigilance of Android users by slipping banking Trojans into the Google Play store under the guise of ordinary apps. A security firm has now identified a set of 29 such Trojans that were hosted on the Play store from August until early October 2018, posing as horoscope apps, battery managers, device cleaners and boosters.
These apps belong to the category of sophisticated mobile banking malware, with a heavy focus on stealth and complex functionality, unlike the more common malware that relies entirely on impersonating legitimate financial institutions and displaying fake login screens.
These remotely controlled Trojans are capable of dynamically targeting any app found on the victim's device with tailored phishing forms. In addition, the malware can intercept and redirect text messages to bypass SMS-based two-factor authentication, intercept call logs, and download and install other apps on the infected device.
Although the apps were uploaded under different developer names and guises, their code similarity and shared C&C server reveal that they belong to a single attacker or group.
The 29 malicious apps have been taken down from the Google Play Store after ESET and associated researchers notified Google of their malicious nature.
How do they operate?
After being launched, the apps display an error claiming that they have been removed due to incompatibility with the user's device, and then either hide themselves from the user's view or deliver the promised functionality, such as displaying horoscopes.
Whichever of these behaviours an app shows, its core malicious functionality is concealed in the app's encrypted payload assets. The payload is base64-encoded and encrypted with the RC4 cipher using a hardcoded key.
The first stage of the malware's execution is a dropper that checks for the presence of a sandbox or emulator. If those checks come back negative, the dropper decrypts and drops a loader and a payload containing the actual banking malware. Some of the analyzed apps had more than one stage of such encrypted payloads.
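To show what the payload-unwrapping step described above looks like when an analyst reproduces it, here is an added Python example (not ESET's code and not taken from the samples) that implements RC4 and recovers a payload from an asset blob given the key; the key and asset bytes are constructed placeholders, and because the article's wording leaves the layering order open, the function tries both base64-then-RC4 and RC4-then-base64.

```python
import base64
import binascii


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 key scheduling (KSA) plus keystream (PRGA); symmetric, so this
    single function both encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def unwrap_payload(asset: bytes, key: bytes):
    """Recover the embedded payload from an encrypted asset blob.
    Returns (payload, layering). The article's wording leaves open whether
    the asset is RC4(base64(payload)) or base64(RC4(payload)), so both are
    tried; strict base64 validation tells the two apart."""
    try:  # layering "rc4-then-b64": base64-encode, then RC4-encrypt
        return base64.b64decode(rc4(key, asset), validate=True), "rc4-then-b64"
    except binascii.Error:
        pass
    try:  # layering "b64-then-rc4": RC4-encrypt, then base64-encode
        return rc4(key, base64.b64decode(asset, validate=True)), "b64-then-rc4"
    except binascii.Error:
        return None, None


# Constructed sample data: the real hardcoded key and payloads are not on the page.
SAMPLE_KEY = b"placeholder-key"
SAMPLE_PAYLOAD = b"dex\n035\x00" + b"\x00" * 8 + b"<constructed stage-2 loader>"
ASSET_RC4_OVER_B64 = rc4(SAMPLE_KEY, base64.b64encode(SAMPLE_PAYLOAD))
ASSET_B64_OVER_RC4 = base64.b64encode(rc4(SAMPLE_KEY, SAMPLE_PAYLOAD))

if __name__ == "__main__":
    for asset in (ASSET_RC4_OVER_B64, ASSET_B64_OVER_RC4):
        payload, layering = unwrap_payload(asset, SAMPLE_KEY)
        print(layering, payload[:8])
```

On a real sample the key would be pulled from the dropper's code and the asset read from the APK's assets directory; a recovered blob starting with a DEX header is a quick sanity check that the right key and layering were used.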
The final payload can impersonate banking apps installed on the victim's device, send and intercept SMS messages, and download and install additional applications of the operator's choosing. Its most striking feature is that the malware can dynamically mimic any app installed on the infected device.
It does this by extracting the HTML code of the apps installed on the device and using that code to overlay the legitimate apps with fake forms as soon as the authentic apps are launched, which leaves the victim very little chance to notice that something is amiss.
How to stay safe
Fortunately, these banking Trojans do not use advanced tricks to maintain their persistence on affected devices. So if you find that you have installed any such apps, you can simply uninstall them under Settings > (General) > Application manager/Apps.
We further advise you to check that no suspicious transactions have been made from your bank account and, if any have, to consider changing your internet banking PIN code/password.
To avoid falling victim to such banking malware, here are some precautions you can take:
- Download apps only from the Google Play store. This does not guarantee that an app is safe, but such apps are far more common on third-party app stores, where, unlike on Google Play, they are rarely taken down after being identified as malware.
- Before downloading an app from the official Android store, check its reviews, number of downloads and ratings.
- Pay attention to the permissions you grant an app when installing it.
- Use a reputable mobile security solution and keep your Android device updated.