Date: 2021-12-01

In four months, more than 300,000 Android users downloaded password-stealing banking trojans that appear to have bypassed the Google Play Store’s malware detection measures.

That is according to research from cybersecurity firm ThreatFabric, which found that malicious actors were using well-disguised dropper apps to deliver malicious code to compromise users’ devices.

ThreatFabric identified four families of malware — Anatsa, Alien, Hydra, and Ermac — being spread through various apps.

Of these, Anatsa was the most commonly downloaded malware family, with more than 200,000 downloads.

The image below shows the number of downloads for each malware family and the specific regions targeted.

ThreatFabric explained that Anatsa is an advanced Android banking trojan with remote access and semi-automatic transfer system capabilities.

It can also perform classic overlay attacks to phish credentials, use accessibility logging to capture everything shown on the user’s screen, and log keystrokes.

The malicious apps on the Google Play Store that attackers used to deploy Anatsa typically posed as free QR code scanners, PDF scanners, or cryptocurrency apps.

ThreatFabric warned that the malicious actors behind them went to great efforts to make the apps appear inconspicuous.

In their original form on the store, they might not contain any malicious code at all.

“These apps indeed possess the claimed functionality. After installation, they do operate normally and further convince the victim in their legitimacy,” ThreatFabric said.

However, after the app is opened, users might be presented with a message that tells them they need to download an update for the app to work.

Because the app has numerous positive reviews and a high number of installations, the user is persuaded to enable installation of the update from an unknown source.

The malicious code is then downloaded and installed from the attackers’ command-and-control server.
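The dropper chain described above hinges on two Android capabilities a reviewer can spot statically: the permission that lets an app prompt the user to sideload an "update" (REQUEST_INSTALL_PACKAGES) and, in the delivered payload, an accessibility service that can read the screen. The following triage script is an added example, not ThreatFabric's tooling or code from any of the apps named; the manifest it inspects, the package name `com.example.qrscanner` and the service name are constructed samples.

```python
"""Static triage of a decoded AndroidManifest.xml for dropper/payload indicators."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Permission an app needs before it can ask the user to install an APK it fetched itself.
SIDELOAD_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"
# A service bound with this permission / action receives accessibility events (screen content).
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"


def triage_manifest(manifest_xml: str) -> dict:
    """Return the package name and which of the two indicators the manifest declares."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    accessibility = False
    for svc in root.iter("service"):
        if svc.get(PERMISSION) == ACCESSIBILITY_BIND:
            accessibility = True
        for action in svc.iter("action"):
            if action.get(NAME) == ACCESSIBILITY_ACTION:
                accessibility = True
    return {
        "package": root.get("package"),
        "can_prompt_sideload": SIDELOAD_PERM in perms,
        "binds_accessibility_service": accessibility,
    }


# Constructed sample manifest: a "QR scanner" that also asks to install packages
# and ships an accessibility service. Not taken from any real app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.qrscanner">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Free QR Scanner">
    <service android:name=".ScreenReaderService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A camera permission is expected for a QR scanner; an install-packages permission on the same app is the anomaly worth a manual look, and the accessibility service is what the downloaded payload, not the storefront version, would typically add.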

Some of the offending apps are shown in the images below.

ThreatFabric also explained the malicious actors were finding smart ways to bypass Google’s malware policing.

“Besides improved malware code efforts, Google Play distribution campaigns are also more refined than previous campaigns,” ThreatFabric said.

“For example, by introducing carefully planned small malicious code updates over a longer period in Google Play, as well as sporting a dropper C2 backend to fully match the theme of the dropper app.”

In addition, ThreatFabric said the actors were deliberately controlling where Anatsa was deployed to prevent detection by Google.

“Despite the overwhelming number of installations, not every device that has these droppers installed will receive Anatsa, as the actors made efforts to target only regions of their interest.”

“To make themselves even more difficult to detect, the actors behind these dropper apps only manually activate the installation of the banking trojan on an infected device in case they desire more victims in a specific region of the world.”

“This makes automated detection a much harder strategy to adopt by any organisation,” it added.