Despite Google's many attempts to strengthen its anti-malware protections, infecting Android users with malware is still as easy as it ever was.
Two such Android apps were recently spotted on Google Play by security researchers from the Trend Micro malware research team. They infected thousands of Android users who had already downloaded them with banking malware.
The apps in question masquerade as a currency exchange app called Currency Converter and a battery saver app called BatterySaverMobi. They use the motion-sensor input of the infected Android device to check whether it is actually being handled before installing a dangerous banking Trojan called Anubis.
The malicious apps, some of which had collected a large number of fake five-star reviews, rely on this clever trick instead of traditional evasion techniques.
The researchers explain in a blog post that, “As a user moves, their device usually generates some amount of motion sensor data. The malware developer is assuming that the sandbox for scanning malware is an emulator with no motion sensors, and as such will not create that type of data”.
They added, “If that is the case, the developer can determine if the app is running in a sandbox environment by simply checking for sensor data.”
Once downloaded, the malicious app uses the infected device’s motion sensor to detect whether the user or the device is moving. If both the device and the user are standing still, the malicious code does not run. As soon as the sensor registers motion, the app runs the malicious code and tries to trick the user into downloading and installing the malicious Anubis payload APK as a bogus system update, masquerading as a “stable version of Android.”
If the user approves the fake system update, the built-in malware dropper uses requests and responses to legitimate services, including Twitter and Telegram, to locate its command and control (C&C) server and downloads the Anubis banking Trojan onto the infected device.
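To make the sandbox check concrete from the analyst's side, here is an added example (not code from Trend Micro or from the malware) that models the "is anything moving?" gate as the variance of accelerometer magnitude over a window of readings, and shows why a stock emulator with a flat or absent sensor feed trips it while a sandbox that injects realistic jitter does not. The variance heuristic, the threshold and the synthetic readings are all assumptions for illustration.

```python
import math
import random
from typing import Iterable, List, Tuple

Reading = Tuple[float, float, float]  # accelerometer x, y, z in m/s^2
GRAVITY = 9.81

def motion_score(readings: Iterable[Reading]) -> float:
    """Sample variance of the acceleration magnitude across a window.
    A motionless emulator reports a constant vector (or nothing at all),
    so the variance is ~0; a phone in a hand or pocket jitters around 1g."""
    mags = [math.sqrt(x * x + y * y + z * z) for x, y, z in readings]
    if len(mags) < 2:
        return 0.0
    mean = sum(mags) / len(mags)
    return sum((m - mean) ** 2 for m in mags) / (len(mags) - 1)

def looks_like_sandbox(readings: Iterable[Reading], threshold: float = 1e-3) -> bool:
    """The gate the article describes: no (or flat) sensor data means
    'probably an emulator', so the payload stays dormant. The threshold
    value is an assumption, not taken from the samples."""
    return motion_score(list(readings)) < threshold

def synthetic_handheld_readings(n: int = 50, seed: int = 0,
                                jitter: float = 0.15) -> List[Reading]:
    """Sandbox hardening (an assumption, not Trend Micro's tooling): feed the
    emulated accelerometer a gravity vector with Gaussian noise so that a
    simple 'no motion' check cannot tell it apart from a carried phone."""
    rng = random.Random(seed)
    return [(rng.gauss(0.0, jitter), rng.gauss(0.0, jitter),
             rng.gauss(GRAVITY, jitter)) for _ in range(n)]

if __name__ == "__main__":
    # Constructed sensor traces: a flat emulator feed, no sensor, and a hardened sandbox.
    stock_emulator: List[Reading] = [(0.0, 0.0, GRAVITY)] * 50
    no_sensor: List[Reading] = []
    hardened = synthetic_handheld_readings()
    for name, trace in [("stock emulator", stock_emulator),
                        ("no sensor", no_sensor),
                        ("hardened sandbox", hardened)]:
        print(f"{name:17s} score={motion_score(trace):.4f} "
              f"payload dormant={looks_like_sandbox(trace)}")
```

Run against a real analysis environment, the same check tells you whether your emulator's sensor feed is distinguishable from a handheld device, which is the property this dropper relies on.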
The researchers explain that, “One of the ways the app developers hide the malicious server is by encoding it in Telegram and Twitter web page requests. The bank malware dropper will request Telegram or Twitter after it trusts the running device”.
“Then, it registers with the C&C server and checks for commands with an HTTP POST request. If the server responds to the app with an APK command and attaches the download URL, then the Anubis payload will be dropped in the background.”
Once the device is compromised, the Anubis banking Trojan obtains the user’s banking account credentials either with a built-in keylogger or by taking screenshots of the screen when the user enters credentials into a banking app. Most banking Trojans instead launch a fake overlay on top of bank login pages to steal credentials.
According to the Trend Micro researchers, the latest version of Anubis has been distributed to 93 different countries and targets users of at least 377 variations of financial apps to extract bank account details.
The banking Trojan also has the ability to gain access to contact lists and location, send spam messages to contacts, call numbers from the device, record audio, and alter external storage.
Google has removed the two malicious apps from its Play Store. They are not the last entries on the malicious list, however; some such apps are still on the Play Store.
As a user, be careful when downloading applications from the Play Store and double-check the permissions each app requests.