Researchers said they found a group of apps that had been downloaded from Google Play more than 300,000 times before they were revealed to be banking Trojans that surreptitiously stole user passwords and two-factor authentication codes, logged keystrokes, and took screenshots.
The apps, which included QR scanners, PDF scanners, and cryptocurrency wallets, belonged to four separate Android malware families that were distributed over four months. They used several tricks to sidestep restrictions Google has devised in an attempt to rein in the unending distribution of fraudulent apps in its official marketplace. Those restrictions include limiting the use of accessibility services, which are intended for visually impaired users, to prevent the automatic installation of apps without user consent.
“What makes these Google Play distribution campaigns so difficult to detect from an automation (sandbox) and machine learning perspective is that the dropper apps all have a very small footprint,” researchers at mobile security company ThreatFabric wrote in a post. “This small footprint is a (direct) consequence of the permission restrictions enforced by Google Play.”
Instead, the campaigns typically delivered a benign app at first. Once the app was installed, users received a notification prompting them to download an update. The apps often required those updates to be downloaded from third-party sources, but by then many users had come to trust them. Most of the apps initially had zero detections from the malware scanners available on VirusTotal.
The apps flew under the radar in other ways as well. In many cases, the malware operators pushed the malicious update only after checking details of the infected phone, or rolled updates out incrementally rather than to every device at once.
“This incredible attention dedicated to evading unwanted attention renders automated malware detection less reliable,” the ThreatFabric post said. “This assumption is confirmed by the very low overall VirusTotal score of the droppers we have investigated in this blog post.”
The malware family responsible for the most infections is known as Anatsa. This “rather advanced Android banking Trojan” offers a range of capabilities, including remote access and automatic transfer systems, which empty victims’ accounts and send the contents to accounts controlled by the malware operators.
The researchers wrote:
The Anatsa infection process looks like this: on starting the app installed from Google Play, the user is forced to update the app in order to continue using it. At this moment, [the] Anatsa payload is downloaded from the C2 server(s) and installed on the device of the unsuspecting victim.
The actors took care to make their apps look legitimate and useful. There are large numbers of positive reviews for these apps. The high number of installations and the presence of reviews may convince Android users to install the app. Moreover, these apps do possess the claimed functionality; after installation they operate properly and further convince [the] victim [of] their legitimacy.
Despite the overwhelming number of installations, not every device that has these droppers installed will receive Anatsa, as the actors took steps to target only the devices of interest to them.
The other three malware families discovered by the researchers were Alien, Hydra, and Ermac. One of the droppers used to download and install the malicious payload was known as Gymdrop. It used filter rules based on the model of the infected device to avoid targeting researchers’ devices.
“If all conditions are met, the payload will be downloaded and installed,” the post said. “This dropper also doesn’t request Accessibility Service privileges; it only requests permission to install packages, spiced with the promise of installing new workout exercises, to convince the user to grant this permission. Once installed, the payload, [the] Alien banking Trojan, is launched.”
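The dropper footprint described above, an otherwise ordinary-looking app that asks only for permission to install packages and never for an accessibility service, is something a reviewer can check for in a decoded manifest. The following triage script is an added example, not tooling from ThreatFabric or Google; it assumes the AndroidManifest.xml has already been decoded to plain XML (for instance with apktool), and the three manifests it runs against are constructed here for illustration.

```python
"""Triage decoded AndroidManifest.xml files for dropper-style permission footprints.

Added example, not ThreatFabric's or Google's code. Assumes manifests are
already decoded to plain XML (e.g. by apktool). The sample manifests below are
constructed for illustration; the package names are hypothetical.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"

# Lets an app stage and install a second-stage APK it fetched itself.
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"
# Marks a service as an accessibility service, i.e. one that can read and drive the UI.
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed sample: a "QR scanner" with the Gymdrop-style footprint, nothing
# suspicious except the ability to install packages plus network access.
DROPPER_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.qrscanner">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="QR Scanner">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

# Constructed sample: a benign scanner with a plausible permission set.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.scanner">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Scanner">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

# Constructed sample: a second-stage payload that declares an accessibility
# service, the kind of footprint the dropper itself avoids showing on Play.
PAYLOAD_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.payload">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Update">
    <service android:name="com.example.payload.A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>
"""


def permissions(manifest_xml):
    """Return the set of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {e.get(NAME_ATTR) for e in root.iter("uses-permission")}


def accessibility_services(manifest_xml):
    """Return names of <service> elements gated by BIND_ACCESSIBILITY_SERVICE."""
    root = ET.fromstring(manifest_xml)
    return [s.get(NAME_ATTR) for s in root.iter("service")
            if s.get(PERMISSION_ATTR) == ACCESSIBILITY_PERM]


def triage(manifest_xml):
    """Return human-readable findings worth a second look; empty means nothing flagged."""
    findings = []
    perms = permissions(manifest_xml)
    if INSTALL_PERM in perms and "android.permission.INTERNET" in perms:
        findings.append("can fetch and install a package it downloads itself "
                        "(REQUEST_INSTALL_PACKAGES + INTERNET)")
    elif INSTALL_PERM in perms:
        findings.append("requests REQUEST_INSTALL_PACKAGES")
    a11y = accessibility_services(manifest_xml)
    if a11y:
        findings.append("declares accessibility service(s): " + ", ".join(a11y))
    return findings


if __name__ == "__main__":
    for label, manifest in (("dropper", DROPPER_MANIFEST),
                            ("benign", BENIGN_MANIFEST),
                            ("payload", PAYLOAD_MANIFEST)):
        print(label, triage(manifest) or ["nothing flagged"])
```

The check is a heuristic, not a verdict: browsers, file managers and alternative app stores legitimately request REQUEST_INSTALL_PACKAGES, and accessibility services are exactly what assistive apps declare. Its value is in narrowing a review queue to apps whose stated purpose (a QR scanner, a fitness app) does not explain why they need to install other packages.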
Asked to comment, a Google spokesman pointed to this post from April detailing the company’s methods for detecting malicious apps submitted to Play.