Android malware infected more than 300,000 devices with banking trojans

The initial apps in Google Play were safe, but their creators found a way around the Play Store's protections to install malware on Android users' devices. Here is how it happened and how you can stay safe.

Image: marchmeena29, Getty Images/iStockphoto

A November report from ThreatFabric revealed that more than 300,000 Android users unknowingly downloaded malware with banking trojan capabilities, and that it bypassed the Google Play Store restrictions.

The cybercriminals developed a technique for successfully infecting Android users with different banking trojans, which are designed to gain access to user account credentials. The first step was to submit apps to the Google Play Store that had almost no malicious footprint and that actually looked like functional, useful applications, such as QR code scanners, PDF scanners, cryptocurrency-related apps or fitness-related apps.

Once launched, these apps asked the user to perform an update, which was downloaded outside of the Google Play Store (a sideloading technique) and installed the malicious content on the Android device.


So, while the initial application didn't contain anything malicious, it provided a way to install the malicious content after the installation was done, making it completely invisible to the Google Play Store.

The attackers were careful enough to submit an initial version of their applications which didn't contain any download or install functionality, and later updated the applications on the Google Play Store with additional permissions, allowing the download and installation of the malware. They also set restrictions, using mechanisms to ensure the payload was only installed on real victims' devices and not in testing environments, making it even harder to detect.

ThreatFabric discovered four different banking trojan families: Anatsa, Alien, Hydra and Ermac, with Anatsa being the most widespread.

The security of the Google Play Store

Google Play is the main repository for Android applications, and any developer can submit his or her own application to the Play Store. The submitted application will then go through an app review process to ensure that it isn't malicious and doesn't violate any of the developer policies.

These policies mostly involve ensuring that the content of the app is appropriate, that it doesn't impersonate or copy other apps or people, that it complies with monetization policies, and that it provides minimal functionality (it shouldn't crash all the time, and it should respect the user experience).

On the security side, submitted apps should of course not be malicious: an app shouldn't put a user or their data at risk, compromise the integrity of the device, gain control over the device, enable remote-controlled operations for an attacker to access, use or exploit a device, transmit any personal data without adequate disclosure and consent, or send spam or commands to other devices or servers.

Google's process for examining submitted applications also includes permission verifications. Some permissions or APIs, considered sensitive, require the developer to file specific authorization requests and have them reviewed by Google to ensure the application really needs them.

Malware and PUA on the Google Play Store

While being very aware of the problem and actively deploying new methods to deal with malware, the Google Play Store can still be bypassed in rare cases. The whole review process applied to application submissions for the Google Play Store makes it really hard for cybercriminals to spread malware via the platform, though it is unfortunately still possible.

A study released in November 2020 by the NortonLifeLock Research Group revealed that among 34 million APKs spread on 12 million Android devices, between 10% and 24% of them could be described as malicious or potentially unwanted applications, depending on different classifications. Of these applications, 67% were installed from the Google Play Store. The researchers note that "the Play market is the main app distribution vector responsible for 87% of all installs and 67% of unwanted installs. However, its vector detection ratio is only 0.6%, showing that the Play market defenses against unwanted apps work, but still significant amounts of unwanted apps are able to bypass them, making it the main distribution vector for unwanted apps." In the end, users are more likely to install malware by downloading it from web pages via their device browsers or from other marketplaces.

How to protect your Android device from malware

With just a few steps, it is possible to significantly reduce the risk of an Android device being compromised.

  • Avoid unknown stores. Unknown stores typically don't have any malware detection processes, unlike the Google Play Store. Don't install software on your Android device that comes from untrusted sources.
  • Carefully check requested permissions when installing an app. Applications should only request permissions for necessary APIs. A QR code scanner shouldn't ask for permission to send SMS, for example. Before installing an application from the Google Play Store, scroll down on the app description and click on App Permissions to check what it requests.
  • A quick request for an update after installation is suspicious. An application downloaded from the Play Store is supposed to be its latest version. If the app asks for update permission on the first run, immediately after its installation, it is suspicious.
  • Check the context of the application. Is the application the first one from a developer? Does it have only a few reviews, perhaps only five-star reviews?
  • Use security applications on your Android device. Comprehensive security applications should be installed on your device to protect it.
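The permission creep described earlier (a harmless first version, then an update that adds the permissions needed to download and install a payload) and the "check requested permissions" advice in the list above are both things a reviewer can automate. The following Python script is an added example, not code from the article, from ThreatFabric or from Google: it diffs the `<uses-permission>` entries of two versions of an app's AndroidManifest.xml (as you would get by decoding each APK with a tool such as apktool) against a hypothetical per-category baseline and flags newly added sensitive permissions. The package name com.example.qrscan, the two sample manifests and the EXPECTED_BY_CATEGORY baseline are constructed for this example.

```python
"""Flag suspicious permission changes between two versions of an Android app.

Added example for this article, not ThreatFabric's or Google's code. It assumes
you have the AndroidManifest.xml of each version (e.g. decoded with apktool) and
an expected-permission baseline per app category. All sample data is constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions a reviewer should never see appear silently in an update of a
# small utility app: they allow installing further packages or abusing SMS.
SENSITIVE_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES",  # required to sideload an "update"
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SYSTEM_ALERT_WINDOW",
}

# Hypothetical baseline: what a QR code scanner legitimately needs.
EXPECTED_BY_CATEGORY = {
    "qr_scanner": {"android.permission.CAMERA", "android.permission.INTERNET"},
}


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission android:name="..."/> values in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def review_update(category: str, old_manifest: str, new_manifest: str) -> dict:
    """Compare two manifest versions and report what a reviewer would ask about."""
    before = declared_permissions(old_manifest)
    after = declared_permissions(new_manifest)
    added = after - before
    baseline = EXPECTED_BY_CATEGORY.get(category, set())
    return {
        "added": sorted(added),
        "added_sensitive": sorted(added & SENSITIVE_PERMISSIONS),
        "outside_baseline": sorted(after - baseline),
        "can_install_packages": "android.permission.REQUEST_INSTALL_PACKAGES" in after,
    }


def is_suspicious(findings: dict) -> bool:
    """An update that gains a sensitive permission or install capability needs a closer look."""
    return bool(findings["added_sensitive"]) or findings["can_install_packages"]


# Constructed sample manifests for a fictional QR scanner, version 1 and version 2.
V1_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.qrscan" android:versionCode="1">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

V2_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.qrscan" android:versionCode="2">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>"""


if __name__ == "__main__":
    findings = review_update("qr_scanner", V1_MANIFEST, V2_MANIFEST)
    for key, value in findings.items():
        print(f"{key}: {value}")
    print("suspicious:", is_suspicious(findings))
```

Run against the two constructed manifests, the version 2 update is flagged because it adds both REQUEST_INSTALL_PACKAGES and SEND_SMS, neither of which a QR scanner needs; the same comparison, done by hand, is what the App Permissions section of a Play Store listing lets a user do before and after an update.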

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.