Over 300,000 Devices Compromised by Four Android Banking Trojans

Threat actors designed dropper apps to distribute banking malware.


Researchers at cybersecurity firm ThreatFabric have uncovered four different Android banking trojans that were distributed via the Google Play Store between August and November 2021 and infected more than 300,000 devices through multiple dropper apps.

According to ThreatFabric analysts, the dropper apps were built to distribute the Android banking trojans Anatsa, Alien, ERMAC, and Hydra. The campaign was designed so carefully that payloads were installed only on smartphones in specific regions, and the malware was not downloaded at all while the app was going through the Play Store publishing process.

Once installed, this banking malware can perform classic overlay attacks to steal user passwords and SMS-based two-factor authentication codes, log keystrokes, take screenshots, and even drain users' bank accounts without their knowledge by using a capability known as an Automatic Transfer System (ATS). The apps have since been removed from the Play Store.

“To make themselves even more difficult to detect, the actors behind these dropper apps only manually activate the installation of the banking trojan on an infected device in case they desire more victims in a specific region of the world. This makes automated detection a much harder strategy to adopt by any organization,” reads the analysis published by the ThreatFabric researchers.

“VirusTotal does not showcase the evolution of detections of antivirus products over time, but almost all campaigns have or had a 0/62 FUD score on VirusTotal at some point in time, confirming the difficulty of detecting dropper apps with a minimal footprint.” 

The list of malicious dropper apps is below:

• Two Factor Authenticator (com.flowdivison) 
• Protection Guard (com.protectionguard.app) 
• QR CreatorScanner (com.ready.qrscanner.mix) 
• Master Scanner Live (com.multifuction.combine.qr) 
• QR Scanner 2021 (com.qr.code.generate) 
• QR Scanner (com.qr.barqr.scangen) 
• PDF Document Scanner – Scan to PDF (com.xaviermuches.docscannerpro2) 
• PDF Document Scanner Free (com.doscanner.mobile) 
• CryptoTracker (cryptolistapp.app.com.cryptotracker) 
• Gym and Fitness Trainer (com.gym.trainer.jeux)
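Because the droppers were removed from the Play Store but may still be installed on devices, a practical triage step is to compare a device's installed package list against the package names above. The following is an added example, not code from the article or from ThreatFabric; it assumes the output of `adb shell pm list packages -f` has been captured as text, and the sample output in the block is constructed rather than taken from a real device.

```python
"""Triage check: flag installed Android packages whose names match the
dropper apps named in the ThreatFabric report described above.
Added example, not from the article or ThreatFabric. Input is assumed to be
the text output of `adb shell pm list packages -f`."""
from __future__ import annotations

# Package names exactly as listed in the article (package -> published app name).
KNOWN_DROPPER_PACKAGES: dict[str, str] = {
    "com.flowdivison": "Two Factor Authenticator",
    "com.protectionguard.app": "Protection Guard",
    "com.ready.qrscanner.mix": "QR CreatorScanner",
    "com.multifuction.combine.qr": "Master Scanner Live",
    "com.qr.code.generate": "QR Scanner 2021",
    "com.qr.barqr.scangen": "QR Scanner",
    "com.xaviermuches.docscannerpro2": "PDF Document Scanner - Scan to PDF",
    "com.doscanner.mobile": "PDF Document Scanner Free",
    "cryptolistapp.app.com.cryptotracker": "CryptoTracker",
    "com.gym.trainer.jeux": "Gym and Fitness Trainer",
}


def parse_pm_list(output: str) -> dict[str, str]:
    """Parse `pm list packages [-f]` output into {package name: apk path}.

    With -f each line looks like `package:<apk path>=<package name>`;
    without -f it is just `package:<package name>`. The APK path on modern
    Android contains '=' characters (e.g. `~~Ab12==`), so the split must be
    on the LAST '='. Lines without the `package:` prefix are ignored.
    """
    installed: dict[str, str] = {}
    for raw in output.splitlines():
        line = raw.strip()
        if not line.startswith("package:"):
            continue
        body = line[len("package:"):]
        path, sep, pkg = body.rpartition("=")
        if not sep:  # no path present: output was produced without -f
            pkg, path = body, ""
        installed[pkg] = path
    return installed


def find_known_droppers(installed: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (package, published app name, apk path) for every installed
    package that matches one of the dropper package names, sorted by package."""
    return [
        (pkg, KNOWN_DROPPER_PACKAGES[pkg], path)
        for pkg, path in sorted(installed.items())
        if pkg in KNOWN_DROPPER_PACKAGES
    ]


# Constructed sample output (not captured from a real device).
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/data/app/~~Ab12==/com.qr.code.generate-Cd34==/base.apk=com.qr.code.generate
package:/data/app/~~Ef56==/com.example.notes-Gh78==/base.apk=com.example.notes
package:/data/app/~~Ij90==/com.flowdivison-Kl12==/base.apk=com.flowdivison
"""

if __name__ == "__main__":
    for pkg, name, path in find_known_droppers(parse_pm_list(SAMPLE_PM_OUTPUT)):
        print(f"MATCH {pkg} ({name}) at {path}")
```

A match only shows that a known dropper is installed; as the article explains, the banking trojan payload was fetched later and only for selected regions, so a matched device should be treated as suspect and examined further rather than assumed clean or assumed fully infected.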

Additionally, the researchers uncovered multiple samples dropped by the Brunhilda hacking group, which was also responsible for spreading the Vultur trojan in July 2021. In one case, they observed Brunhilda masquerading as a QR code creator app that dropped Hydra and ERMAC on users in the United States, a market the two malware families had not previously targeted.

“In the span of only 4 months, 4 large Android families were spread via Google Play, resulting in 300.000+ infections via multiple dropper apps. A noticeable trend in the new dropper campaigns is that actors are focusing on loaders with a reduced malicious footprint in Google Play, considerably increasing the difficulties in detecting them with automation and machine learning techniques,” researchers concluded.