In AppSealing Blog

Security vulnerabilities in Android OS have long been exploited by hackers to their advantage, resulting in wide-ranging mayhem and business loss. Such occurrences have become increasingly visible in both scale and audacity. Two recent examples of such security breaches reinforce that adopting a robust security framework is no longer an “option” but has become a necessity to protect applications from ever-looming security threats. Android users were the primary target group of these attacks, which infected devices primarily through malicious apps on Google Play.

The first of these threats was identified by Trend Micro and involved attackers spreading malware using nine malicious Android apps. They presented themselves as utility, optimizer, and booster applications. Installing these apps also downloaded malware, which was used to manipulate data on target devices. This campaign was found to have been active since 2017 and was used to perform mobile ad fraud. Upon analysis, it came to light that almost 3,000 variants of malware existed on the compromised devices.

Under the guise of providing performance-enhancement features such as optimization, cleaning, and file deletion, these apps were downloaded more than 470,000 times. They downloaded malicious payloads along with them, which sat on the host devices as system applications without showing up in the device’s application list. The malware variants were then used to post fake positive reviews of the malicious apps, enhancing their credibility and driving more downloads, thus triggering a vicious cycle.

Speed Clean was one such malicious app that promised enhanced mobile performance. While the app was in use, ads popped up, which is seemingly innocuous behavior. In the background, however, malicious activity took place: the app established connections with remote ad configuration servers to register the malware and then began pushing malicious ad content to users, performing ad fraud in the process. This also involved tricking users into enabling accessibility permissions on compromised devices, which deactivated Google Play Protect’s security features and resulted in more malware being downloaded onto the device without the user’s knowledge. The malicious apps also had the capability to log in using the user’s Google and Facebook accounts.

The malware’s clandestine operations went unnoticed for about three years before their intent was discovered. The apps have since been removed from Google Play. Japan, Taiwan, the US, India, and Thailand figured among the regions most impacted by this campaign.

The second campaign was discovered by Cofense and involved spreading the Anubis banking Trojan through phishing emails. Originally built for cyber espionage, this powerful Trojan can completely hijack an Android device, steal data, and encrypt the host device’s files using RC4, thus acting as powerful ransomware!

Anubis boasts a host of powerful capabilities, including capturing screenshots, making phone calls, recording audio, locking the device, harvesting contacts, sending and managing messages, retrieving location, searching files, reading the device ID, and more.

Distributed via phishing emails as an Android package, the unsigned application asks the user to grant app permissions upon installation. Disguised as a request to enable Google Play Protect, this permission grant lets the Trojan steal device data and disable the real Play Protect. The installed app then gathers information about all applications installed on the affected device and compares them against a list of target apps, especially banking and fintech apps. Once a target app is identified, Anubis overlays it with a fake login page to capture the user’s credentials. A keylogger is also packaged with the malware, which can capture all keystrokes performed by the device’s user.
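The overlay and accessibility abuse described above is something an app can partially defend itself against. The following Kotlin snippet is an added illustration for this post, not AppSealing’s code or anything from the Trend Micro or Cofense reports: it hardens a hypothetical login screen by rejecting touches that arrive while another window covers it, blocking screen capture of the credential screen, and warning when accessibility services outside an app-defined allow-list are active. The layout ids (`activity_login`, `password`, `submit`) and the `trustedAccessibilityPackages` set are assumptions for the example.

```kotlin
// Added example (not the page's or AppSealing's code): hardening a login
// screen against overlay (tapjacking) and accessibility-service abuse.
import android.accessibilityservice.AccessibilityServiceInfo
import android.os.Bundle
import android.util.Log
import android.view.MotionEvent
import android.view.WindowManager
import android.view.accessibility.AccessibilityManager
import android.widget.Button
import android.widget.EditText
import androidx.appcompat.app.AlertDialog
import androidx.appcompat.app.AppCompatActivity

class LoginActivity : AppCompatActivity() {

    // Hypothetical allow-list: accessibility services the app's security team has reviewed.
    // Genuine assistive tools (e.g. TalkBack) use the same API as the malware, so warn, don't block.
    private val trustedAccessibilityPackages = setOf("com.google.android.marvin.talkback")

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // Prevent screenshots and screen recording of the credential screen.
        window.addFlags(WindowManager.LayoutParams.FLAG_SECURE)
        setContentView(R.layout.activity_login) // layout assumed to exist for this example

        val password = findViewById<EditText>(R.id.password)
        val submit = findViewById<Button>(R.id.submit)
        // Discard touches delivered while another window (an overlay) obscures these views.
        password.filterTouchesWhenObscured = true
        submit.filterTouchesWhenObscured = true
    }

    override fun onResume() {
        super.onResume()
        val unknown = untrustedAccessibilityServices()
        if (unknown.isNotEmpty()) {
            // Record for the security team and tell the user what is running.
            Log.w(TAG, "Unreviewed accessibility services active: $unknown")
            showAccessibilityWarning(unknown)
        }
    }

    /** Ids ("package/class") of enabled accessibility services not on the allow-list. */
    private fun untrustedAccessibilityServices(): List<String> {
        val am = getSystemService(AccessibilityManager::class.java)
        return am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
            .filter { it.resolveInfo.serviceInfo.packageName !in trustedAccessibilityPackages }
            .map { it.id }
    }

    override fun dispatchTouchEvent(ev: MotionEvent): Boolean {
        // Activity-wide check: the system sets this flag when a window from another
        // app covered the touch point, which is how overlay-based credential theft works.
        val obscured = (ev.flags and MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0
        if (obscured) {
            Log.w(TAG, "Touch arrived while the window was obscured; ignoring it")
            return true // consume the event without acting on it
        }
        return super.dispatchTouchEvent(ev)
    }

    private fun showAccessibilityWarning(services: List<String>) {
        AlertDialog.Builder(this)
            .setTitle("Accessibility service active")
            .setMessage(
                "The following accessibility services can read this screen: " +
                    services.joinToString() +
                    ". If you do not recognise them, disable them in Settings before signing in."
            )
            .setPositiveButton(android.R.string.ok, null)
            .show()
    }

    companion object {
        private const val TAG = "LoginActivity"
    }
}
```

`filterTouchesWhenObscured` and `FLAG_WINDOW_IS_OBSCURED` only cover windows drawn by other apps on top of yours; they do not detect an accessibility service that reads your views without drawing anything, which is why the accessibility-service check is surfaced separately as a warning rather than a hard block.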

Developers and security architects need to consider such attacks while developing their apps so that a vulnerability introduced by a careless user does not allow hackers to access their apps. In such situations, AppSealing’s RASP protection layers can guard apps against exploitation by malware introduced through malicious apps and provide a scalable, robust security framework in minutes without any coding. With 600+ apps leveraging the power of AppSealing to stay protected in an increasingly complex threat landscape, it is high time you opted for AppSealing too!

Govindraj Basatwar, Global Business Head
A techno-commercial evangelist who creates, develops, and executes a clear vision for teams. Successfully created a SaaS business model with multi-million-dollar revenues globally. Proven leadership track record of establishing foreign companies in India with market-entry strategy, business plan, sales, and business development activities.
