300,000 Google Play users have been infected with Android banking malware

Malware campaigns distributing Android Trojans that steal online banking credentials have infected nearly 300,000 devices via malicious apps distributed through Google's Play Store. Once installed, the banking Trojans wait for the user to log into an online banking or cryptocurrency app and then attempt to steal the credentials. The theft is usually carried out with an overlay attack: a fake banking login form is drawn on top of the legitimate app's login screen, so whatever the user types goes to the malware. The stolen credentials are then sent to the attacker's servers, where they are collected and either sold to other threat actors or used to steal cryptocurrency and cash from the victims' accounts.

In a new report, ThreatFabric researchers explain how they discovered four separate malware distribution campaigns pushing banking Trojans through the Google Play Store. Threat actors infiltrating the Play Store with Android banking Trojans is nothing new, but recent changes to Google's policies and increased enforcement have forced them to evolve their tactics to escape detection. This evolution includes creating small, realistic-looking apps built around common themes such as fitness, cryptocurrency, QR codes and PDF scanning to entice users to install them. To give the apps additional legitimacy, the threat actors also create websites that match each app's theme, which helps the apps pass Google's review.

Additionally, ThreatFabric found that these apps were only distributed in specific regions or at later dates to further evade detection by Google and antivirus vendors. "This oversight by Google has forced actors to find ways to drastically reduce the footprint of dropper apps. In addition to improving the malicious code, the Google Play distribution campaigns are also more refined than previous ones," the ThreatFabric researchers explain in the report.

"For example, introducing small, carefully planned malicious code updates over a longer period of time in Google Play, as well as sporting a C2 dropper backend to fully match the theme of the dropper app (e.g., a functional fitness website for a workout-oriented app)." Once these "dropper" applications are installed, they silently communicate with the threat actor's server to receive commands. When the actor is ready to distribute the banking Trojan, the server instructs the installed app to perform a fake "update" that drops and launches the malware on the Android device.
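As an added defensive example (not code from this article or from ThreatFabric), the script below triages the permission sets of installed packages for the combination the dropper technique relies on: an overlay permission (used for fake login forms) together with the ability to install packages from outside Play (used for the fake "update" that drops the second stage). It parses the text form of `adb shell dumpsys package`; the excerpt embedded below is constructed and only approximates the real output layout, so the format handling is an assumption to check against a real device.

```python
"""Triage installed Android packages for the overlay + side-load pattern.

Input is the text of `adb shell dumpsys package` (all packages). The sample
below is CONSTRUCTED to resemble that output; field names and indentation are
an assumption, not a capture from a real device.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Permissions tied to the technique: overlay windows for fake login screens,
# and installing APKs outside Play for the fake "update" that drops the Trojan.
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
INSTALL = "android.permission.REQUEST_INSTALL_PACKAGES"

# Constructed sample: one fitness-themed app requesting both permissions,
# one PDF scanner that only needs camera and network access.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.fitcoach] (1a2b3c):
    userId=10234
    firstInstallTime=2021-11-20 10:02:11
    lastUpdateTime=2021-11-28 18:40:05
    requested permissions:
      android.permission.INTERNET
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.REQUEST_INSTALL_PACKAGES
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.REQUEST_INSTALL_PACKAGES: granted=true
  Package [com.example.pdfscan] (4d5e6f):
    userId=10235
    firstInstallTime=2021-11-22 09:15:30
    requested permissions:
      android.permission.INTERNET
      android.permission.CAMERA
    install permissions:
      android.permission.INTERNET: granted=true
"""


@dataclass
class PackageInfo:
    name: str
    requested: Set[str] = field(default_factory=set)
    granted: Set[str] = field(default_factory=set)
    first_install: str = ""
    last_update: str = ""


def parse_dumpsys(text: str) -> Dict[str, PackageInfo]:
    """Walk the dumpsys text, collecting requested/granted permissions per package."""
    packages: Dict[str, PackageInfo] = {}
    current = None
    section = None  # "requested", "install" or None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Package \[([\w.]+)\]", line)
        if m:
            current = PackageInfo(name=m.group(1))
            packages[current.name] = current
            section = None
            continue
        if current is None:
            continue
        if line.startswith("firstInstallTime="):
            current.first_install = line.split("=", 1)[1]
        elif line.startswith("lastUpdateTime="):
            current.last_update = line.split("=", 1)[1]
        elif line == "requested permissions:":
            section = "requested"
        elif line == "install permissions:":
            section = "install"
        elif line.endswith(":"):
            section = None  # some other sub-section we do not care about
        elif section == "requested" and line.startswith("android.permission."):
            current.requested.add(line)
        elif section == "install" and line.startswith("android.permission."):
            name, _, rest = line.partition(":")
            if "granted=true" in rest:
                current.granted.add(name.strip())
    return packages


def flag_dropper_candidates(packages: Dict[str, PackageInfo]) -> List[Tuple[str, str, List[str]]]:
    """Return (package, last update time, reasons) for packages that can both
    draw overlays and install APKs. Either capability alone is common in
    legitimate apps; the combination is what deserves a closer look."""
    findings = []
    for pkg in packages.values():
        reasons = []
        if OVERLAY in pkg.requested:
            reasons.append("requests overlay permission (fake login forms)")
        if INSTALL in pkg.requested or INSTALL in pkg.granted:
            reasons.append("can install packages outside Play (second-stage 'update')")
        if len(reasons) == 2:
            findings.append((pkg.name, pkg.last_update or pkg.first_install, reasons))
    return findings


if __name__ == "__main__":
    for name, when, reasons in flag_dropper_candidates(parse_dumpsys(SAMPLE_DUMPSYS)):
        print(f"{name} (last changed {when}):")
        for r in reasons:
            print(f"  - {r}")
```

On a real device, feed the script the output of `adb shell dumpsys package` and review the flagged packages alongside their update history; a package whose malicious update arrived weeks after install, as the article describes, will show a `lastUpdateTime` well after `firstInstallTime`.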
