Banking Trojan Outwits Google Verify Apps Scanner

A banking Trojan hiding in a casino app was removed from Google Play. The malware slipped past Google's Verify Apps malware scanner and got into the marketplace.

Google Play’s first line of defense against malware was circumvented by attackers who managed to sneak a malicious app called “Black Jack Free” into the official app store. The app was discovered by Lookout Security and removed by Google last week. Lookout estimates that 5,000 people downloaded the app that can siphon financial data from phones, intercept SMS messages and drop additional malicious apps onto a targeted phone.

Google relies on an automated system called Verify Apps to vet apps submitted to the Google Play app store. It isn’t perfect, but security experts say they are surprised that something as glaring as a banking Trojan was able to slip past Google’s defenses.

“The greatest danger to Android users are apps downloaded from third-party stores,” said Christoph Hebeisen, manager of security research and response at Lookout. “What this Trojan shows is that people, even when behaving sensibly and only downloading apps from Google Play, can still get hit by malware.”

Lookout said the app contains a variant of the Acecard malware that has been on its radar for months. This variant, Hebeisen said, was bundled with the casino game Black Jack Free. Once the app was installed, Acecard went to work and attempted to download and install a secondary app called Play Store Update, according to a Lookout blog post announcing its discovery Monday. This second app, Play Store Update, is actually an overlay Trojan “that displays overlay windows over legitimate banking apps and some other popular apps such as Facebook and Skype to trick people into entering their online banking credentials and credit card information,” according to Lookout.

“This is not a technical first. It’s not unique in what it does. But put the whole bunch of things together – and add the fact it managed to get into the Google Play store – and that combination of events doesn’t happen frequently,” Hebeisen said.

Increasingly, the challenge for attackers isn’t to write brilliant zero-day exploits. Rather, more attention is being spent on how to fly under the radar of app store watchdogs, whether it be Apple’s App Store or Google Play, Hebeisen said. Earlier this year Apple gave an iOS app the boot from its Chinese iTunes App Store after attackers created a malicious app specifically designed to evade Apple’s app reviewers. To add insult to injury, security experts are also seeing a rise in a black market for overlay malware. Last month, security researchers at IBM’s X-Force reported a flood of new variants of overlay malware in recent months.

Hebeisen said in the case of the Acecard malware, the attackers were able to avoid detection because at first Black Jack Free appeared benign. “All the attackers were interested in doing was gaining a persistent foothold onto the device,” he said.

In addition to overlay malware, the app was also capable of intercepting SMS messages and forwarding them to a malware server, sending SMS messages while impersonating the owner of the device, forwarding phone calls, locking the device screen, and wiping all user data from the device, said Lookout in its report.

Based on services and banks targeted, attackers were focused on Android users in the U.S., Poland, Germany and Portugal, Lookout reported.

Discussion

  • Lee on

    In this case, it appears that 'allow mock installations' and installs from other sources would be required for the secondary malicious app to succeed.
    • Anonymous on

      Allow 'unknown sources' is not needed, since the original app is already in the Google store; it can download more modules, like the malware in this case.