Google Play has removed two malicious apps that were infecting devices with a notorious banking malware bent on scooping up victims’ credentials.
The two apps, Currency Converter and BatterySaverMobo, purported to be useful mobile tools that help users calculate currency and optimize mobile battery life, researchers with Trend Micro said in a Thursday analysis. But in reality, they were dropping a malicious payload – linked to the Anubis banking malware – onto devices, and using a swathe of tricks to evade detection.
“Gaps in mobile security can lead to severe consequences for many users because devices are used to hold so much information and connect to many different accounts,” Kevin Sun, mobile threat analyst with Trend Micro, said in the report. “Users should be wary of any app that asks for banking credentials in particular, and be sure that they are legitimately linked to their bank.”
Overall, researchers found that the latest version of Anubis has been distributed to 93 different countries and targets the users of 377 variations of financial apps to farm account details.
The malware also enables attackers to access contact lists and device location, and it has the capabilities to record audio, send SMS messages, make calls and alter external storage. Anubis can use these permissions to send spam messages to contacts, call numbers from the device and carry out other malicious activities, Sun said.
The two apps hid their malicious capabilities well, researchers said. BatterySaverMobo for instance logged more than 5,000 downloads (the majority of them in Japan) before it was removed from the Google Play marketplace, and had a review score of 4.5 from more than 70 users, making it appear to be legitimate (though Sun said some of the reviews may not have been valid).
Upon further investigation, researchers saw that the apps both dropped a payload that they could “safely” link to the Anubis malware – a banking trojan that has been spotted as part of several previous Google Play campaigns.
Anubis was seen in a June campaign reported by IBM’s X-Force team, in which 10 malicious downloaders, disguised as various Google Play applications, fetched the mobile banking trojan and ran it on Android devices.
“Upon analysis of the payload, we noted that the code is strikingly similar to known Anubis samples,” Sun said. “And we also saw that it connects to a command and control (C&C) server with the domain aserogeege.space, which is linked to Anubis as well.”
Once the app is downloaded, the malicious code begins to run and then tricks victims with a fake system update on their phone. When users click that update, the app downloads and installs its payload APK. From there, the malware runs an array of tricky tactics and techniques to evade detection and ultimately collect victims’ credentials.
While many mobile trojans launch a fake overlay screen that then steals credentials that are input into that overlay, Anubis operates a bit differently.
The malware instead uses a built-in keylogger that can steal a user’s account credentials by recording what they type. It can also take screenshots of infected users’ screens.
Anubis displays various evasion techniques to hide from device users. Once downloaded, for example, the malware tries to use motion sensor data to hide its activities.
The malicious app monitors the user’s steps through the device motion sensor – if a cell phone’s motion sensor indicates it is not moving, the malicious code will not run because a lack of sensor data may indicate that the device is running in a sandbox environment.
“As a user moves, their device usually generates some amount of motion sensor data,” Sun explained. “The malware developer is assuming that the sandbox for scanning malware is an emulator with no motion sensors, and as such will not create that type of data. If that is the case, the developer can determine if the app is running in a sandbox environment by simply checking for sensor data.”
Another trick the app developers had up their sleeves was disguising the malicious server by encoding it in Telegram and Twitter web page requests.
After download, the banking malware dropper requests a Telegram or Twitter web page to obtain the C&C address. It then registers with the C&C server and checks for commands with an HTTP POST request. If the server responds to the app with an APK command and attaches the download URL, the Anubis payload is dropped in the background.
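The request chain described above (decoy social-media fetch, POST to the C&C, APK download) is something a dynamic-analysis sandbox can flag from its network log. The following heuristic is an example added for this article, not Trend Micro’s tooling; the tab-separated log format and the sample lines are constructed, and the C&C domain is the one the report names.

```python
"""Flag the Anubis dropper's request chain in a per-app HTTP log.

Constructed log format (tab-separated): time, method, host, path,
response content-type. Example code, not from the original report.
"""
from dataclasses import dataclass
from typing import List, Optional

# Hosts the dropper fetches first; the real C&C address is hidden in the page.
DECOY_HOSTS = {"telegram.org", "t.me", "twitter.com", "mobile.twitter.com"}
APK_MIME = "application/vnd.android.package-archive"


@dataclass
class Request:
    ts: int
    method: str
    host: str
    path: str
    resp_type: str


def parse_log(text: str) -> List[Request]:
    rows = []
    for line in text.strip().splitlines():
        ts, method, host, path, resp_type = line.split("\t")
        rows.append(Request(int(ts), method.upper(), host.lower(), path, resp_type.lower()))
    return rows


def detect_dropper_chain(reqs: List[Request]) -> Optional[dict]:
    """Return suspected C&C host and payload URL when the ordered chain
    decoy GET -> POST to a non-decoy host -> APK download is observed."""
    decoy_seen, c2_host = False, None
    for r in reqs:
        if r.method == "GET" and r.host in DECOY_HOSTS:
            decoy_seen = True
        elif decoy_seen and r.method == "POST" and r.host not in DECOY_HOSTS:
            c2_host = r.host  # first non-social POST after the decoy fetch
        elif c2_host and r.method == "GET" and r.resp_type == APK_MIME:
            return {"c2_host": c2_host, "payload_url": f"https://{r.host}{r.path}"}
    return None


# Constructed sample: path and CDN host are placeholders, not real indicators.
SAMPLE_LOG = """\
1\tGET\ttelegram.org\t/s/placeholder_channel\ttext/html
2\tPOST\taserogeege.space\t/placeholder/checkin\ttext/plain
3\tGET\tcdn.example.invalid\t/placeholder.apk\tapplication/vnd.android.package-archive
"""
# Constructed benign sample: a social fetch followed by ordinary API traffic.
BENIGN_LOG = "1\tGET\ttwitter.com\t/home\ttext/html\n2\tPOST\tapi.example.invalid\t/v1/sync\tapplication/json\n"
```

A matching chain is a strong signal only when all three steps appear in order; the benign sample shows that a POST after a social-media fetch alone does not trigger it.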
Though they keep cropping up, Google Play has continued to weed out malicious apps delivering bad functions, from adware to mobile trojans.
Earlier this month, Google Play removed at least 85 fake apps harboring adware, disguised as game, TV and remote control simulator apps. Once downloaded, the fake apps hid themselves on the victim’s device and continued to show a full-screen ad every 15 minutes.
Last year, Google removed 22 malicious adware apps, ranging from flashlights and call recorders to WiFi signal boosters, that had been downloaded up to 7.5 million times from the Google Play marketplace. And an Android app booby-trapped with malware was taken down from Google Play in November, after being available for download for almost a year.