Android malware infected more than 300,000 devices with banking trojans

The initial apps in Google Play were safe, but their creators found a way around the Play Store's protections to install malware on Android users' devices. Here is how it happened and how you can stay safe.

Image: iStockphoto/solarseven

A November report from ThreatFabric revealed that more than 300,000 Android users unknowingly downloaded malware with banking trojan capabilities, and that it bypassed the Google Play Store's restrictions.

The cybercriminals developed a method for successfully infecting Android users with different banking trojans, which are designed to gain access to user account credentials. The first step was to submit apps to the Google Play Store that had virtually no malicious footprint and that genuinely looked like functional, useful applications, such as QR code scanners, PDF scanners, cryptocurrency-related apps or fitness-related apps.

Once launched, these apps asked the user to perform an update, which was downloaded outside of the Google Play Store (a sideloading technique) and installed the malicious content on the Android device.


So, while the initial application didn't contain anything malicious, it provided a way to install the malicious content after the installation was done, making it fully invisible to the Google Play Store.

The attackers were careful enough to submit an initial version of their applications that didn't contain any download or install functionality, and later updated the applications on the Google Play Store with additional permissions, allowing the download and installation of the malware. They also set restrictions by using mechanisms to ensure the payload was only installed on real victims' devices and not in testing environments, making it even harder to detect.

ThreatFabric discovered four different banking trojan families: Anatsa, Alien, Hydra and Ermac, with Anatsa being the most widespread.

The security of the Google Play Store

Google Play is the main repository for Android applications, and any developer can submit his or her own application to the Play Store. The submitted application will then go through an app review process to ensure that it is not malicious and does not violate any of the developer policies.


These policies mostly involve ensuring that the content of the app is appropriate, that it doesn't impersonate or copy other apps or people, that it complies with monetization policies, and that it provides minimal functionality (it shouldn't crash all the time, and it should respect the user experience).

On the security side, submitted apps should of course not be malicious: An app shouldn't put a user or their data at risk, compromise the integrity of the device, gain control over the device, enable remote-controlled operations for an attacker to access, use or exploit a device, transmit any personal data without sufficient disclosure and consent, or send spam or commands to other devices or servers.

Google's process for examining submitted applications also includes permission verifications. Some permissions or APIs, considered sensitive, require the developer to file specific authorization requests and have them reviewed by Google to ensure the application really needs them.

Malware and PUA on the Google Play Store

While Google is very aware of the problem and actively deploys new methods to tackle malware, the Google Play Store can still be bypassed in rare cases. The whole review process applied to application submissions for the Google Play Store makes it really hard for cybercriminals to spread malware via the platform, though it is unfortunately still possible.


A study released in November 2020 by the NortonLifeLock Research Group revealed that among 34 million APKs spread across 12 million Android devices, between 10% and 24% could be described as malicious or potentially unwanted applications, depending on the classification used. Of those applications, 67% were installed from the Google Play Store. The researchers indicate that "the Play market is the main app distribution vector responsible for 87% of all installs and 67% of unwanted installs. However, its vector detection ratio is only 0.6%, showing that the Play market defenses against unwanted apps work, but still significant amounts of unwanted apps are able to bypass them, making it the main distribution vector for unwanted apps." Still, users are more likely to install malware when downloading it from web pages via their device browsers or from other marketplaces.

How to protect your Android device from malware

With a few steps, it is possible to significantly reduce the risk of having an Android device compromised.

  • Avoid unknown stores. Unknown stores typically don't have any malware detection processes, unlike the Google Play Store. Don't install software on your Android device that comes from untrusted sources.
  • Carefully check requested permissions when installing an app. Applications should only request permissions for necessary APIs. A QR code scanner shouldn't ask for permission to send SMS, for example. Before installing an application from the Google Play Store, scroll down on the app description and click on App Permissions to check what it requests.
  • An immediate request for an update after installation is suspicious. An application downloaded from the Play Store is supposed to be the latest version of it. If the app asks for update permission on the first run, immediately after its installation, it is suspicious.
  • Check the context of the application. Is the application the first one from a developer? Does it have only a few reviews, maybe only five-star reviews?
  • Use security applications on your Android device. Comprehensive security applications should be installed on your device to protect it.
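As an added example (not part of the article or of ThreatFabric's research), the Python script below applies the permission check from the list above to the update pattern described earlier: it diffs the permissions declared by two versions of one app and flags sensitive additions, such as the permission needed to install sideloaded packages. It assumes the `uses-permission: name='...'` line format printed by `aapt dump permissions`; the package name and both permission dumps are constructed.

```python
# Diff the permissions declared by two versions of the same app and flag
# sensitive ones, to spot a benign first release followed by an update that
# adds what a dropper needs (download and install a payload, read SMS codes).
# Input is aapt-style "uses-permission: name='...'" text; the two dumps
# below are constructed for this example, not taken from a real app.
import re

# Permissions that are out of place for a simple utility such as a QR scanner.
SENSITIVE = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install sideloaded APKs",
    "android.permission.SEND_SMS": "can send SMS",
    "android.permission.READ_SMS": "can read SMS (e.g. one-time codes)",
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw over other apps",
    "android.permission.READ_CONTACTS": "can read contacts",
}

PERM_RE = re.compile(r"uses-permission: name='([^']+)'")


def parse_permissions(dump: str) -> set:
    """Extract the set of permission names from aapt-style dump text."""
    return set(PERM_RE.findall(dump))


def audit_update(old_dump: str, new_dump: str) -> dict:
    """Return permissions added by the update and which of them are sensitive."""
    old, new = parse_permissions(old_dump), parse_permissions(new_dump)
    added = new - old
    flagged = {p: SENSITIVE[p] for p in sorted(added) if p in SENSITIVE}
    return {"added": added, "flagged": flagged, "suspicious": bool(flagged)}


# Constructed sample: version 1 of a "QR scanner", then its update.
V1_DUMP = """package: com.example.qrscanner
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.INTERNET'
"""
V2_DUMP = """package: com.example.qrscanner
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.REQUEST_INSTALL_PACKAGES'
uses-permission: name='android.permission.READ_SMS'
"""

if __name__ == "__main__":
    result = audit_update(V1_DUMP, V2_DUMP)
    for perm, why in result["flagged"].items():
        print(f"update adds {perm}: {why}")
```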

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.
