The apps were removed by Google following reports

Oct 24, 2018 20:39 GMT  ·  By

If you ever thought Google had finally cleaned the Google Play store of banking Trojans, you're in for a big surprise: 29 more infected Android apps were found in the official store between August and early October 2018.

As discovered by ESET's malware researcher Lukas Stefanko, the banking Trojans were camouflaged as a wide variety of Android apps, possibly to reach a bigger audience, spanning multiple categories from horoscope and utility apps to system cleaners and boosters.

The apps in question put a lot of effort into staying as stealthy as possible and avoiding detection, unlike previously discovered malicious apps which masqueraded as fake banking apps and used straightforward phishing forms to try and collect their targets' banking credentials.

As reported by Stefanko, the 29 infected apps were removed by Google from the Play store after the search giant was notified, although the actors behind the banking Trojans masquerading as legitimate apps had already managed to get them installed by around 30,000 users.

As opposed to the fake banking apps mentioned above, the banking Trojans Stefanko found this time are a lot more complex and use a more sophisticated approach to steal banking info from their victims.

Moreover, they are capable of impersonating any application installed on the compromised Android device by using the HTML code of the app they want to mimic to create overlays with forms designed to steal and exfiltrate credentials.

The 29 banking Trojans were able to perfectly impersonate any app on the compromised device using overlays

This is not the first time banking Trojans have been observed to use the form overlay phishing technique, as Lukas Stefanko also discovered a banking Trojan posing as a legitimate phone call recording app a month ago, which used overlays to bypass SMS 2FA and steal banking information.

The malicious apps used a multi-stage infection routine: the first stage is a dropper designed to check for sandboxes and emulators, and it downloads the malware payload only once it is sure that it's running on a real Android device.

Besides capturing banking information and exfiltrating it to the actors who controlled them, the camouflaged banking Trojans were also able to "intercept and redirect text messages to bypass SMS-based two-factor-authentication, intercept call logs, and download and install other apps on the compromised device," according to Stefanko.

Furthermore, "These malicious apps were uploaded under mostly different developer names and guises, but code similarities and a shared C&C server suggest the apps are the work of a single attacker or group."

The researcher also listed a number of mitigation measures to make sure that your device will not be compromised by a banking Trojan, advising Android users to download their apps only from the Google Play store, check all the info on the apps' Google Play entries, and pay extra attention to the permissions the apps ask for when installing them.

Photo: Android Bank Trojan. Examples of Google Play apps bundling the banking Trojans