
Two Android apps carrying banking malware were found on the Google Play Store; they had already been installed on thousands of Android devices and carried dozens of fake five-star ratings.
The Trend Micro malware research team linked the payload found in the two apps to the Anubis banking Trojan based on code similarity and a shared command and control (C&C) server, aserogeege.space. Anubis has been targeting the Android platform for the last two years.
What sets the Currency Converter and BatterySaverMobi apps apart from other malware-ridden Android apps is that they use the device's motion sensors to decide whether they are running inside a malware analysis sandbox: an emulator or analysis device that never moves produces no motion events, and in that case the apps keep their malicious behavior dormant.
Using a fake system update screen, the malicious apps then try to trick the user into granting them device administrator privileges by "authorizing" the fake update.
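The sensor check described above, written out as an added example for illustration (it is not code recovered from the two apps, and the threshold, event count, function names and constructed sensor feeds are all assumptions). The idea is orientation-independent: the dropper only looks at how much the acceleration magnitude changes between consecutive readings, so a stock emulator reporting a fixed gravity vector never crosses the gate, while a phone in a hand or pocket does. The last function turns a feed back into Android Emulator console commands, which is how an analyst can satisfy the check without a physical device.

```python
"""Motion-sensor sandbox heuristic of the kind the article describes.
Added example, not code from the apps; thresholds and feeds are assumptions."""
import math
import random
from typing import Iterable, List, Tuple

Sample = Tuple[float, float, float]   # one accelerometer reading (x, y, z) in m/s^2

MOTION_THRESHOLD = 0.5   # assumed: magnitude change between readings that counts as movement
REQUIRED_EVENTS = 5      # assumed: movement events the dropper waits for before unpacking its payload
GRAVITY = 9.81


def magnitude(sample: Sample) -> float:
    x, y, z = sample
    return math.sqrt(x * x + y * y + z * z)


def count_motion_events(samples: Iterable[Sample], threshold: float = MOTION_THRESHOLD) -> int:
    """Count readings whose magnitude differs from the previous one by more than `threshold`.

    Comparing magnitudes rather than raw axes makes the check independent of how the
    phone is held: an emulator (or a phone lying still on a desk) yields a constant
    vector and therefore no events; a phone that is actually carried yields many.
    """
    events = 0
    previous = None
    for sample in samples:
        current = magnitude(sample)
        if previous is not None and abs(current - previous) > threshold:
            events += 1
        previous = current
    return events


def looks_like_sandbox(samples: Iterable[Sample], required: int = REQUIRED_EVENTS) -> bool:
    """The gate the dropper applies: too few motion events, so stay dormant."""
    return count_motion_events(samples) < required


def emulator_feed(n: int) -> List[Sample]:
    """Constructed input: a stock emulator reports a fixed gravity vector with no jitter."""
    return [(0.0, GRAVITY, 0.0)] * n


def handheld_feed(n: int, seed: int = 1) -> List[Sample]:
    """Constructed input: a carried phone never reports the same vector twice (seeded for repeatability)."""
    rng = random.Random(seed)
    return [
        (rng.uniform(-2.0, 2.0), GRAVITY + rng.uniform(-2.0, 2.0), rng.uniform(-2.0, 2.0))
        for _ in range(n)
    ]


def emulator_console_commands(samples: Iterable[Sample]) -> List[str]:
    """Render a feed as Android Emulator console commands ("sensor set acceleration x:y:z").

    Replaying these into the emulator console gives the dropper the movement it is
    waiting for, so it proceeds to fetch its payload inside the analyst's sandbox.
    """
    return [f"sensor set acceleration {x:.2f}:{y:.2f}:{z:.2f}" for x, y, z in samples]


if __name__ == "__main__":
    for label, feed in (("emulator", emulator_feed(50)), ("handheld", handheld_feed(50))):
        print(f"{label}: {count_motion_events(feed)} motion events, sandbox={looks_like_sandbox(feed)}")
    print("\n".join(emulator_console_commands(handheld_feed(3))))
```

The console commands can be sent with `adb emu <command>` or over the emulator's telnet console; a sandbox that feeds a jittered trace like this one during the first minutes of execution defeats the dormancy trick without any patching of the sample.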

The dropper built into the apps contacts its C&C server via Twitter or Telegram requests and then asks it for commands over HTTP POST. The server replies with a download link for an APK, which the dropper installs on the device.
Once the Anubis banking Trojan is on the compromised device, it collects banking information with a built-in keylogger module or by taking screenshots while the user enters credentials into banking apps, unlike most other banking Trojans, which rely on overlay screens for the same task.
According to Trend Micro's researchers, Anubis has been observed attacking 377 different banking applications from 93 countries; its target list includes banks such as Santander, RBS, NatWest, and Citibank as well as non-banking apps such as Amazon, eBay, and PayPal.

Besides stealing banking credentials, this malware strain carries additional functionality that Sophos documented last year: ransomware, RAT features such as audio recording and location tracking, SMS spamming, and calls to premium-rate numbers.
According to Sophos, "the built-in ransomware component encrypts user files and gives them .Anubiscrypt file extension. Remember, this runs on a phone, which is even less likely to be backed up than a laptop or desktop, and more likely to have personal photos or other valuable data."
Earlier, IBM X-Force researchers linked the malicious downloaders used to distribute the Anubis Trojan with the dropper apps that ThreatFabric had found while analyzing an Exobot campaign.
That several earlier campaigns distributing apps with Anubis downloaders have already been removed from the Google Play store shows how consistently the actors behind them manage to slip their malware past Google Play's defenses.
