Despite Google's defenses for protecting Android's official marketplace, cybercriminals still manage to sneak in a banking Trojan, or two, or three, security researchers have discovered.
Recently, security researchers from different security companies based in Europe disclosed on Twitter that they found several banking Trojans in Google Play.
Lukas Stefanko of antivirus vendor ESET found three such malicious apps posing as astrology software that offered horoscopes. What they really delivered was theft of SMS messages and call logs, sending text messages in the victim's name, downloading and installing apps without user approval, and stealing banking credentials.
Found three banking Trojans on Google Play with more than 1500+ installs.
They are remotely controlled bots with injection capabilities.
- steal SMS, call logs
- download and install apps
- steal banking credentials pic.twitter.com/K1MAlyoyyp
Stay away from these apps! — Lukas Stefanko (@LukasStefanko) September 3, 2018
Before tweeting his findings, Stefanko reported the malicious apps to Google, which removed them from the store; by the time of the removal, however, one of them had been downloaded more than 1,000 times, and over 500 users had installed each of the other two on their Android devices.
One of the malicious apps, whose code Stefanko found carried the name Herobot, displayed a fake warning claiming that it was incompatible with the device and had been removed as a result.
In reality, the malware stayed installed and kept running in the background, asking its command and control (C2) server for banking targets matching the apps installed on the device. The researcher noted that the C2 server was still alive when he tweeted about it.
Notably, all three Trojans discovered by Stefanko had a low detection rate. At the time of writing, the best-detected sample was flagged by 12 of 60 antivirus engines on VirusTotal; the least-detected one was recognized by only six.
Stefanko is not the only researcher to have reported banking Trojans in the official Android marketplace in the past few days. On August 29, Nikolaos Chrysaidos of Avast shared on Twitter details of a campaign that had been distributing the same type of malware since the first days of the month.
He uncovered more than five banking Trojans, all disguised as apps that claimed to improve the performance of the mobile device.
Gotcha! More #Android #Banker malware (5+) slipped in @GooglePlay Store. This campaign started first days of August.
- "Stamped" with Google's new frosting security metadata
- Found with @apklabio pic.twitter.com/j2GviNA0dW
— Nikolaos Chrysaidos (@virqdroid) August 29, 2018
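The "frosting" stamp mentioned in the tweet refers to the Play Store metadata that Google writes into an APK's Signing Block when it distributes the app, which is how a sample can be shown to have passed through Google Play rather than a third-party store. The following is an added example, not code from the article or from the Avast researchers: a parser that locates the APK Signing Block and lists the ID-value pairs it contains. The block IDs in the table are those that public documentation and research attribute to the v2/v3 signature schemes, the Play metadata block (0x2146444e) and verity padding; they are assumed correct here, and the parser itself works for any ID. Because it must run offline, the sample APK is constructed in-memory: a one-entry zip with a synthetic signing block spliced in. The code only detects the presence of the Play block; it does not verify Google's signature over it.

```python
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"

# Block IDs as documented publicly (assumed here; the parser does not depend on them).
BLOCK_IDS = {
    0x7109871A: "APK Signature Scheme v2",
    0xF05368C0: "APK Signature Scheme v3",
    0x2146444E: "Google Play metadata ('frosting')",
    0x42726577: "verity padding",
}
PLAY_METADATA_ID = 0x2146444E


def find_eocd(data: bytes) -> int:
    """Offset of the zip End Of Central Directory record (scans back over any archive comment)."""
    start = max(0, len(data) - 22 - 65535)
    pos = data.rfind(b"PK\x05\x06", start)
    if pos < 0:
        raise ValueError("not a zip: no EOCD record")
    return pos


def central_directory_offset(data: bytes) -> int:
    # The central directory offset sits 16 bytes into the EOCD record.
    return struct.unpack_from("<I", data, find_eocd(data) + 16)[0]


def parse_signing_block(data: bytes) -> dict:
    """Return {block_id: value_bytes} for the APK Signing Block, or {} if the APK has none.

    Layout (little-endian), placed immediately before the central directory:
    size_of_block u64 | ID-value pairs | size_of_block u64 | 16-byte magic.
    Each pair is len u64 | id u32 | value, where len covers id + value.
    """
    cd_offset = central_directory_offset(data)
    if cd_offset < 32:
        return {}
    size_of_block, magic = struct.unpack_from("<Q16s", data, cd_offset - 24)
    if magic != APK_SIG_BLOCK_MAGIC:
        return {}
    block_start = cd_offset - size_of_block - 8
    if block_start < 0 or struct.unpack_from("<Q", data, block_start)[0] != size_of_block:
        raise ValueError("APK Signing Block size fields disagree (truncated or tampered)")
    blocks = {}
    pos = block_start + 8
    pairs_end = cd_offset - 24
    while pos < pairs_end:
        length, block_id = struct.unpack_from("<QI", data, pos)
        blocks[block_id] = data[pos + 12 : pos + 8 + length]
        pos += 8 + length
    return blocks


def has_play_metadata(data: bytes) -> bool:
    """True if the Play 'frosting' block is present (presence only; Google's signature is not checked)."""
    return PLAY_METADATA_ID in parse_signing_block(data)


def describe_blocks(data: bytes) -> list:
    return [(f"0x{bid:08x}", BLOCK_IDS.get(bid, "unknown"), len(v))
            for bid, v in parse_signing_block(data).items()]


def build_signing_block(blocks: dict) -> bytes:
    pairs = b"".join(struct.pack("<QI", 4 + len(v), bid) + v for bid, v in blocks.items())
    size = len(pairs) + 8 + 16          # pairs + trailing size field + magic
    return struct.pack("<Q", size) + pairs + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC


def make_fake_apk(blocks: dict) -> bytes:
    """Constructed sample (not a real APK): a one-entry zip with a synthetic signing block
    inserted before the central directory and the EOCD offset patched to match."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<placeholder/>")
    data = buf.getvalue()
    eocd = find_eocd(data)
    cd_offset = central_directory_offset(data)
    sig = build_signing_block(blocks)
    patched = data[:cd_offset] + sig + data[cd_offset:]
    new_eocd = eocd + len(sig)
    return (patched[:new_eocd + 16]
            + struct.pack("<I", cd_offset + len(sig))
            + patched[new_eocd + 20:])


if __name__ == "__main__":
    sample = make_fake_apk({0x7109871A: b"\x00" * 8, PLAY_METADATA_ID: b"\x01" * 5})
    for row in describe_blocks(sample):
        print(row)
    print("Play metadata present:", has_play_metadata(sample))
```

Run against a real APK by reading the file into `data` and calling `describe_blocks(data)`; an app sideloaded from elsewhere typically shows only the v2/v3 blocks, while one downloaded from Play also carries 0x2146444e.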
Banking Trojans may be the type of malware that prompts the quickest action from the Android store's curators, but they are far from the only threat in Google Play.
Stefanko also gave examples of other apps that blatantly undermine users' privacy (adware, spyware and trackware), some with tens of millions of installations to date.
One of them, listed as Protect Your Data, is the Facebook-owned Onavo VPN app, with over 10 million installations. According to Stefanko, instead of hiding the user's traffic, the app collects it, as its own store description states.
Android Legitimate Spyware with 10M+ installs.
App #Onavo owned by Facebook, is VPN service that collects your:
- mobile traffic
- installed/opened apps
- visited websites
This app should hide your traffic & increase privacy, instead it collects it. pic.twitter.com/gvhYDhphk2
— Lukas Stefanko (@LukasStefanko) August 31, 2018
In another case, an app promised to increase the random access memory (RAM) on your device to an incredible 128GB. If data from the store is correct, more than 100,000 people fell for the scam.
If 128GB is not enough, you can go even higher. How about 8,000GB? The description betrays the ill intent of the developer, but 50,000 users seem to have been duped.
These apps do not necessarily harm the user; some of them simply clear cached data and kill background apps. But they clearly do not "provide an experience consistent with user expectations," as required by Google's Spam and Minimum Functionality policy.
Another example from Stefanko is the "Transparent clock and weather" app, which sends the user's location over the network in cleartext every 15 seconds.
Although the analysis suggests that the developer does not actively collect the latitude and longitude, anyone positioned to observe the unencrypted traffic can learn the user's every move.
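A leak like this is visible to a defender who can see the handset's traffic, because it has a distinctive shape: a plaintext HTTP request carrying coordinate parameters, repeated at a fixed interval. The following is an added example, not part of the article or of Stefanko's analysis, showing detection logic of the kind one would run over proxy or network-tap logs to catch that pattern. The log format, hostnames and coordinates are constructed for the example; the periodicity check generalizes beyond the 15-second case in the text by flagging any fixed interval.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Constructed sample log: one handset's outbound HTTP requests as a proxy or tap would record them
# (timestamp, client IP, method, full URL). Hosts and coordinates are made up.
SAMPLE_LOG = """\
2018-09-03T10:00:00Z 10.0.0.5 GET http://weather.example.net/api?lat=48.1486&lon=17.1077&units=metric
2018-09-03T10:00:03Z 10.0.0.5 GET https://cdn.example.com/icons/sun.png
2018-09-03T10:00:15Z 10.0.0.5 GET http://weather.example.net/api?lat=48.1487&lon=17.1079&units=metric
2018-09-03T10:00:30Z 10.0.0.5 GET http://weather.example.net/api?lat=48.1490&lon=17.1082&units=metric
2018-09-03T10:00:45Z 10.0.0.5 GET http://weather.example.net/api?lat=48.1493&lon=17.1085&units=metric
2018-09-03T10:01:00Z 10.0.0.5 POST https://maps.example.org/geo?latitude=48.15&longitude=17.11
2018-09-03T10:02:10Z 10.0.0.5 GET http://news.example.com/?id=42
"""

# Query-string keys commonly used to carry a position.
LOCATION_KEYS = {"lat", "lon", "lng", "latitude", "longitude"}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, url = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "src": src,
            "method": method, "url": url}


def location_params(url: str) -> dict:
    """Coordinate-looking query parameters found in the URL (empty dict if none)."""
    qs = parse_qs(urlsplit(url).query)
    return {k: v for k, v in qs.items() if k.lower() in LOCATION_KEYS}


def find_cleartext_location_beacons(log_text: str, min_hits: int = 3, max_jitter: float = 2.0) -> list:
    """Flag plaintext HTTP flows that repeatedly carry coordinates at a steady interval.

    Returns one finding per (client, host, path) with at least min_hits requests whose
    inter-request gaps all lie within max_jitter seconds of their median.
    """
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        parts = urlsplit(rec["url"])
        if parts.scheme != "http":          # only cleartext matters here; TLS hides the query
            continue
        if not location_params(rec["url"]):
            continue
        groups[(rec["src"], parts.netloc, parts.path)].append(rec["ts"])

    findings = []
    for (src, host, path), stamps in groups.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        interval = statistics.median(gaps)
        if all(abs(g - interval) <= max_jitter for g in gaps):
            findings.append({"src": src, "host": host, "path": path,
                             "hits": len(stamps), "interval_s": interval})
    return findings


if __name__ == "__main__":
    for f in find_cleartext_location_beacons(SAMPLE_LOG):
        print(f"{f['src']} -> http://{f['host']}{f['path']}: "
              f"{f['hits']} cleartext location reports, every {f['interval_s']:.0f}s")
```

The HTTPS request to the maps host is deliberately left out of the findings: it also carries coordinates, but an on-path observer cannot read them, which is precisely the difference between the weather app's behaviour and an app that ships location over TLS.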
The two researchers are not alone in showing Google what needs to be removed from its store: researchers from Russian security company Dr. Web recently reported the discovery of 127 malicious apps with more than 10,000 downloads in total; all of them have since been removed from the store.
BleepingComputer reached out to Google for a statement about the banking Trojans discovered in its Android store but had not received a reply at the time of publishing.