Google on paper claims to take serious measures to protect their user’s data however there seem to be major flaws within their system. Researchers claim that they have discovered a number of applications that had been downloaded more than 300,000 times from Google Play before being identified to be banking trojans that stole user passwords and two-factor authentication tokens, tracked keystrokes, and took screenshots.
Apps Stealing User Data
Four different Android malware families disseminated the apps posing as QR scanners, PDF scanners, and bitcoin wallets over a four-month period. They employed a variety of techniques to get over Google’s prohibitions on the perpetual distribution of counterfeit apps on its official store. Limiting the use of accessibility services for visually impaired users to prevent the automatic installation of apps without user agreement is one of these constraints.
The fact that dropper apps all have a very minimal malicious footprint makes these Google Play distribution efforts very difficult to identify from automation (sandbox) and machine learning standpoint,” experts from mobile security firm ThreatFabric noted in a blog post. “The permission constraints implemented by Google Play are a (direct) result of the minimal footprint.
Instead, the efforts usually started with a harmless app. Users got alerts after installing the program, instructing them to download upgrades that included new features. Although the apps frequently required updates from third-party sources, many users had come to trust them by that time. Most of the programs were initially undetectable by malware checkers on VirusTotal.
Other strategies were also used to keep the apps beneath the radar. In many situations, malware operators manually install malicious updates after verifying the compromised phone’s geographic location or progressively updated phones.
Anatsa is the malware family that has been responsible for most infections. This “sophisticated Android banking trojan” has a number of features, including remote access, SMS sharing, and automatic transfer systems that automatically empty victims’ accounts and send the contents to malware controllers’ accounts.
Alien, Hydra, and Ermac were three other malware families discovered by the researchers. Gym drop was one of the droppers used to download and install malicious payloads. To prevent researcher devices from being targeted, it implemented filter rules based on the model of the infected device.
Malicious apps have plagued Google Play on a daily basis for the past decade. Google is quick to delete fake apps once it is told, as it was this time, but the company has been unable to locate thousands of apps that have infiltrated the bazaar and infected thousands, if not millions, of users.
These scams aren’t always easy to recognize. Reading user comments can be helpful, but it isn’t always the case because scammers frequently include phony reviews in their submissions. Avoiding obscure apps with limited user populations can also help, although in this case, that strategy would have been fruitless. Before downloading apps or app updates from third-party stores, users should consider twice. The best way to avoid fraudulent Android apps is to install them only when absolutely necessary. Uninstalling an app if you haven’t used it in a while is also a smart idea.