Android banking Trojan infections are on the rise, and Google Play is not immune. According to a study by security firm Kaspersky Lab, Android banking Trojan infections have increased by 50 percent in the past two years, and many of them are disguised as innocuous applications such as the messaging app WhatsApp or the social media app Facebook. “The increase in Android banking Trojan infections is likely due to the increasing popularity of mobile banking apps on smartphones,” said Dmitriy Semenov, senior research fellow at Kaspersky Lab. “This makes it more difficult for users to distinguish between legitimate and malicious applications.” Google has responded with an Android update that includes a feature called “guardian angels,” intended to protect users from malware that steals their data or accesses their accounts. That update does not, however, address the root cause of many of these infections: applications that masquerade as harmless ones.
As reported by Ars Technica, researchers from ThreatFabric discovered a string of Google Play applications that steal bank account credentials and drain funds from those accounts.
“What makes these Google Play distribution campaigns very difficult to detect from an automation (sandbox) and machine learning perspective is that dropper apps all have a very small malicious footprint,” researchers from mobile security company ThreatFabric wrote in a blog post. “This small footprint is a (direct) consequence of the permission restrictions enforced by Google Play.”
That means the apps start out doing something non-malicious: they pose as QR scanners, PDF scanners, or cryptocurrency wallets. Once installed, the app asks the user to download an “update” from a third-party source outside Google Play. Installing that update means sideloading an APK onto the device, which goes around Google Play’s protections entirely.
Working this way also means the apps are not flagged by virus scanners at install time, because the version first downloaded from Google Play is entirely harmless. Only after the app has earned the user’s trust and persuaded them to install the third-party update does the malicious payload go to work.
“This incredible attention dedicated to evading unwanted attention renders automated malware detection less reliable,” the ThreatFabric post said. “This consideration is confirmed by the very low overall VirusTotal score of the 9 droppers we have investigated in this blog post.”
The specific malware family is Anatsa, a banking Trojan that targets Android. It combines remote access with automatic fund transfers that can drain a victim’s bank account once the operators get in. It can steal passwords and two-factor authentication codes, log keystrokes, and take screenshots.
So what can you do to avoid apps that slip through Google’s defenses? Don’t sideload updates for an app you installed from Google Play. A legitimate app has no reason to ask for that: Google Play has its own update process, and an app that needs a regular update gets it there. The only reason a developer would have you sideload an update is to get around Google’s protections.
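The dropper flow described above (a harmless Play Store app that later asks you to install an update from elsewhere) leaves two traces you can check for yourself with adb: the package installer that Android records for each app, and whether the app requests the permission that lets it prompt you to install APKs it downloaded itself. The script below is an added example, not code from ThreatFabric, Ars Technica, or Google; it parses constructed sample output of `adb shell pm list packages -3 -i` and `adb shell dumpsys package <pkg>`, and the package names, version strings, and the exact dumpsys layout it assumes are illustrative only.

```python
"""Spot Play Store apps that may be pulling in sideloaded "updates".

Added example, not code from the ThreatFabric report. It parses two kinds of
adb output:

    adb shell pm list packages -3 -i       # third-party apps with installer
    adb shell dumpsys package <package>    # per-app details, incl. permissions

A package whose recorded installer is not Google Play was installed by some
other route (sideloaded), and an app that requests REQUEST_INSTALL_PACKAGES
is one that can prompt the user to install an APK it fetched itself, which is
the dropper behaviour described above. All adb output below is constructed
sample data, not captured from a real device.
"""
from __future__ import annotations

import re

PLAY_STORE = "com.android.vending"
SIDELOAD_PERMISSION = "android.permission.REQUEST_INSTALL_PACKAGES"

# Constructed sample of `pm list packages -3 -i`; package names are made up.
PM_LIST_OUTPUT = """\
package:com.example.qrscanner  installer=com.android.vending
package:com.example.pdfreader  installer=com.android.vending
package:com.example.qrscanner.plugin  installer=null
package:com.example.bank  installer=com.android.vending
"""

# Constructed excerpt of `dumpsys package com.example.qrscanner` (layout assumed).
DUMPSYS_QRSCANNER = """\
Packages:
  Package [com.example.qrscanner] (a1b2c3d):
    userId=10234
    versionName=1.4.2
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.INTERNET
      android.permission.CAMERA
      android.permission.REQUEST_INSTALL_PACKAGES
    install permissions:
      android.permission.INTERNET: granted=true
"""

_PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)")


def parse_installers(pm_output: str) -> dict[str, str | None]:
    """Map package name -> installer package, or None when installer=null."""
    installers: dict[str, str | None] = {}
    for line in pm_output.splitlines():
        match = _PM_LINE.match(line.strip())
        if match:
            pkg, installer = match.groups()
            installers[pkg] = None if installer == "null" else installer
    return installers


def not_from_play(installers: dict[str, str | None]) -> list[str]:
    """Packages that Google Play did not install (sideloaded or another source)."""
    return sorted(pkg for pkg, src in installers.items() if src != PLAY_STORE)


def requested_permissions(dumpsys_output: str) -> set[str]:
    """Permissions listed under the 'requested permissions:' block of dumpsys."""
    lines = dumpsys_output.splitlines()
    for i, line in enumerate(lines):
        if line.strip() != "requested permissions:":
            continue
        header_indent = len(line) - len(line.lstrip())
        perms: set[str] = set()
        for follow in lines[i + 1:]:
            indent = len(follow) - len(follow.lstrip())
            if not follow.strip() or indent <= header_indent:
                break  # dedented: we have left the block
            perms.add(follow.strip().split(":")[0])
        return perms
    return set()


def can_sideload(dumpsys_output: str) -> bool:
    """True if the app can ask the user to install APKs it downloaded itself."""
    return SIDELOAD_PERMISSION in requested_permissions(dumpsys_output)


def report(pm_output: str, dumpsys_by_pkg: dict[str, str]) -> dict[str, list[str]]:
    """Combine both checks into findings keyed by package name."""
    findings: dict[str, list[str]] = {}
    for pkg in not_from_play(parse_installers(pm_output)):
        findings.setdefault(pkg, []).append("not installed by Google Play")
    for pkg, dump in dumpsys_by_pkg.items():
        if can_sideload(dump):
            findings.setdefault(pkg, []).append("requests " + SIDELOAD_PERMISSION)
    return findings


if __name__ == "__main__":
    sample = report(PM_LIST_OUTPUT, {"com.example.qrscanner": DUMPSYS_QRSCANNER})
    for pkg, reasons in sample.items():
        print(f"{pkg}: {'; '.join(reasons)}")
```

On a real device, replace the constructed strings with the output of the two adb commands. Treat the result as a lead, not a verdict: `-3` excludes preinstalled system apps (which also show `installer=null`), REQUEST_INSTALL_PACKAGES is legitimately requested by file managers and browsers, and the dumpsys layout differs between Android versions, so check the block header the parser keys on against your own output.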
Additionally, download apps from reputable companies where possible, and delete apps you no longer use.