Google just cannot get rid of BankBot malware from Play Store

Google is trying its best to “make Chrome secure again,” but when it comes to the Play Store and protecting Android devices, the tech giant is failing miserably. Although there are a couple of Android bug bounty programmes offering lucrative rewards, the marketplace just can’t get rid of malware; in fact, the old families keep coming back.

BankBot (BankingBot) Malware

IT security researchers at RiskIQ have discovered a dangerous and widespread piece of malware often used by cybercriminals to steal banking information from Android users. Dubbed BankBot (also known as BankingBot), this is the fourth time that researchers have caught this malware targeting users on the Play Store. In other words, Google just can’t get rid of BankBot.

The “Cryptocurrencies Market Prices” app belongs to the BankBot malware family

This time, researchers discovered BankBot in an app called “Cryptocurrencies Market Prices” that claimed to provide up-to-date prices for cryptocurrencies. The real price, however, was paid by those who downloaded the app from the Play Store and had their banking data stolen. Researchers also noted that, despite being malicious, the app carried a shiny “verified by Play Protect” tag. Google Play Protect is supposed to check apps and the device for harmful behaviour; in BankBot’s case, it did the opposite, vouching for a malicious app.

Malware infected app verified by Play Protect | Image: RiskIQ

“The app itself is a bundled application as described in the ‘Detection’ section of this document. It is a combination of a legitimate functionality—comparing actual cryptocurrency market prices with global Fiat money—and a Bankbot instance,” researchers noted.

What BankBot Does and Steals

As its name suggests, BankBot is built to steal banking data from an Android device, such as credit card numbers and other payment-related information. Once installed, it also carries out phishing attacks by showing fake versions of banking apps, and it obtains device administrator privileges before removing its own icon, tricking the user into believing that the app has been deleted.

In reality, however, the app keeps running in the background. Furthermore, the malware spies on SMS messages sent by the user and collects sensitive information such as credit card numbers, the CVC code and expiry date, and the user’s home address. It is also able to collect device details such as the list of installed apps, OS version, IMEI and phone model, and send them to the attacker.

That’s not all: the malware is designed to display fake screens disguised as banking apps (overlays). As soon as the app captures the credentials it wants, they are passed on to the attacker through a command and control (C&C) server. It also tracks available text fields, such as menu elements, and logs keystrokes and other components of the user interface.

So What’s Next?

After RiskIQ’s findings were sent to Google, the company removed the app from the Play Store. The question remains, though, why Google didn’t find the app before the researchers did, and how it earned the “Verified” tag while it was carrying malware.

History of BankBot

Discovered back in 2008, the BankBot banking malware was caught infecting Android devices through malicious apps on the Play Store in 2014. It aimed to steal the credit card and personal data of unsuspecting users. Once exposed, the infected apps were booted off Google’s marketplace.

In April this year, BankBot infected 400 apps on the Google Play Store. One of the infected apps, Funny Videos 2017, was downloaded 5,000 times by unsuspecting users. Once reported, Google deleted all the infected apps.

In July 2017, BankBot malware was again caught on the Play Store, this time disguised as a fake Adobe Flash Player app aimed at stealing the banking information of Android users. The app was removed once security researchers informed Google.

Stay Safe Online

Android is one of the most frequently targeted smartphone operating systems, and that’s not surprising given the case described above. HackRead advises Android users to avoid downloading unnecessary apps from third-party stores and from the Play Store alike, to keep an eye on their banking transactions, and to use a reliable mobile security product.

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering the latest happenings in the cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.