Google has left no stone unturned in preventing malware and banking trojan from invading the applications uploaded on its official Play Store. Despite having anti-malware protection, shady applications somehow make it to the platform. In fact, malware developers have become so advanced in their skills and tactics that they are now using motion detection technology to activate the malware on their apps.
According to reports, there are some apps on Google Play Store that are infected with malware which gets deployed only when it detects motion from the Android smartphone. Researchers believe that this happens because a majority of the developers use Android emulators to test their malware instead of actual smartphones.
Two such applications were identified on the Play Store and as per the analysis of Trend Micro’s malware research team, the apps have so far infected thousands of unsuspecting Android users who downloaded them. It is worth noting that the apps contain banking malware.
Trend Micro researchers explained about the malicious apps in their blog post published Thursday where they noted that:
“As a user moves, their device usually generates some amount of motion sensor data. The malware developer is assuming that the sandbox for scanning malware is an emulator with no motion sensors, and as such will not create that type of data. If that is the case, the developer can determine if the app is running in a sandbox environment by simply checking for sensor data.”
One of the two applications is Currency Converter, which is basically a currency exchange app, and the second one is BatterySaverMobi, a battery saver app having 5000 downloads. Both these apps contain a dangerous banking Trojan dubbed as Anubis and utilize motion-sensor inputs from the mobile devices to install the malware.
These apps have fake 5-star reviews and through their advanced maneuvering functions, these apps are able to evade detection when researchers run emulators to identify the presence of malware.
When the malware detects the sensor data the malicious code is executed automatically and the victim is tricked into downloading and installing Anubis payload APK disguised as a system update claiming to offer a “Stable Version of Android.” When the victim accepts to install the fake update, the malware dropper requests to access legit services like Telegram and Twitter to create a link with its C&C server and downloads the Anubis banking Trojan on the device.
“It registers with the C&C server and checks for commands with an HTTP POST request. If the server responds to the app with an APK command and attaches the download URL, then the Anubis payload will be dropped in the background,” researchers noted.
After infecting the device the Trojan accesses the banking accounts credentials of the user using a built-in keylogger or through capturing screenshots when the user enters the credentials into the banking app.
The reason why Android malware is able to evade emulation system detection is that by-default emulators aren’t designed to emulate motion. Trend Micro researchers claim that the malware has been distributed to 93 countries and approx. 377 financial application variants have been targeted to extract banking credentials of affected users.
Moreover, the Trojan can perform a variety of functions from accessing contact lists to sending out the device’s location, delivering spam messages to all the contacts on the mobile, making phone calls, recording audio, and making modifications to external storage. Thankfully, the malicious apps have been removed from Google Play Store.
We suggest sticking to trusted developers and brands and only download an app after going through its review section. Moreover, installing a reliable antivirus would also be helpful in thwarting impending attacks. Here is a list of 10 powerful antiviruses for Android, iPhone, Mac, and PC.