2021-11-30

We have seen in the past how malware manages to infiltrate Google Play to a greater or lesser extent, both with Joker and with other apps designed to steal bank credentials. Threat Fabric security researchers have revealed the techniques that malware-laden applications use to get into Google Play.

With some 300,000 downloads combined, analysts have found a malware campaign involving three different families, aimed at stealing the credentials of specific banks, including several Spanish ones. The main method is one we were able to test ourselves recently: the app downloads an update after it has been installed, and the malicious code lives in that update.

All good on the surface

Google’s attempts to curb malware are focused on two fronts: automated application scanning and limiting some problematic permissions, such as accessibility. Cybercriminals have found an ideal way to overcome both: upload harmless-looking apps to Google Play.

The deception goes beyond a mere facade. These are functional apps, with descriptions, screenshots and reviews that make them look legitimate. Many of those reviews may be fake, but since the malicious update is not downloaded automatically for everyone, some may well be genuine: the apps do deliver what they promise. In some cases they even have a website with information, to lend them more credibility.

An exercise app with malware even had a fake website

At this point the application is “clean”, and a VirusTotal scan of its APK would not detect anything unusual. Neither the analysis carried out by Google during the review period nor Play Protect's scanning after installation on the device would find anything suspicious.

The apps are functional and clean in principle, but later they ask to download and install an update that contains the malicious code

The malware arrives later and selectively: its creators can deploy the malicious update only to certain users and/or in certain regions. Installing it requires the user to grant the application permission to install apps from an APK file, which the app presents as necessary under various pretexts. For example, an exercise application claims it needs the permission to download new routines.

Do you want a new exercise routine? Then install this update

Security analysts have detected variations of this technique in dozens of applications carrying three families of malware: Anatsa, Alien and Hydra/Ermac. All of them had the same objective: stealing bank credentials. Not indiscriminately, but from specific banking applications, including those of several Spanish banks. The appendix of the report lists the banking applications whose credentials were being targeted; several Spanish bank apps are among them.

The malware is designed to steal the credentials of specific banking applications, including those of several Spanish banks

This update does contain the spying tools, chief among them abuse of the accessibility permission, which the app requests incessantly after installation. Google polices applications that abuse these permissions on Google Play, but what is installed from outside the store is subject to no such control.
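The two capabilities the dropper chain above depends on, the permission to install apps from an APK file and an enabled accessibility service, are both visible from a device's own diagnostics. The following triage helper is an added example, not code from the original article or from Threat Fabric: it parses text in the shape of `adb shell dumpsys package` output together with the value of the `enabled_accessibility_services` secure setting, and ranks installed packages by whether they declare `android.permission.REQUEST_INSTALL_PACKAGES`, run an enabled accessibility service, or both. The package names, service names and dump excerpt are constructed samples, and the dump layout is simplified to the lines the parser needs.

```python
"""Triage helper: flag installed Android apps that combine the two capabilities
the dropper technique relies on, sideloading (REQUEST_INSTALL_PACKAGES) and an
enabled accessibility service. Added example; inputs below are constructed."""
import re
from typing import Dict, List, Set, Tuple

# Constructed excerpt shaped like `adb shell dumpsys package` (not a real device dump).
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.fitness] (1a2b3c):
    userId=10123
    versionName=2.3
    requested permissions:
      android.permission.INTERNET
      android.permission.REQUEST_INSTALL_PACKAGES
  Package [com.example.notes] (4d5e6f):
    userId=10124
    requested permissions:
      android.permission.INTERNET
  Package [com.example.filemanager] (7a8b9c):
    userId=10125
    requested permissions:
      android.permission.REQUEST_INSTALL_PACKAGES
      android.permission.READ_EXTERNAL_STORAGE
"""

# Constructed value shaped like `adb shell settings get secure enabled_accessibility_services`:
# colon-separated "package/ServiceClass" entries, or the string "null" when none is enabled.
SAMPLE_ENABLED_A11Y = (
    "com.example.fitness/com.example.fitness.HelperService:"
    "com.example.screenreader/.ReaderService"
)

INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"

PACKAGE_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
# Permission lines may carry a trailing ": granted=true/false" in other dumpsys sections.
PERM_RE = re.compile(r"^\s*([\w.]+\.permission\.[A-Z0-9_]+)(?::.*)?$")


def parse_dumpsys_permissions(text: str) -> Dict[str, Set[str]]:
    """Map each package in the dump to the permission names listed under it."""
    perms: Dict[str, Set[str]] = {}
    current = None
    for line in text.splitlines():
        m = PACKAGE_RE.match(line)
        if m:
            current = m.group(1)
            perms[current] = set()
            continue
        if current is None:
            continue
        m = PERM_RE.match(line)
        if m:
            perms[current].add(m.group(1))
    return perms


def parse_enabled_accessibility(setting: str) -> Set[str]:
    """Return the package names that own an enabled accessibility service."""
    if not setting or setting.strip() == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in setting.split(":") if entry}


def triage(dumpsys_text: str, a11y_setting: str) -> List[Tuple[str, str]]:
    """Rank packages: both capabilities -> HIGH, sideloading only -> REVIEW,
    accessibility only -> INFO. Packages with neither are omitted."""
    perms = parse_dumpsys_permissions(dumpsys_text)
    a11y = parse_enabled_accessibility(a11y_setting)
    findings: List[Tuple[str, str]] = []
    for pkg in sorted(set(perms) | a11y):
        can_sideload = INSTALL_PERM in perms.get(pkg, set())
        has_a11y = pkg in a11y
        if can_sideload and has_a11y:
            findings.append((pkg, "HIGH: can install APKs and runs an enabled accessibility service"))
        elif can_sideload:
            findings.append((pkg, "REVIEW: can install APKs from outside the store"))
        elif has_a11y:
            findings.append((pkg, "INFO: enabled accessibility service"))
    return findings


if __name__ == "__main__":
    for pkg, verdict in triage(SAMPLE_DUMPSYS, SAMPLE_ENABLED_A11Y):
        print(f"{pkg:30} {verdict}")
```

Against a real device the two inputs come from `adb shell dumpsys package` and `adb shell settings get secure enabled_accessibility_services`; a package that scores HIGH is not necessarily malicious (file managers and some screen readers legitimately need one or both), but it is the combination the report describes, so it is the one worth reviewing first.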

According to the researchers' estimates, the applications were downloaded around 300,000 times, and given how hard this is to detect, more such infiltrations of Google Play are to be expected. The best way to stay safe is never to accept suspicious downloads and updates that require permission to install apps.

Via | Ars Technica