Hundreds of thousands of Android users affected by banking trojans

Over 300,000 Android users have inadvertently downloaded banking trojans that were disguised as ordinary apps and managed to bypass the Google Play Store’s threat detection.

Cybersecurity researchers from ThreatFabric have reported that the four different forms of malware detected were installed through commonly downloaded apps, including document scanners, QR code readers, fitness monitors and cryptocurrency apps.

Of the four, the most commonly downloaded was Anasta, a banking trojan capable of stealing login credentials, using accessibility logging to monitor the victim’s screen and using keylogging to capture the information entered. Anasta alone was downloaded by over 200,000 Android users.

“Actors behind it took care in making their apps look legitimate and useful,” the analysts said. They added: “There are large numbers of positive reviews for the apps. The number of installations and presence of reviews may convince Android users to install the app. Moreover, these apps indeed possess the claimed functionality, after installation they do operate normally and further convince victims in their legitimacy.”

Furthermore, the malware becomes active only upon installation, enabling the apps to remain undetected by the Play Store.

The malware has been active since January; however, it has been increasingly deployed since June. Researchers discovered that six different apps were used to deliver the malware, including apps disguised as QR code scanners, PDF scanners and cryptocurrency apps. Users first received phishing emails or malicious advertisements which, when clicked, redirected them to the malicious apps.

One of these malicious apps, a QR scanner, has been downloaded by 50,000 Android users, who were further tricked into believing the app was legitimate by the large number of positive reviews left on the download page.

Once installation was complete, users were required to update the app to continue using it. It is this update, however, that connects the victim’s device to a command-and-control server, which downloads the Anasta trojan onto the device.

The second trojan, dubbed “Alien”, is capable of stealing two-factor authentication details and has been active for over a year. Installations of the malware total up to 95,000 and have been carried out from the Play Store. One of these apps is a fitness training app which comes with a website designed to trick the user into believing it is legitimate. The website, however, functions as a command-and-control server, as with Anasta.

The remaining two pieces of malware, referred to as Hydra and Ermac, have been deployed using similar methods and have received a combined total of 15,000 downloads.
