A recent report by cybersecurity company ThreatFabric reveals that 300,000 Android users have installed Trojan dropper apps that steal their banking information. Although Google has since removed and disabled the apps, their developers used distribution methods to deliver the malware that all Android users should be aware of.
Hackers used multiple types of malware
ThreatFabric’s report names only some of the malicious applications, but they include QR scanners, PDF scanners, fitness trackers and crypto apps. Unlike other fake apps that falsely advertise their features, many of the apps in this batch of malicious Android software worked as advertised. But behind the scenes, the apps steal passwords and other user data.
Researchers broke the apps down into four separate “families” based on the specific malware used:
Anatsa: The largest of the four malware families, with over 200,000 combined downloads, used a banking Trojan called Anatsa. The Trojan abuses Android’s accessibility features to capture the screen and steal login information and other personal data.
Alien: The second most downloaded family, the Alien Trojan, was installed on over 95,000 devices. Because Alien can intercept two-factor authentication (2FA) codes, hackers can use it to log into a user’s bank account.
Hydra and Ermac: The last two families used the Hydra and Ermac malware, both affiliated with the Brunhilda cybercriminal group. The group used the malware to gain remote access to the user’s device and steal banking information. ThreatFabric reports that applications using Hydra and Ermac together reached 15,000+ downloads.
How these malware families skirt Google’s security measures
ThreatFabric reported the applications to Google, which has since removed them from the Play Store and disabled them on any devices where they were installed. But the real problem is how hackers were able to get the droppers into the store in the first place.
In general, the Play Store catches and removes applications that contain suspicious code. In these cases, however, the malware was not shipped in the initial download but was delivered later in an update, which users were told they had to install for the app to keep working. With this method, developers can submit their apps without tripping Google’s detection. Because the apps work as advertised, users are less likely to notice anything wrong. There were some indications that the updates in question were problematic, though: they may have pushed users to grant access to accessibility services or to sideload additional software.
How to keep your Android device safe from malware
There are some things you can do to keep your devices and data safe from malware applications like these. First, always pay attention to the permissions an app asks for, not just when you first install it but also when you run or update it. If anything seems suspicious or unnecessary, remove the application and report it. A QR code scanner does not need access to your accessibility services, for example.
Similarly, only install updates directly from the Google Play Store. Even if an app insists it needs an urgent update, if that update is not listed in the Play Store app, the link it offers is not legitimate. The same goes for unexpected requests to sideload additional applications: sideloading is only safe when you download the APK file yourself from trusted, verified sources such as APK Mirror or the XDA Dev forums. Since hackers can fake an app’s legitimacy with fake reviews, check it thoroughly before downloading, even if it is on Google Play.
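As an added example that is not part of the article or of ThreatFabric’s report, the following Python script turns the two checks above (where an app came from, and whether it holds accessibility access) into a quick triage over constructed sample output of `adb shell pm list packages -3 -i` and `adb shell settings get secure enabled_accessibility_services`; every package name in it is made up.

```python
# Added example, not from the article: flag third-party apps that hold an
# enabled accessibility service but were NOT installed by the Play Store.
# Both inputs below are constructed sample text, not real device output.
import re
from typing import Dict, List

PLAY_STORE_INSTALLER = "com.android.vending"

# Constructed sample of `adb shell pm list packages -3 -i` (third-party apps,
# with the package that installed each one; "null" means no installer recorded,
# i.e. a manual sideload).
SAMPLE_PACKAGE_LIST = """\
package:com.example.qrscanner  installer=com.android.vending
package:com.example.pdfscan  installer=null
package:com.example.fitness  installer=com.android.vending
package:com.example.cryptowallet  installer=com.android.packageinstaller
"""

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`
# (colon-separated list of package/ServiceClass entries).
SAMPLE_ACCESSIBILITY = (
    "com.example.pdfscan/com.example.pdfscan.AccService:"
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService"
)

_PKG_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_installers(text: str) -> Dict[str, str]:
    """Map each third-party package name to the installer package recorded for it."""
    result: Dict[str, str] = {}
    for line in text.splitlines():
        m = _PKG_RE.match(line.strip())
        if m:
            result[m.group(1)] = m.group(2)
    return result


def parse_accessibility(text: str) -> List[str]:
    """Return the package names that own an enabled accessibility service."""
    return [entry.split("/", 1)[0] for entry in text.strip().split(":") if entry]


def flag_suspicious(installers: Dict[str, str], a11y_pkgs: List[str]) -> List[str]:
    """Third-party packages with accessibility access that did not come from the Play Store.
    Packages absent from the installer map are preinstalled/system apps and are skipped."""
    return sorted(p for p in a11y_pkgs
                  if p in installers and installers[p] != PLAY_STORE_INSTALLER)


if __name__ == "__main__":
    for pkg in flag_suspicious(parse_installers(SAMPLE_PACKAGE_LIST),
                               parse_accessibility(SAMPLE_ACCESSIBILITY)):
        print("review:", pkg)
```

On a real device, replace the two sample strings with the output of the adb commands named in the comments; a flagged package is a starting point for review, not proof of infection.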
While these strategies are not guaranteed to prevent every malware attack, you will be much better off if you combine them with other cybersecurity practices such as an encrypted password manager, 2FA logins, unique passwords and trusted anti-malware and antivirus applications, keeping you protected from bad actors and malicious apps in the future.