Over 300,000 Android users downloaded banking trojan malware

Hackers defeated Google Play restrictions by using smaller droppers in apps and cutting the permissions they request

Hackers have managed to bypass Google Play app restrictions to chalk up over 300,000 banking trojan infections in just four months.

According to a blog post by security researchers at Threat Fabric, hackers have avoided detection by Google Play by using smaller droppers in apps, reducing the number of permissions requested from users, improving their code and creating more convincing fake websites.

This has also made them difficult to detect from an automation (sandbox) and machine learning perspective, according to Threat Fabric.

“This small footprint is a (direct) consequence of the permission restrictions enforced by Google Play,” they said.

Hackers have also started rolling out carefully planned, small malicious code updates over a longer period on Google Play, as well as running a dropper C2 backend that fully matches the theme of the dropper app. The researchers cited as an example a working fitness website for a workout-focused app.

“To make themselves even more difficult to detect, the actors behind these dropper apps only manually activate the installation of the banking trojan on an infected device in case they desire more victims in a specific region of the world. This makes automated detection a much harder strategy to adopt by any organization,” they said.

The 300,000 dropper installations came from just four malware families: Anatsa (200,000+ installations), Alien (95,000+ installations) and Hydra/Ermac (15,000+ installations).


The largest, Anatsa, is an advanced Android banking trojan with RAT and semi-ATS (automated transfer system) capabilities. It carries out classic overlay attacks to steal credentials, accessibility logging (capturing everything shown on the user’s screen), and keylogging.

Researchers discovered the first dropper in June 2021 masquerading as an app for scanning documents. In total, researchers found six Anatsa droppers published in Google Play since June 2021.

A hacking group called Brunhilda dropped malware from established families, like Hydra, as well as novel ones, like Ermac. This dropper posed as a QR code creator app. Both families have been very active in recent months, according to researchers, and have recently started appearing in the US.

The Alien campaign was also run by the Brunhilda group, using a fake fitness app to spread.

“This dropper, that we dubbed ‘Gymdrop’, is another example of how cybercriminals try to convince victims and detection systems that their app is legitimate. The app website is designed to look legitimate at first glance. However, it is only a template for a gym website with no useful information on it, even still containing ‘Lorem Ipsum’ placeholder text in its pages,” said researchers.

Researchers said the effort these hackers put into avoiding unwanted attention makes automated malware detection less reliable.
