A Malware That Might Look Like A Google Play Application
Security researchers recently discovered a group of cybercriminals successfully spreading Trojan banking malware through bogus Google Play applications. First detected in June by professionals at IBM X-Force, the “Anubis” malware has been hidden in seemingly secure apps offering online shopping services, livestock market monitoring, and more.
The X-Force research team has published a detailed blog post on the malware campaign. It explains, “IBM X-Force mobile malware researchers have observed several developers actively uploading Android malware downloaders to the Google Play Store. Starting in June, our team discovered a number of new malware downloader samples that infect users with BankBot Anubis (aka Go_P00t). The campaign features at least 10 malicious downloaders disguised as various applications, all of which fetch mobile banking Trojans that run on Android-based devices.”
As with other Android malware that spreads via the Google Play Store, the Anubis payload remains hidden and is delivered only after the fake app is installed and has contacted a C&C server. The malicious downloader is also reported to be so stealthy that antivirus programs do not detect it.
The hackers regularly alter the malware's capabilities and make slight changes to the code so that it isn't detected by the Google Play Store's security controls. The regular updates themselves indicate that a well-resourced group of cybercriminals is behind the campaign.
After installation, the Anubis malware deceives users by masquerading as an app called “Google Protect”. The IBM X-Force SecurityIntelligence blog post explains: “After a successful installation of the malicious downloader, the app fetches BankBot Anubis from one of its C&C servers. The BankBot Anubis malware then masquerades as an app called “Google Protect” and prompts the user to grant it accessibility rights.”
Anubis asks for accessibility rights because it uses them to perform keylogging, which in turn helps the hackers steal users’ data. The SecurityIntelligence blog says: “Why ask for accessibility? BankBot Anubis uses Android’s Accessibility services to perform keylogging as a way to obtain the infected user’s credentials when he or she accesses a targeted mobile banking app. In most Android banking Trojans, the malware launches a fake overlay screen when the user accesses a target app. The user then taps his or her account credentials into the fake overlay, which allows the malware to steal the data. BankBot Anubis streamlines this process.”
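The two signals described above (a Google-branded label on a package outside Google's namespace, and an enabled accessibility service) can be checked together on managed devices. The sketch below is an added example, not code from IBM X-Force or the original article; the inventory format, package names and trusted-prefix list are constructed assumptions, and the setting string follows the colon-separated `package/service` form that Android stores in `enabled_accessibility_services`.

```python
# Added example: audit a device inventory for the masquerade pattern above.
# All package names and labels below are constructed sample data.

TRUSTED_PREFIXES = ("com.google.", "com.android.")  # assumption: vendor namespaces
BRAND_WORDS = ("google", "play protect")            # labels implying a Google app

def parse_accessibility_setting(value):
    """Parse the colon-separated 'package/service' list stored in the
    secure setting enabled_accessibility_services; return package names."""
    packages = set()
    for component in value.strip().split(":"):
        if "/" in component:  # skips empty values and the literal "null"
            packages.add(component.split("/", 1)[0])
    return packages

def audit(inventory, accessibility_value):
    """Return findings (package, label, reasons), most reasons first."""
    enabled = parse_accessibility_setting(accessibility_value)
    findings = []
    for app in inventory:
        pkg, label = app["package"], app["label"]
        trusted = pkg.startswith(TRUSTED_PREFIXES)
        reasons = []
        if any(w in label.lower() for w in BRAND_WORDS) and not trusted:
            reasons.append("Google-branded label on non-Google package")
        if pkg in enabled and not trusted:
            reasons.append("accessibility service enabled")
        if reasons:
            findings.append((pkg, label, reasons))
    findings.sort(key=lambda f: len(f[2]), reverse=True)
    return findings

# Constructed inventory, e.g. exported from an MDM console (hypothetical format).
SAMPLE_INVENTORY = [
    {"package": "com.google.android.gms", "label": "Google Play services"},
    {"package": "com.example.shopdeals", "label": "Shop Deals"},
    {"package": "com.example.xk3p", "label": "Google Protect"},
    {"package": "com.example.screenreader", "label": "Screen Reader"},
]
SAMPLE_SETTING = (
    "com.example.xk3p/com.example.xk3p.Svc:"
    "com.example.screenreader/.ReaderService"
)

if __name__ == "__main__":
    for pkg, label, reasons in audit(SAMPLE_INVENTORY, SAMPLE_SETTING):
        print(f"{pkg} ({label}): {'; '.join(reasons)}")
```

A package-name prefix is only a heuristic; comparing the app's signing certificate against the vendor's known certificate is the stronger check.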
The malware could also help hackers steal credentials from other apps or capture the user’s screen. The campaign that IBM X-Force examined seemed to target Turkish users specifically, but with different configurations and botnets, Anubis could target many other countries, including Australia, the U.S., the U.K., Israel, Japan, Canada, India, Hong Kong and Russia.
The researchers have inferred that it’s not a small campaign. The IBM X-Force blog post says: “While there were 10 downloader apps in the Google Play Store at the time of this writing, the campaign is rather hefty. X-Force estimated the magnitude of campaigns on Google Play by the number of downloads, as well as the number and variety of payloads found. In one case, the researchers fetched more than 1,000 new samples of BankBot Anubis from just one C&C server. Each sample has a different MD5 signature, few of which were documented by any antivirus engine when tested against VirusTotal.”
Cybercrime groups now seem to target official app stores because getting a malicious app into an official store assures more exposure to potential victims. It is also a very cheap distribution channel for malware and helps win users’ trust. Moreover, malicious apps that sneak into official app stores can keep evading security controls for much longer than other malicious apps. With such mobile Trojans, cybercriminals are venturing further into mobile malware campaigns, and this is something that users and organizations across the world need to be aware of.
Kevin Jones
Kevin Jones, Ph.D., is a research associate and a Cyber Security Author with experience in Penetration Testing, Vulnerability Assessments, Monitoring solutions, Surveillance and Offensive technologies etc. Currently, he is a freelance writer on latest security news and other happenings. He has authored numerous articles and exploits which can be found on popular sites like hackercombat.com and others.