They discovered 29 bank Trojans that purported to be legitimate Android apps

ESET warns about a new hoax that targets Android users in the Google Play store.

ESET, a leader in proactive threat detection, analyzed a set of 29 banking Trojans that were discovered in the official Android store between August and early October 2018. They simulated being plug-ins for the device and cleaners, battery managers and even horoscope apps.

These remotely controlled Trojans are capable of dynamically affecting any application they encounter on the victim’s device using custom phishing forms. In addition, they can intercept and redirect text messages to evade SMS-based dual-factor authentication systems, intercept call logs, and download and install other applications on compromised devices. These malicious applications were mostly uploaded under the name of different developers, but the similarities in the code and the same C&C server suggest that they are the work of a single attacker or group.

“Unlike other malicious applications that focus only on trying to supplant the identity of legitimate financial institutions and display screens with false registration instances, the apps analyzed at this time are banking malware Sophisticated for mobile with complex features and a strong focus on Sigilosidad, “commented Camilo Gutierrez, head of the Research Laboratory of ESET Latin America.

Once executed, the applications can either display an error message stating that they have been removed due to an incompatibility with the victim’s device and then proceed to hide from the user’s view, or the other possibility is to offer the Function They promised as it can be to show the horoscope.

The main malicious function is hidden in an encrypted payload located in the assets of each app. The functionality of the payload is to impersonate bank applications installed on the victim’s device, intercept and send SMS messages, and download and install additional applications chosen by the operator. In a dynamic way malware can impersonate the identity of any application installed on the victim’s device, overlapping the legitimate application with false forms once the legitimate app is executed, giving the victim very few Chances of noticing that there’s something suspicious.

The 29 malicious applications have been removed from the official Android store after ESET researchers notified Google of its malignant nature. Also, before being eliminated from the store, the apps came to be installed by approximately 30,000 users in total.

“Fortunately this particular banking Trojan does not employ advanced tricks to ensure its persistence in the affected devices. Therefore, if you suspect that you have installed any of these apps, you simply need to uninstall them by entering the Settings section > Application management/apps. Also from ESET we recommend checking the bank account against possible suspicious transactions and consider modifying the password of the online banking system or the PIN code. “, Camilo Gutierrez concluded.

To avoid being a victim of this banking malware ESET recommends:

  • Only download apps from Google Play. While this does not ensure that the app is not malicious, this malignant behavior is more common in third-party stores, where they are hardly eliminated as much as they are discovered. The difference with Google Play is that they are quickly removed when they are reported.
  • Be sure to check the number of downloads, valuations and existing comments about the applications before downloading it from Google Play.
  • Pay attention to what permissions are given to apps that are installed.
  • Keep your Android device up to date and use a reliable mobile security solution.