Four different banking Trojans spread through the Play Store between August and September 2021, racking up a harvest of 300,000 infections, reports ThreatFabric. The researchers emphasize that despite Google's efforts, the malware keeps spreading and the criminals behind it use ever more sophisticated methods.
Anatsa (aka TeaBot), Alien, ERMAC, and Hydra: what do they have in common? They are all banking Trojans that the ThreatFabric researchers count among the ranks of next-generation malware. A little over a quarter of a year was enough to infect up to 300,000 devices, usually without the owner knowing.
While traditional malware works in a binary way (either it is present and remains a threat, or it is not), next-generation malicious code turns out to be more subtle. It wakes up only under certain conditions, such as in a specific location, and then delays the final attack, so that the victim cannot associate it with a specific application or event.
New generation, i.e. surgically precise
The story of ERMAC and Hydra is given as an example: Trojans initially not used against US residents, and later precisely introduced into that market via a QR code scanning application. Having detected a non-US location, the scanner behaved like an honest tool and did not download any junk.
Another pattern is a series of attacks exploiting the TeaBot Trojan. The applications distributing it did not contain a single line of malicious code, so they walked straight through the Google Play Protect algorithms and the rest of the checks. The payload was only downloaded later by the update mechanism, or by a website mimicking a remote control panel.
Yet another tactic was chosen by the authors of the Alien Trojan. They added their malware to a fitness application, but again not directly: it came in a package with additional sets of exercises. If the user chose not to download them, the device remained safe. But who would refuse a freebie?
12 malicious apps on the Play Store
So as not to be unfounded, the ThreatFabric team has prepared a list of 12 applications found on the Play Store that used the techniques described. Recall that they successfully infected over 300,000 devices. It is not known how many of those infections remain dormant, but it is undoubtedly better not to tempt fate. Here they are:
- Two Factor Authenticator (com.flowdivison)
- Protection Guard (com.protectionguard.app)
- QR CreatorScanner (com.ready.qrscanner.mix)
- Master Scanner Live (com.multifuction.combine.qr)
- QR Scanner 2021 (com.qr.code.generate)
- QR Scanner (com.qr.barqr.scangen)
- PDF Document (com.xaviermuches.docscannerpro2)
- Scanner – Scan to PDF
- PDF Document Scanner (com.docscanverifier.mobile)
- PDF Document Scanner Free (com.doscanner.mobile)
- CryptoTracker (cryptolistapp.app.com.cryptotracker)
- Gym and Fitness Trainer (com.gym.trainer.jeux)
Photo source: Unsplash (Łukasz Radziejewski)
Text source: ThreatFabric, own editing