According to a new report published by Threat Fabric, several malware distribution campaigns have infected almost 300,000 Android users. Infections were carried out by users downloading malicious apps from the Google Play Store containing malware droppers which would then drop banking trojans specifically designed for harvesting and stealing banking credentials.
The theft of credentials is primarily done via a fake banking login page that overlays a legitimate one. Threat actors then exfiltrate the credentials and either sell them on underground marketplaces or use the credentials to commit various kinds of banking fraud. While this phenomenon is certainly not new the tactics used, namely the evolution of past tactics is what has piqued the researcher’s interest in the campaigns.
According to the report, researchers discovered four separate malware distribution campaigns on the Google Play Store. Researchers believe that recent policy changes to how the app store seeks to protect users have forced threat actors to evolve their tactics in order to avoid detection. In the campaigns observed threat actors create small and realistic-looking apps along set themes.
Those themes include fitness, cryptocurrency, QR codes, and PDF scanning which are all popular app categories on the app store. To further help trick potential users to download the app, the apps have a professional-looking website for the purposes of marketing or at least would be traditionally used for marketing. Rather this is done to add a veneer of legitimacy with the intention of tricking a user to download the app.
Over the years this has proven to be an incredibly successful method of tricking users but it is not the part that has seen the most drastic evolution with regards to this campaign. Researchers discovered that certain apps are only being distributed in specific regions to avoid falling foul of Google’s policy changes and help evade detection. Researchers noted,
“This policing by Google has forced actors to find ways to significantly reduce the footprint of dropper apps. Besides improved malware code efforts, Google Play distribution campaigns are also more refined than previous campaigns. For example, by introducing carefully planned small malicious code updates over a longer period in Google Play as well as sporting a dropper C2 backend to fully match the theme of the dropper app (for example a working Fitness website for a workout focused app).”
“To make themselves even more difficult to detect, the actors behind these dropper apps only manually activate the installation of the banking trojan on an infected device in case they desire more victims in a specific region of the world. This makes automated detection a much harder strategy to adopt by any organization.”
Detection is further made difficult in that malware droppers leave a relatively small footprint on the app as they don’t need to contain the main malware payload. Once the app is downloaded and the device is compromised, the dropper module can then send a request to a server under the attacker’s control to download the main payload, namely a banking trojan in this case.
As the user would have typically agreed to the app’s permissions the sending and receiving of data is not prohibited. This will further assist the threat actor in exfiltrating banking credentials when the time comes.
As mentioned previously the four separate campaigns are being used to drop various banking trojans. The trojan which has been distributed the most, with over 200,000 infections is Anatsa. The malware was discovered by Threat FAbric in January 2021, and has been described by researchers as,
“Anatsa is a rather advanced Android banking trojan with RAT and semi-ATS capabilities. It can also perform classic overlay attacks in order to steal credentials, accessibility logging (capturing everything shown on the user’s screen), and keylogging. Previously ThreatFabric reported cases when Anatsa was distributed side-by-side with Cabassous in smishing campaigns all over Europe. Our latest findings show that Anatsa now utilizes Google Play dropper apps.”
Anatsa was primarily spread through a fake QR code scanner. Once downloaded the app notify the user, that it would need to be updated. If the user selects the update option in the app rather than performing the update, the dropper in the app will download Anatsa then install it to begin harvesting credentials.
The next two banking trojans were seen being distributed in the same campaign. Those two being Hydra and Ermac which were both dropped by a dropper named Brunhilda. In order to download either of the two malware strains the dropper sends a registration request to the command and control server controlled by the threat actor.
The dropper performs a second operation by sending more detailed information about the device to the server. Once that is completed the server will send the malware to be installed.
In a separate campaign, which used a fake fitness app to try trick users, Brunhilda was again used as the dropper for Alien, also tracked as AlienBot. Like with the campaign spreading Anatsa, the user had to agree to an update after allowing the app permission to send and receive data, as well as allow access to media on the device. In concluding the researchers summarized why using this evolution in tactics was son successful, stating,
“The small malicious footprint is a result of the new Google Play restrictions (current and planned) to put limitations on the use of privacy concerning app permissions. Permissions such as Accessibility Service, which in previous campaigns was one of the core tactics abused to automate the installation process of Android banking trojans via dropper apps in Google Play...By limiting the use of these permissions, actors were forced to choose the more conventional way of installing apps, which is by asking the installation permission, with the side-effect of blending in more with legitimate apps. This is one of the core reasons of the significant success of mobile banking threat actors in sneaking into Google’s trusted app store.”
FluBot Strikes Finland
In an article published by Bleeping Computer, it was reported that Finland's National Cyber Security Centre (NCSC-FI) has issued a "severe alert" to warn of a massive campaign distributing another infamous Android banking trojan FluBot. Fins are receiving SMSes which then redirect recipients to malicious websites pushing APK installers to download and install the malware. The NCSC-FI stated,
“According to our current estimate, approximately 70,000 messages have been sent in the last 24 hours. If the current campaign is as aggressive as the one in the summer [Finland experienced a similar FluBot distribution campaign this year, however, users were infected when opening a voicemail], we expect the number of messages to increase to hundreds of thousands in the coming days. There are already dozens of confirmed cases where devices have been infected,”
While it is clear that Android malware developers are focussing in on specific regions to bypass policy and security changes in apps, malware developers can still target a country without the need of the app store.
It is advised that users be very careful in clicking through to links received via an SMS, especially from unknown numbers or services not used by trusted companies. Even then a zero-trust policy for all incoming messages should be adopted.