As reported by Ars Technica, a group of researchers from ThreatFabric discovered a string of applications that steal bank account credentials and drain funds from those accounts.
“What makes these Google Play distribution campaigns very difficult to detect from an automation (sandbox) and machine learning perspective is that dropper apps all have a very small malicious footprint,” researchers from mobile security company ThreatFabric wrote in a blog post. “This small footprint is a (direct) consequence of the permission restrictions enforced by Google Play.”
That means the apps start as something non-malicious. For example, they could be QR scanners, PDF scanners, or cryptocurrency wallets. Once installed, the apps will request that users download updates through third-party sources, which means you’re sideloading the updates onto your device, thus going around Google Play’s protections.
Working this way also means the apps aren’t detected by virus scanners when installed, since they are entirely harmless when first downloaded from Google Play. Only after they have earned the user’s trust and convinced them to download the third-party updates do they do their work.
“This incredible attention dedicated to evading unwanted attention renders automated malware detection less reliable,” the ThreatFabric post said. “This consideration is confirmed by the very low overall VirusTotal score of the 9 droppers we have investigated in this blog post.”
The specific malware family is called Anatsa, and it’s a Trojan targeting banks on Android. It has remote access and automatic fund transfer systems that can drain a user’s bank account once the operators have access. It comes with the ability to steal passwords and two-factor authentication codes. It can also log keystrokes and take screenshots.
So what can you do to avoid apps that slip through Google’s defenses? Don’t sideload updates for an app downloaded from Google Play. If the app needs a regular update, there should be no reason for the update to be sideloaded, as Google Play has its own update process for apps. The only reason a developer would need you to sideload an update is to get around Google’s protections for some reason.
Additionally, try to download apps from reputable companies if possible. You can also keep yourself safe by deleting apps you’re not using anymore.