Android banking malware infects 300,000 Google Play users
Malware campaigns distributing Android trojans that steal online banking credentials have infected almost 300,000 devices through malicious apps pushed via Google's Play Store.
The Android banking trojans delivered onto compromised devices attempt to steal users' credentials when they log in to online banking or cryptocurrency apps. Credential theft is commonly done with fake login form overlays drawn on top of the legitimate app's login screen, so the victim types their credentials into the attacker's form instead of the real one.
The stolen credentials are then sent back to the attacker’s servers, where they are collected to be sold to other threat actors or used to steal cryptocurrency and money from victims’ accounts.
In a new report by ThreatFabric, researchers explain how they discovered four different malware dropper campaigns distributing banking trojans on the Google Play Store.
While threat actors infiltrating the Google Play Store with Android banking trojans are nothing new, recent changes to Google’s policies and increased policing have forced threat actors to evolve their tactics to evade detection.
This evolution includes creating small, realistic-looking apps built around common themes such as fitness, cryptocurrency, QR codes, and PDF scanning to trick users into installing them. To add further legitimacy, the threat actors also create websites that match the app's theme, which helps the apps pass Google's review.
Furthermore, ThreatFabric has seen these apps being distributed only to specific regions, or only activated at a later date, to further evade detection by Google and antivirus vendors.
“This policing by Google has forced actors to find ways to significantly reduce the footprint of dropper apps. Besides improved malware code efforts, Google Play distribution campaigns are also more refined than previous campaigns,” ThreatFabric researchers explain in their new report.
“For example, by introducing carefully planned small malicious code updates over a longer period in Google Play, as well as sporting a dropper C2 backend to fully match the theme of the dropper app (for example a working Fitness website for a workout focused app).”
Once these "dropper" apps are installed, they silently communicate with the threat actor's server to receive commands. When the threat actor is ready to distribute the banking trojan, the server tells the installed app to perform a fake "update" that "drops" (installs) and launches the malware on the Android device.
Since July 2021, ThreatFabric has seen these fake apps dropping four different banking trojans, named 'Alien', 'Hydra', 'Ermac', and 'Anatsa', through sixteen different apps.
The “dropper” apps known to be used during these malware distribution campaigns are:
Other malicious apps seen installed by the above droppers and their associated banking trojans are:
During these four months of malicious activity, ThreatFabric found that the droppers were installed 300,000 times, with some individual droppers installed over 50,000 times.
The number of banks, money transfer apps, cryptocurrency exchanges, cryptocurrency wallets, and mail services targeted is large: approximately 537 online sites and mobile apps are targeted for credential theft.
The targeted organizations include Gmail, Chase, Citibank, HSBC, Coinbase, Kraken, Binance, KuCoin, CashApp, Zelle, TrustWallet, MetaMask, and more.
Google has since removed all of these malicious apps from the Play Store, but removal from the store does not by itself uninstall them from devices that already have them. If you have any of the above apps installed, remove them from your Android device immediately.
Furthermore, because Android malware developers keep evolving their techniques, users should pay close attention to the permissions an app requests and abort the install if they seem overly broad for the app's stated purpose. A QR code or PDF scanner, for example, has no reason to request permission to install other packages or to draw on top of other apps.
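The permission advice above can be turned into a mechanical triage check. The script below is an added example written for this page, not code from ThreatFabric or from BleepingComputer: it parses the output of `aapt dump badging app.apk` for an APK pulled off a device, and flags the permissions that the dropper behaviour described above requires, namely the ability to side-load another APK (the fake "update") and to draw overlays on top of other apps (the fake login forms). The package names, the sample badging output, and the scoring rule (any app that can install packages, or that combines two or more of the flagged permissions, is marked suspicious) are assumptions made for the example; the permission-to-capability mapping is standard Android semantics, not a list taken from the report.

```python
import re
from dataclasses import dataclass, field

# Permissions a dropper or overlay-based banking trojan typically needs.
# The mapping is a triage heuristic chosen for this example, not an
# indicator list from the ThreatFabric report.
SUSPICIOUS = {
    "android.permission.REQUEST_INSTALL_PACKAGES":
        "can side-load APKs (the fake 'update' that drops the payload)",
    "android.permission.SYSTEM_ALERT_WINDOW":
        "can draw overlays on top of other apps (fake login forms)",
    "android.permission.BIND_ACCESSIBILITY_SERVICE":
        "accessibility access, often abused to read screens and click through prompts",
    "android.permission.READ_SMS":
        "can read SMS, including one-time codes",
    "android.permission.RECEIVE_SMS":
        "can intercept incoming SMS",
}

# Line formats emitted by `aapt dump badging <apk>`.
PKG_RE = re.compile(r"^package: name='([^']+)'")
PERM_RE = re.compile(r"^uses-permission: name='([^']+)'")


@dataclass
class Finding:
    package: str
    permissions: list[str] = field(default_factory=list)
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Installing other packages is enough on its own; otherwise require
        # at least two flagged permissions to cut down on false positives.
        return ("android.permission.REQUEST_INSTALL_PACKAGES" in self.permissions
                or len(self.reasons) >= 2)


def parse_badging(text: str) -> tuple[str, list[str]]:
    """Extract the package name and declared permissions from badging output."""
    package = None
    perms: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = PKG_RE.match(line)
        if m:
            package = m.group(1)
            continue
        m = PERM_RE.match(line)
        if m:
            perms.append(m.group(1))
    if package is None:
        raise ValueError("no 'package:' line found in badging output")
    return package, perms


def triage(text: str) -> Finding:
    """Parse one APK's badging output and explain any flagged permissions."""
    package, perms = parse_badging(text)
    reasons = [f"{p}: {SUSPICIOUS[p]}" for p in perms if p in SUSPICIOUS]
    return Finding(package, perms, reasons)


# Constructed sample outputs; the package names are hypothetical.
BENIGN_BADGING = """\
package: name='com.example.qrscan' versionCode='12' versionName='2.1'
sdkVersion:'23'
targetSdkVersion:'30'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.INTERNET'
application-label:'QR Scanner'
"""

OVERLAY_ONLY_BADGING = """\
package: name='com.example.screenfilter' versionCode='4' versionName='1.3'
uses-permission: name='android.permission.SYSTEM_ALERT_WINDOW'
application-label:'Night Filter'
"""

DROPPER_BADGING = """\
package: name='com.example.qrscan2021' versionCode='3' versionName='1.0.2'
sdkVersion:'23'
targetSdkVersion:'30'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.REQUEST_INSTALL_PACKAGES'
uses-permission: name='android.permission.SYSTEM_ALERT_WINDOW'
application-label:'QR Scanner 2021'
"""

if __name__ == "__main__":
    for sample in (BENIGN_BADGING, OVERLAY_ONLY_BADGING, DROPPER_BADGING):
        f = triage(sample)
        verdict = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"{f.package}: {verdict}")
        for r in f.reasons:
            print("  -", r)
```

To run this against a real device, list third-party packages with `adb shell pm list packages -3`, find each APK's path with `adb shell pm path <package>`, `adb pull` it, and feed `aapt dump badging <apk>` to `triage()`. A screen-filter app legitimately needs the overlay permission, which is why a single flagged permission is reported but not marked suspicious; an app that can both draw over other apps and install packages is the combination a dropper needs and is flagged regardless of how harmless its theme looks.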
Anyone have a link to one of the “dropper” .apk’s on Virus Total?
This looks like one:
QR Scanner 2021
Copyright @ 2003 – 2021 Bleeping Computer® LLC – All Rights Reserved