Android Banking Malware Downloaded 10,000 Times from Google Play: What to Do

A dangerous banking Trojan known as "Cerberus" was found to be posing as a Spanish currency converter app available for download from the Google Play Store.

According to researchers at antivirus firm Avast, the app targeted Spanish Android users and had over 10,000 downloads.

Avast explained that the app "posed as a real app in order to access bank account information of unsuspecting users." The fact that a banking Trojan was able to infiltrate the Google Play store in the first place is not well known.

"The 'real' app this time was posing as a Spanish currency converter called Calculadora de Moneda," wrote Avast's Ondrej David in a blog post. "According to our investigation, [the app] hid its malicious intent for the first few weeks while it was available in the store.

"This was probably to sneak users in before launching any malicious activity that might attract the attention of malware researchers or Google's Play Protect team," David added. "As a result, the app has been downloaded over 10,000 times so far. We have reported this to Google so they can remove this app immediately."

Avast points out that banking Trojans often function in a "stealth fashion," acting normally for a period of time to gain the user's trust before accessing the user's banking details.

According to Avast, there are multiple stages to this process. The first stage is to induce users to download malicious apps. Eventually, however, these apps update themselves or install another app on the victim's device in order to steal financial details.

David explains that the currency converter app "did not steal or harm data" at first. However, it was not long before a banking Trojan horse was set in motion.

"Later versions of the currency converter included 'dropper code' but still did not start at first. In other words, the command and control server (C&C) that directs the app did not issue any commands, so the user never saw or downloaded the malware," David wrote. In recent days, however, Threat Labs noticed that the "command and control server" was issuing new commands and downloading additional malicious Android application packages (APKs): the banker.

In the final stage, Avast stated that the Banker app "sits on top of existing banking apps and waits for users to log into their bank accounts" by exploiting Android features for visually and hearing impaired users.

This can "create a waiting state on the login screen and steal all access data," and can even "read text messages and two-factor authentication details, meaning it can bypass all security measures."

To stay safe from banking Trojans, Avast recommends using only verified and trusted banking apps, reading user reviews and ratings on the Google Play Store (and avoiding third-party stores), checking an app's permissions to make sure it is not too demanding, and downloading and using one of the best Android antivirus apps.
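
The permission check recommended above can be run against an app's decoded AndroidManifest.xml. This is an added example, not code from Avast or the original article; the sample manifests, the package names, the helper names `audit_manifest` and `is_too_demanding`, and the rule for what counts as "too demanding" for a currency converter are all assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Manifest signals for the behaviours the article describes:
# accessibility abuse, reading SMS 2FA codes, and dropping a further APK.
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"

def audit_manifest(xml_text):
    """Return a sorted list of findings for a decoded (text) AndroidManifest.xml."""
    root = ET.fromstring(xml_text.strip())
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    findings = []
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    if any(s.get(ANDROID + "permission") == A11Y_BIND for s in root.iter("service")):
        findings.append("accessibility-service")
    if requested & SMS_PERMS:
        findings.append("reads-sms")
    if INSTALL_PERM in requested:
        findings.append("installs-packages")
    return sorted(findings)

def is_too_demanding(xml_text):
    """Assumed rule: a converter app has no need for an accessibility service
    combined with SMS access or the ability to install other packages."""
    f = audit_manifest(xml_text)
    return "accessibility-service" in f and ("reads-sms" in f or "installs-packages" in f)

# Constructed sample manifests (not taken from the real app).
SUSPICIOUS = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.converter">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".Helper" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>
"""
BENIGN = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.rates">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>
"""

if __name__ == "__main__":
    for name, text in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, audit_manifest(text), is_too_demanding(text))
```

A clean result does not clear an app: as the article notes, early versions of the converter behaved normally, so the check needs to be repeated after each update.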