Google regularly updates the Google Play Store security system and performs many types of scans. One recent modification to the Play Store security system limits the use of Accessibility Services, which earlier dropper campaigns abused to automate the installation of apps without user consent.
In the research post, ThreatFabric noted that this new update does not appear to have slowed down the operators of Loader-as-a-Service systems at all. ThreatFabric says that malware gangs have responded to Google’s latest change by submitting clean apps to Google’s Bouncer checks and then incrementally adding the malicious code throughout one or more app updates.
The malicious code was mainly hidden in fully functional apps such as QR code readers/scanners, PDF scanners, fitness apps, and joke/wallpaper apps. Along with the legitimate functionality they offered, these apps also included a special module called a “loader.”
Loaders are small pieces of malware that are hidden inside an app. They typically contain very little and very benign functionality, such as the ability to connect to a remote server to download and run additional code.
With these new Play Store security updates, Google has forced actors to find ways to significantly reduce the footprint of dropper apps. Besides improved malware code, Google Play distribution campaigns are also more refined than previous ones: for example, carefully planned small malicious code updates introduced over a longer period, as well as a dropper C2 backend that fully matches the theme of the dropper app (for example, a working fitness website for a workout-focused app).
Because of this design, loaders are the most reliable payload distribution mechanism for cyber crooks. Attackers submit an app containing only legitimate code for scanning and get it listed on the Play Store. Later, once the app is installed on user devices, they push updates that deploy the actual malware.
Once the entire loader code is present inside an app, the malware gangs can then move to ask users for access to dangerous permissions and deploy their final payloads on the infected devices.
ThreatFabric noted it has already seen four different Android banking trojans using these updated delivery tactics in real-world campaigns. The list includes banking trojans like Anatsa, Ermac, Hydra, and Alien.
After successfully downloading the “update”, the user will be asked for permission to install apps from unknown sources. The user, previously convinced that the update is necessary for the app to work properly, grants the permission. After the installation is complete, Anatsa is running on the device and immediately asks the victim to grant Accessibility Service privileges.
Once the loaders install any of these four, these banking trojans can steal credentials for social media, instant messaging, mobile banking, and cryptocurrency apps. Some of them also have the ability to bypass SMS-based two-factor authentication and automate the theft of user funds.
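The staged delivery described above (a clean first release, then updates that add sideloading, Accessibility Service and SMS capabilities) shows up as a permission escalation between manifest versions. The following check is an added example, not ThreatFabric's or Google's code; the two manifests and the package name com.example.scanner are constructed, while the permission names are real Android identifiers.

```python
# Flag high-risk permission escalation between two manifest versions: the
# campaigns above publish a clean first release and add sideloading,
# accessibility and SMS capabilities in later updates. Manifests are constructed.
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
# Real Android permission names; the risk labels are this example's own.
HIGH_RISK = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "install from unknown sources",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
    "android.permission.RECEIVE_SMS": "SMS interception (2FA bypass)",
    "android.permission.READ_SMS": "SMS interception (2FA bypass)",
}

def permissions(manifest_xml):
    """<uses-permission> names plus permissions that declared services require."""
    root = ET.fromstring(manifest_xml)
    found = {e.get(NS + "name") for e in root.iter("uses-permission")}
    found |= {s.get(NS + "permission") for s in root.iter("service")}
    return {p for p in found if p}

def escalation(old_xml, new_xml):
    """High-risk permissions present in the new version but absent from the old."""
    added = permissions(new_xml) - permissions(old_xml)
    return {p: HIGH_RISK[p] for p in sorted(added) if p in HIGH_RISK}

# Constructed manifests for a fictional scanner app: v1 is clean, v2 adds
# what a loader needs to fetch and run its second stage.
MANIFEST_V1 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.scanner">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
MANIFEST_V2 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.scanner">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application><service android:name=".Helper"
    android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/></application>
</manifest>"""

if __name__ == "__main__":
    for perm, why in escalation(MANIFEST_V1, MANIFEST_V2).items():
        print(f"new high-risk permission: {perm} ({why})")
```

Run against the decoded manifests of consecutive APK releases, the same comparison flags an update that suddenly asks for sideloading or accessibility rights, which is the step the article describes.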
ThreatFabric has reported many apps carrying malicious code and has notified the Google security team about them. Some of them are:
| App Name | Package Name |
| --- | --- |
| PDF Document Scanner – Scan to PDF | com.xaviermuches.docscannerpro2 |
| PDF Document Scanner | com.docscanverifier.mobile |
| PDF Document Scanner Free | com.doscanner.mobile |
| QR Scanner 2021 | com.qr.code.generate |
| Master Scanner Live | com.multifuction.combine.qr |
| Gym and Fitness Trainer | com.gym.trainer.jeux |
| Two Factor Authenticator | com.flowdivison |