Android users have once again been targeted by malware authors after 29 stealthy mobile banking trojans disguised as apps for various uses were discovered in the Google Play store.
Malware creators continue to test the attention of Android users by slipping camouflaged mobile banking trojans into the Google Play store. Recently, we analyzed a set of 29 stealthy trojans of this type that were found in the official Android store between August and early October 2018, disguised as device boosters and cleaners, battery managers and even horoscope apps.
Unlike the increasingly common malicious apps that rely purely on impersonating legitimate financial institutions and displaying bogus login screens, the apps analyzed here belong to the category of sophisticated mobile banking malware with complex functionality and a strong focus on stealth.
These remotely controlled Trojans can dynamically target any app they find on the victim’s device with tailored phishing forms. Beyond that, they can intercept and redirect text messages to bypass SMS-based two-factor authentication, intercept call logs, and download and install other apps on the compromised device. The malicious apps were mostly uploaded under different developer names, but the code similarities and the shared C&C server suggest they are the work of a single attacker or group.

Figure 1 – Examples of banking trojans discovered in Google Play.
The 29 malicious applications have been removed from the official Android store after ESET researchers notified Google of their malicious nature. Before they were taken down, the apps had been installed by approximately 30,000 users in total.
How did these banking trojans operate?
Once launched, the apps either display an error message claiming they have been removed because of an incompatibility with the victim’s device and then hide themselves from the user’s view, or they deliver the functionality they promised (such as showing a horoscope).

Figure 2 – A fake error message displayed by one of these Trojans after it is launched.
Regardless of which of the above behaviors an app shows, the main malicious functionality is hidden in an encrypted payload stored in the app’s assets. This payload is base64-encoded and then RC4-encrypted with a hardcoded key. The first stage of the malware is a dropper that begins by checking for the presence of an emulator or sandbox. If no emulator or sandbox is detected, it decrypts and drops a loader together with a payload containing the actual banking malware. Some of the apps we analyzed contain more than one stage of such encrypted payloads.
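To make that packing concrete, here is an added example written for this page (not ESET’s tooling and not the dropper’s own Java) that reproduces the transform the article describes: an asset that was base64-encoded and then RC4-encrypted with a hardcoded key, unpacked the way an analyst would after pulling the asset out of the APK. The key, the asset names and the stand-in DEX bytes are constructed for the demo; in a real case the key is recovered from the decompiled dropper, and the emulator check shown in Figure 3 is not reproduced here.

```python
import base64

# Added illustration for this article: key, asset names and payload bytes are
# constructed, and the packing order follows the article (base64, then RC4).


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). The cipher is symmetric, so one function
    both encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                                  # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                                     # keystream generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def b64decode_strict(raw: bytes) -> bytes:
    """Android's Base64 encoder wraps lines unless NO_WRAP is set, so strip
    whitespace first; validate=True then rejects anything that is not real
    base64, which is how a wrong RC4 key surfaces (ValueError) instead of
    silently yielding garbage."""
    return base64.b64decode(b"".join(raw.split()), validate=True)


def pack_payload(key: bytes, payload: bytes) -> bytes:
    """How the dropper author packed the asset, per the article:
    base64-encode, then RC4-encrypt with the hardcoded key."""
    return rc4(key, base64.b64encode(payload))


def unpack_payload(key: bytes, blob: bytes) -> bytes:
    """Reverse the packing: RC4-decrypt, then base64-decode."""
    return b64decode_strict(rc4(key, blob))


def looks_like_dex(data: bytes) -> bool:
    """A dropped stage is Dalvik bytecode; dex files start with 'dex\\n0NN\\0'."""
    return len(data) >= 8 and data[:4] == b"dex\n" and data[7:8] == b"\0"


def find_hidden_stages(key: bytes, assets: dict) -> dict:
    """Try the unpacking on every asset and keep those that turn into DEX.
    Assets that are not base64 under this key raise and are skipped."""
    stages = {}
    for name, blob in assets.items():
        try:
            plain = unpack_payload(key, blob)
        except ValueError:
            continue
        if looks_like_dex(plain):
            stages[name] = plain
    return stages


# --- constructed sample input (stands in for what one would pull from the APK) ---
SAMPLE_KEY = b"hardcoded-demo-key"   # assumption: the real key comes from the decompiled dropper
FAKE_DEX = b"dex\n035\0" + b"\0" * 24 + b"constructed stand-in for a hidden classes.dex"
SAMPLE_ASSETS = {
    "horoscope_data.bin": pack_payload(SAMPLE_KEY, FAKE_DEX),   # the encrypted stage
    "splash.png": b"\x89PNG\r\n\x1a\n" + b"\0" * 16,            # an ordinary asset
}

if __name__ == "__main__":
    for name, dex in find_hidden_stages(SAMPLE_KEY, SAMPLE_ASSETS).items():
        print(f"{name}: {len(dex)} bytes, magic {dex[:8]!r}")
```

Running the unpacker over every asset with the candidate key, rather than only over the one the dropper references, is what catches the multi-stage variants: a decrypted loader can itself carry another blob packed the same way, and the DEX magic check separates real stages from assets that merely happen to decode.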

Figure 3 – Functions used to detect an Android emulator.
The final payload’s functionality is to impersonate banking apps installed on the victim’s device, intercept and send SMS messages, and download and install additional applications of the operator’s choosing. Its most significant capability is that the malware can dynamically impersonate any app installed on the victim’s device. It does this by retrieving the HTML code of the apps installed on the device and using that code to overlay the legitimate app with bogus forms once the legitimate app is launched, leaving the victim very little chance of noticing anything suspicious.
How to be protected from this type of malware
Fortunately, these particular banking trojans (the complete list can be found in the IoCs section) do not employ advanced tricks to ensure their persistence on affected devices. Therefore, if you suspect that you have installed any of these apps, you can simply uninstall them under Settings > Application Manager / Apps.
We also recommend that you check your bank account for suspicious transactions and consider changing your online banking password or PIN code.
To avoid becoming a victim of this banking malware we recommend:
- Only download apps from Google Play. While this does not guarantee that an app is not malicious, this kind of malicious behavior is more common in third-party stores, where such apps are rarely removed even after being discovered, unlike Google Play, where reported apps are removed quickly.
- Before installing an app from Google Play, check its number of downloads, its rating and the existing user reviews.
- Pay attention to what permissions you give to the apps you install.
- Keep your Android device up to date and use a reliable mobile security solution. ESET products detect and block this threat as Android/TrojanDropper.Agent.CIQ.
Have you used any of these apps, or have you been infected by a Trojan on your mobile phone or computer? Let us know in the comments.