It’s always important to do your research before downloading an app, no matter what it is. Unfortunately, a lot of users don’t bother to read the reviews or check the developer before downloading something, which can lead to them downloading malicious apps.
In the case of the 14 Android banking-malware dropper apps that Google just removed from the Play Store, users may not have even realized they were installing malware. The apps looked like legitimate productivity and utility apps, but they were actually designed to steal users' login credentials and bank account information.
Here’s the list of apps. Check to see whether or not you happen to have downloaded one of them at some point.
- Call Recorder APK (com.caduta.aisevsk)
- Rooster VPN (com.vpntool.androidweb)
- Super Cleaner- hyper & smart (com.j2ca.callrecorder)
- Document Scanner – PDF Creator (com.codeword.docscann)
- Universal Saver Pro (com.virtualapps.universalsaver)
- Eagle photo editor (com.techmediapro.photoediting)
- Call recorder pro+ (com.chestudio.callrecorder)
- Extra Cleaner (com.casualplay.leadbro)
- Crypto Utils (com.utilsmycrypto.mainer)
- FixCleaner (com.cleaner.fixgate)
- Just In: Video Motion (com.olivia.openpuremind)
- Lucky Cleaner (com.luckyg.cleaner)
- Simpli Cleaner (com.scando.qukscanner)
- Unicc QR Scanner (com.qrdscannerratedx)
How did these apps bypass Google's Play Protect feature?
Trend Micro labeled them DawDropper apps. They are droppers: the APK submitted to the Play Store contains no banking-trojan code of its own, only the logic to fetch a second-stage payload at runtime. Because both the payload and its download address live outside the app, in a Firebase Realtime Database, there was nothing malicious in the submitted package for Play Protect to flag. That is how they got past Play Protect.
Relying on a third-party cloud service let the apps obtain the payload download address dynamically, and change it at will, instead of hard-coding it into the APK. The researchers also found that the malicious payloads themselves were hosted on GitHub.
Sneaky by design
Each time security checks are tightened, bad actors raise the bar too and design apps that are sneaky by nature. What the dropper apps did was download more potent and intrusive malware onto the user's device.
Among the payloads identified:
- Octo (Coper)
The process works like this: the dropper connects to a Firebase Realtime Database, receives from it the GitHub URL where the malicious APK is hosted, and then downloads that file onto the phone.
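The two-stage fetch described above leaves a recognisable footprint on the network: a read from a Firebase Realtime Database host followed, shortly afterwards, by an APK download from GitHub by the same app. The following script is an added example, not code from the article or from Trend Micro, that looks for exactly that chain in per-app HTTP logs. The log format, the package names and the hosts in the sample are constructed for illustration; the Firebase and GitHub host names are the real ones those services use.

```python
"""Flag a DawDropper-style two-stage fetch in per-app HTTP logs.

Added example, not code from the article or from Trend Micro. The log
format is a constructed, hypothetical one ("<ts> <package> <method> <url>
<status> <content-type>"), as a lab MITM proxy might emit it. The detection
idea follows the article: an app reads a Firebase Realtime Database node
and shortly afterwards downloads an APK from GitHub.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample traffic (hypothetical packages and hosts, not real data).
SAMPLE_LOG = """\
2022-07-29T10:00:01Z com.example.notes GET https://sync.example-notes.test/v1/sync 200 application/json
2022-07-29T10:00:03Z com.example.dropper GET https://demo-dropper.firebaseio.com/cfg.json 200 application/json
2022-07-29T10:00:05Z com.example.dropper GET https://github.com/demo-user/demo-repo/releases/download/v1/update.apk 302 text/html
2022-07-29T10:00:06Z com.example.dropper GET https://objects.githubusercontent.com/github-production-release-asset/123/update.apk 200 application/vnd.android.package-archive
2022-07-29T10:01:00Z com.example.chat GET https://raw.githubusercontent.com/demo/emoji/main/list.json 200 text/plain
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<pkg>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
    r"\s+(?P<status>\d{3})\s+(?P<ctype>\S+)$"
)
# Firebase Realtime Database hosts: classic instances and newer regional ones.
FIREBASE_SUFFIXES = (".firebaseio.com", ".firebasedatabase.app")
# Hosts that serve GitHub repository files and release assets.
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}
APK_CTYPE = "application/vnd.android.package-archive"


@dataclass
class Request:
    ts: datetime
    pkg: str
    method: str
    url: str
    status: int
    ctype: str


def parse_log(text):
    """Parse log lines into Request records; malformed lines are skipped."""
    reqs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        reqs.append(Request(
            ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            pkg=m["pkg"], method=m["method"], url=m["url"],
            status=int(m["status"]), ctype=m["ctype"],
        ))
    return reqs


def is_firebase_read(r):
    """Any request to a Realtime Database host: REST '.json' reads or the SDK's websocket."""
    host = (urlparse(r.url).hostname or "").lower()
    return host.endswith(FIREBASE_SUFFIXES)


def is_github_apk_fetch(r):
    """An APK pulled from GitHub, judged by the URL path or the served content type."""
    parsed = urlparse(r.url)
    host = (parsed.hostname or "").lower()
    return host in GITHUB_HOSTS and (
        parsed.path.lower().endswith(".apk") or r.ctype == APK_CTYPE
    )


def find_dropper_chains(reqs, window=timedelta(minutes=10)):
    """Return {package: [(firebase_url, apk_url), ...]} for every GitHub APK
    download that follows a Firebase read by the same package within `window`."""
    by_pkg = defaultdict(list)
    for r in reqs:
        by_pkg[r.pkg].append(r)
    hits = defaultdict(list)
    for pkg, rs in by_pkg.items():
        rs.sort(key=lambda r: r.ts)
        reads = [r for r in rs if is_firebase_read(r)]
        for apk in (r for r in rs if is_github_apk_fetch(r)):
            prior = [f for f in reads if timedelta(0) <= apk.ts - f.ts <= window]
            if prior:
                hits[pkg].append((prior[-1].url, apk.url))
    return dict(hits)


if __name__ == "__main__":
    for pkg, chain in find_dropper_chains(parse_log(SAMPLE_LOG)).items():
        print(f"[!] possible dropper: {pkg}")
        for fb_url, apk_url in chain:
            print(f"    config read : {fb_url}")
            print(f"    apk download: {apk_url}")
```

Matching on the Firebase host rather than on a `.json` path is deliberate: the Firebase SDK talks to the same hosts over a websocket, so a path-based rule would miss an app that uses the SDK instead of the REST API. The GitHub redirect (`github.com` to `objects.githubusercontent.com`) is reported twice on purpose, so an analyst sees both the requested and the final URL; a raw JSON file pulled from GitHub by another app is not flagged.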
Banking malware apps have evolved
What's more, once installed, the downloaded payload also abused the Android Accessibility Service to gain control of the device and trick victims into giving up their financial information.
The process is automated, which makes it hard for users to spot anything suspicious. The app's icon also disappears from the home screen after installation, making it even harder to notice.
With Accessibility Service access the malware can observe which app is in the foreground and act on the screen on the user's behalf. It used this to display a fake login screen for more than 20 financial apps, including PayPal, Barclays, NatWest and Revolut.
Login details entered into the fake screen were sent to a remote server. The app also tried to extract additional financial information, such as credit card numbers, by drawing a fake overlay on top of legitimate apps.
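The two traits just described, an enabled accessibility service and a missing launcher icon, are both visible from a developer workstation over adb, which makes them a useful first triage step on a phone suspected of carrying one of these payloads. The script below is an added example, not code from the article or from Trend Micro. The three adb commands it refers to are real; the command outputs embedded in it are constructed samples, and the package names in them are hypothetical.

```python
"""Triage helper: list third-party apps that hold accessibility access and/or
expose no launcher icon, the two traits the article attributes to the payload.

Added example, not from the article or Trend Micro. It parses the output of
three real adb commands (sample outputs below are constructed):
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -3
  adb shell cmd package query-activities --brief \
      -a android.intent.action.MAIN -c android.intent.category.LAUNCHER
"""
import subprocess

# Constructed sample outputs (hypothetical packages, not from a real device).
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.hidden/.OverlaySvc"
)
SAMPLE_THIRD_PARTY = """\
package:com.example.hidden
package:com.example.notes
package:com.google.android.marvin.talkback
"""
SAMPLE_LAUNCHER = """\
3 activities found:
  com.android.settings/.Settings
  com.example.notes/.MainActivity
  com.google.android.marvin.talkback/.TalkBackPreferencesActivity
"""


def parse_accessibility(value):
    """Packages with an enabled accessibility service.
    The setting is colon-separated 'package/service' entries, or 'null' when empty."""
    value = value.strip()
    if not value or value == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}


def parse_package_list(text):
    """Package names from 'pm list packages' output ('package:<name>' per line)."""
    return {line.split(":", 1)[1].strip()
            for line in text.splitlines() if line.startswith("package:")}


def parse_launcher_packages(text):
    """Packages that expose a launcher activity. Assumes the --brief output lists
    one 'package/activity' per line after a header line (constructed format)."""
    pkgs = set()
    for line in text.splitlines():
        line = line.strip()
        if "/" in line:
            pkgs.add(line.split("/", 1)[0])
    return pkgs


def triage(accessibility_value, third_party_text, launcher_text):
    """Return {package: [flags]} for third-party packages that show either trait."""
    a11y = parse_accessibility(accessibility_value)
    third_party = parse_package_list(third_party_text)
    launchers = parse_launcher_packages(launcher_text)
    findings = {}
    for pkg in sorted(third_party):
        flags = []
        if pkg in a11y:
            flags.append("accessibility-enabled")
        if pkg not in launchers:
            flags.append("no-launcher-icon")
        if flags:
            findings[pkg] = flags
    return findings


def adb_shell(*args):
    """Run an adb shell command on the attached device and return its stdout."""
    return subprocess.run(["adb", "shell", *args], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Replace the constructed samples with live output when a device is attached.
    try:
        findings = triage(
            adb_shell("settings", "get", "secure", "enabled_accessibility_services"),
            adb_shell("pm", "list", "packages", "-3"),
            adb_shell("cmd", "package", "query-activities", "--brief",
                      "-a", "android.intent.action.MAIN",
                      "-c", "android.intent.category.LAUNCHER"),
        )
    except (FileNotFoundError, subprocess.CalledProcessError):
        findings = triage(SAMPLE_ACCESSIBILITY, SAMPLE_THIRD_PARTY, SAMPLE_LAUNCHER)
    for pkg, flags in findings.items():
        print(f"{pkg}: {', '.join(flags)}")
```

A package that carries both flags deserves a closer look (pull it with `adb pull` on the path `pm path <package>` reports and inspect it offline); a package with only the accessibility flag may simply be a screen reader or automation tool the user installed deliberately, which is why the script reports the flags separately rather than passing judgement.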
How to stay safe
To stay safe, only install apps from reputable developers, read the reviews before installing anything, and leave Google Play Protect switched on (you can also run a Play Protect scan manually from the Play Store). If you are not sure whether an app is safe, check with a trusted source such as Trend Micro.
If you have installed any of the apps listed above, uninstall them immediately, along with anything they installed, and change your banking passwords, ideally from a device you trust. Then keep an eye out for any unusual activity on your financial accounts.
If you think you may have been a victim of this scheme, contact your bank or financial institution and let them know. You should also report the incident to your country's national fraud and cybercrime reporting center.