Google: Google removes trojan-laden Android apps from Play Store: How they affected users – Times of India
Trojan malware uses apps that hide their real intentions which comes to light once users install these apps. The report claims that an app listed in the Google Play Store was impersonating a PDF reader, which when installed downloaded the trojan payload. The payload which was loaded from GitHub, was also disguised as an add-on to the original app.
Google has announced that it has identified the malicious apps and has removed them from Play Store. The tech giant has banned the developers and has added that Google Play Protect automatically removes such apps that contain this malware on Android devices with Google Play Services.
Earlier, in November 2021, ThreatFabric’s analysts also tracked other campaigns that used apps located in the Google Play Store to deliver the Anatsa banking trojan. These apps impersonated PDF scanners, QR code scanners, Adobe Illustrator apps and fitness tracker apps and had over 30,000 installations. The motive of this malware is to steal the credentials used by customers on banking apps and initiate fraudulent transactions by performing Device-Takeover (DTO) Fraud.
How the latest ‘Anatsa’ campaign worked
After Google removed the Anatsa-carrying app from Play Store, the attackers added another app to the Android app marketplace. This time the app was disguised as a PDF viewer app which was also downloading the payload disguised as an add-on for the app.
Google removed these apps from the Play Store whenever they were reported, and the attackers promptly uploaded a new dropper under a new disguise. The five apps that dropped the malware were submitted to Google Play in a clean form and were later updated with malicious code in order to evade Google’s strict code review process on the first submission.
Anatsa collects financial information like bank account credentials, credit card details, payment information, etc. The trojan overlays phishing pages in the foreground when the user attempts to launch their legitimate bank app and also via keylogging. The latest Anatsa trojan campaign affected nearly 600 financial apps of banking institutions from across the world.
“Since transactions are initiated from the same device that targeted bank customers regularly use, it has been reported that it is very challenging for banking anti-fraud systems to detect it,” explains ThreatFabric.
The stolen amounts are then converted to cryptocurrency and passed through an extensive network of money mules in the targeted countries. The network members then keep a portion of the stolen funds as a revenue share and send the rest to the attackers.
function loadGtagEvents(isGoogleCampaignActive) { if (!isGoogleCampaignActive) { return; } var id = document.getElementById('toi-plus-google-campaign'); if (id) { return; } (function(f, b, e, v, n, t, s) { t = b.createElement(e); t.async = !0; t.defer = !0; t.src = v; t.id = 'toi-plus-google-campaign'; s = b.getElementsByTagName(e)[0]; s.parentNode.insertBefore(t, s); })(f, b, e, 'https://www.googletagmanager.com/gtag/js?id=AW-877820074', n, t, s); };
window.TimesApps = window.TimesApps || {}; var TimesApps = window.TimesApps; TimesApps.toiPlusEvents = function(config) { var isConfigAvailable = "toiplus_site_settings" in f && "isFBCampaignActive" in f.toiplus_site_settings && "isGoogleCampaignActive" in f.toiplus_site_settings; var isPrimeUser = window.isPrime; if (isConfigAvailable && !isPrimeUser) { loadGtagEvents(f.toiplus_site_settings.isGoogleCampaignActive); loadFBEvents(f.toiplus_site_settings.isFBCampaignActive); } else { var JarvisUrl="https://jarvis.indiatimes.com/v1/feeds/toi_plus/site_settings/643526e21443833f0c454615?db_env=published"; window.getFromClient(JarvisUrl, function(config){ if (config) { loadGtagEvents(config?.isGoogleCampaignActive); loadFBEvents(config?.isFBCampaignActive); } }) } }; })( window, document, 'script', );
For all the latest Technology News Click Here