Between August and November 2021, four different Android banking trojans were propagated via the official Google Play Store, resulting in over 300,000 infections using multiple dropper applications that posed as seemingly innocent utility apps to take complete control of afflicted devices.
According to ThreatFabric, the malware attacks are crafted to deliver Anatsa (TeaBot), ERMAC, Alien, and Hydra. They are more refined and engineered to have a limited harmful footprint, ensuring that payloads are installed exclusively on cellphones from certain countries and preventing malware from being downloaded during the publication process.
Google implemented restrictions earlier this month on the use of accessibility permissions, which malicious apps abuse to steal sensitive data from Android devices. The malware developers are also refining their tactics in other ways, even when forced to use the more traditional route of distributing the applications through the app marketplace.
One of the most common ways is versioning, which involves uploading clean versions of programs first and then gradually introducing harmful functionality through future software updates. Another strategy is to create look-alike command-and-control (C2) websites that fit the theme of the dropper software to avoid detection by traditional methods.
Since June 2021, ThreatFabric has found six Anatsa droppers on the Play Store. Each of them is configured to download an “update” before soliciting users to allow permission to install apps and access the Accessibility Service.
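The "versioning" trick above (a clean first release followed by updates that add side-loading and Accessibility Service capabilities) is visible in the app's own manifest history. The following added example, which is not ThreatFabric's tooling or code from the article, compares successive versions of an AndroidManifest and flags newly requested high-risk capabilities; the two manifests are constructed samples, and the package name, service name and version codes are assumptions. The permission strings `android.permission.REQUEST_INSTALL_PACKAGES` and `android.permission.BIND_ACCESSIBILITY_SERVICE` are real Android identifiers.

```python
"""Flag capability escalation across successive versions of an Android app
manifest: the 'versioning' dropper pattern described in the article.
Constructed example; not ThreatFabric's tooling."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _a(attr):
    """Fully qualified name for an android:-namespaced attribute."""
    return f"{{{ANDROID_NS}}}{attr}"


# Real Android identifiers for the two capabilities the droppers request:
# installing an APK from outside the store, and binding an Accessibility Service.
SIDELOAD_PERMISSION = "android.permission.REQUEST_INSTALL_PACKAGES"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def manifest_capabilities(manifest_xml):
    """Return (version_code, permissions, accessibility_services) for one manifest."""
    root = ET.fromstring(manifest_xml)
    version = int(root.get(_a("versionCode"), "0"))
    permissions = {el.get(_a("name")) for el in root.iter("uses-permission")}
    # A service guarded by BIND_ACCESSIBILITY_SERVICE is an Accessibility Service.
    services = {
        el.get(_a("name"))
        for el in root.iter("service")
        if el.get(_a("permission")) == ACCESSIBILITY_BIND
    }
    return version, permissions, services


def update_escalations(manifests):
    """Order manifests by versionCode, diff each against its predecessor and
    report newly added high-risk capabilities as (version, kind, identifier)."""
    snapshots = sorted((manifest_capabilities(m) for m in manifests), key=lambda s: s[0])
    findings = []
    for (_, old_p, old_s), (new_v, new_p, new_s) in zip(snapshots, snapshots[1:]):
        if SIDELOAD_PERMISSION in new_p - old_p:
            findings.append((new_v, "new permission", SIDELOAD_PERMISSION))
        for svc in sorted(new_s - old_s):
            findings.append((new_v, "new accessibility service", svc))
    return findings


# Constructed sample: a clean-looking QR utility (v1) and its malicious update (v2).
# Package and service names are invented for the example.
MANIFEST_V1 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.qrtool" android:versionCode="1">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="QR Tool"/>
</manifest>"""

MANIFEST_V2 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.qrtool" android:versionCode="2">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="QR Tool">
    <service android:name=".UpdateService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    for version, kind, ident in update_escalations([MANIFEST_V2, MANIFEST_V1]):
        print(f"v{version}: {kind}: {ident}")
```

Run against an app's stored manifest history, the report names the exact update in which a utility app started asking to install packages or to bind an Accessibility Service; a review pipeline can hold such an update for manual inspection rather than treating the app's clean first release as a permanent clean verdict.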
Brunhilda, a malicious actor first identified in July 2021 for delivering the Vultur remote access trojan, used trojanized applications posing as QR code maker apps to distribute Hydra and ERMAC malware to consumers in the United States, a market hitherto ignored by the two malware families.
Finally, a fitness training dropper app called GymDrop was discovered delivering the Alien banking trojan payload by masquerading it as a “new package of workout exercises,” even as its ostensibly legitimate developer website doubles as the C2 server to fetch the configuration needed to download the malware.
To make themselves even harder to identify, the actors behind these dropper apps manually trigger the installation of the banking trojan on an infected device only when they want more victims in a particular region of the world, the researchers added. This makes automated detection considerably harder for any company to implement.