silversurfer
Two Android apps infected with banking malware were found on the Google Play Store, already having been installed on thousands of Android devices and sporting dozens of fake five-star ratings.
The Trend Micro malware research team linked the malware payload found in the two apps with the Anubis banking Trojan based on code similarity and a shared command and control (C&C) server (i.e., aserogeege.space), known to have been targeting the Android platform for the last two years.
What sets the Currency Converter and BatterySaverMobi apps apart from other malware-ridden Android apps is their use of the motion sensors to detect if they've been installed in a malware analysis sandbox, in which case their malicious behavior will be stopped in its tracks.
With the help of a fake system update screen, the malicious apps would try to trick the user into giving them administrator privileges by authorizing the fake update.
[Image: Fake system update screen]
The built-in malware dropper will contact its C&C server using either Twitter or Telegram requests, and it will request commands using HTTP POST requests. The C&C server will then send an APK download link which will be installed by the dropper on the device.
Once the Anubis banking Trojan ends up on the compromised device, it starts collecting banking information using an inbuilt keylogger module or by taking screenshots when the user inserts credentials into banking apps, unlike other banking Trojans which use overlay screens for the same task.
As discovered by Trend Micro's researchers, the Anubis Trojan has been observed attacking 377 different bank applications from 93 countries all over the globe, with banks like Santander, RBS, Natwest, and Citibank, as well as non-banking apps such as Amazon, eBay, and PayPal in their list of targets.
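The motion-sensor check described above works because an emulator with no sensor backend reports a flat, unchanging accelerometer feed. The following added example (not code from the post or from Trend Micro) shows how an analysis sandbox can synthesize a realistic, noisy accelerometer stream and verify that its own feed is not trivially flat before detonating a sample; the `synth_accel_samples`, `feed_is_flat` and `emulator_console_commands` names are assumptions, and the command string follows the Android emulator console's `sensor set acceleration x:y:z` syntax.

```python
import math
import random
import statistics

GRAVITY = 9.81  # m/s^2, magnitude a resting phone reports on one axis


def synth_accel_samples(n, hz=50, seed=0):
    """Return n (x, y, z) samples in m/s^2 mimicking a phone held in a hand:
    gravity mostly on z, a slow random-walk tilt, a gentle sway and fine tremor.
    Constructed synthetic data, deterministic for a given seed."""
    rng = random.Random(seed)
    samples = []
    tilt = 0.0  # radians, drifts slowly like a hand that is not perfectly still
    for i in range(n):
        t = i / hz
        tilt += rng.gauss(0.0, 0.002)
        tremor = [rng.gauss(0.0, 0.05) for _ in range(3)]
        x = GRAVITY * math.sin(tilt) + 0.1 * math.sin(2 * math.pi * 0.3 * t) + tremor[0]
        y = 0.1 * math.cos(2 * math.pi * 0.2 * t) + tremor[1]
        z = GRAVITY * math.cos(tilt) + tremor[2]
        samples.append((x, y, z))
    return samples


def feed_is_flat(samples, threshold=0.005):
    """Sandbox self-check: True when every axis barely moves, i.e. the feed
    looks like an emulator with no sensor backend (constant readings)."""
    if len(samples) < 2:
        return True
    for axis in range(3):
        if statistics.pvariance(s[axis] for s in samples) >= threshold:
            return False
    return True


def mean_magnitude(samples):
    """Average |a|; a believable feed stays close to GRAVITY."""
    return statistics.fmean(math.sqrt(x * x + y * y + z * z) for x, y, z in samples)


def emulator_console_commands(samples):
    """Render samples as Android emulator console commands to replay them."""
    return ["sensor set acceleration %.3f:%.3f:%.3f" % s for s in samples]


if __name__ == "__main__":
    stream = synth_accel_samples(500)
    print("flat:", feed_is_flat(stream), "mean |a|:", round(mean_magnitude(stream), 2))
    print(emulator_console_commands(stream)[0])
```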