Android Apps Steal Banking Info, Use Motion Sensor to Evade Detection

silversurfer

Aug 17, 2014
Two Android apps infected with banking malware were found on the Google Play Store, already having been installed on thousands of Android devices and sporting dozens of fake five-star ratings.

The Trend Micro malware research team linked the malware payload found in the two apps with the Anubis banking Trojan based on code similarity and a shared command and control (C&C) server (i.e., aserogeege.space), known to have been targeting the Android platform for the last two years.

What sets the Currency Converter and BatterySaverMobi apps apart from other malware-ridden Android apps is their use of the motion sensors to detect if they've been installed in a malware analysis sandbox, in which case their malicious behavior will be stopped in its tracks.

With the help of a fake system update screen, the malicious apps would try to trick the user into giving them administrator privileges by authorizing the fake update.

[Image: Fake system update screen]

The built-in malware dropper will contact its C&C server using either Twitter or Telegram requests, and it will request commands using HTTP POST requests. The C&C server will then send an APK download link which will be installed by the dropper on the device.

Once the Anubis banking Trojan ends up on the compromised device, it starts collecting banking information using an inbuilt keylogger module or by taking screenshots when the user inserts credentials into banking apps, unlike other banking Trojans which use overlay screens for the same task.

As discovered by Trend Micro's researchers, the Anubis Trojan has been observed attacking 377 different bank applications from 93 countries all over the globe, with banks like Santander, RBS, Natwest, and Citibank, as well as non-banking apps such as Amazon, eBay, and PayPal in their list of targets.
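A static triage rule for the behaviour chain reported above (motion-sensor use in a utility app, an administrator-privilege request, APK installation, Twitter/Telegram lookups), added here as an example and not taken from the article or from Trend Micro. The mapping from behaviours to Android identifiers, the category list, the thresholds and the sample reports are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Behaviour named in the article -> static artefacts that suggest it (assumed mapping).
INDICATORS = {
    "motion_sensor": {"android.hardware.SensorManager"},
    "device_admin": {"android.permission.BIND_DEVICE_ADMIN",
                     "android.app.admin.DeviceAdminReceiver"},
    "apk_install": {"android.permission.REQUEST_INSTALL_PACKAGES"},
    "social_media_lookup": {"twitter.com", "t.me"},
}
# Store categories where reading motion sensors is unremarkable (assumption).
MOTION_EXPECTED = {"health_fitness", "game", "maps_navigation"}


@dataclass
class AppReport:
    package: str
    category: str
    artefacts: set = field(default_factory=set)  # permissions, classes, hosts


def triage(app):
    """Return (verdict, sorted list of matched behaviours) for one static report."""
    hits = sorted(name for name, marks in INDICATORS.items() if marks & app.artefacts)
    odd_sensor = "motion_sensor" in hits and app.category not in MOTION_EXPECTED
    dropper_traits = [h for h in hits if h != "motion_sensor"]
    if odd_sensor and len(dropper_traits) >= 2:
        verdict = "escalate"  # rerun dynamic analysis with simulated motion input
    elif dropper_traits and (odd_sensor or len(dropper_traits) >= 2):
        verdict = "review"
    else:
        verdict = "pass"
    return verdict, hits


# Constructed sample reports; package names are placeholders, not real apps.
SAMPLES = [
    AppReport("example.converter", "finance",
              {"android.hardware.SensorManager", "twitter.com",
               "android.permission.BIND_DEVICE_ADMIN",
               "android.permission.REQUEST_INSTALL_PACKAGES"}),
    AppReport("example.stepcounter", "health_fitness",
              {"android.hardware.SensorManager"}),
    AppReport("example.mdmclient", "business",
              {"android.permission.BIND_DEVICE_ADMIN"}),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample.package, *triage(sample))
```

An "escalate" verdict is a cue to rerun the sample in a sandbox that feeds simulated motion data, since the apps described above stay dormant when the sensors report no movement.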