Android banking trojan spreads via fake Google Play Store page

silversurfer

The actors have set up a page that looks very close to Android's official Google Play app store to trick visitors into thinking they are installing the app from a trustworthy service.
The malware pretends to be the official banking app for Itaú Unibanco and features the same icon as the legitimate app.
If the user clicks on the "Install" button, they are offered the APK as a download, which is the first sign of the scam. Google Play Store apps are installed through the store interface, never asking the user to download and install programs manually.
Researchers at Cyble analyzed the malware, finding that upon execution, it attempts to open the real Itaú app from the actual Play Store.
If that succeeds, it uses the actual app to perform fraudulent transactions by changing the user's input fields.
The app doesn't request any dangerous permissions during installation, thus avoiding raising suspicion or risking detection from AV tools.
Instead, it aims to leverage the Accessibility Service, which is all that's needed by mobile malware to bypass all security on Android systems.
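
A triage check for the pattern described above, as an added example that is not part of the original post or of Cyble's analysis: it reads a decoded `AndroidManifest.xml` (for instance, one produced by apktool) and flags an app that declares an Accessibility Service while requesting no dangerous permissions. The package names and sample manifests are constructed, and the `DANGEROUS` set is an illustrative subset of Android's runtime permissions.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
A11Y_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"
# Illustrative subset of Android "dangerous" (runtime) permissions.
DANGEROUS = {
    "android.permission.READ_SMS", "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS", "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG", "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO", "android.permission.ACCESS_FINE_LOCATION",
}

def triage_manifest(manifest_xml):
    """Summarise accessibility-service use versus requested permissions."""
    root = ET.fromstring(manifest_xml.strip())
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    services = []
    for svc in root.iter("service"):
        actions = {a.get(ANDROID + "name") for a in svc.iter("action")}
        # An accessibility service must be protected by this permission
        # and answer this intent action for the system to bind to it.
        if svc.get(ANDROID + "permission") == A11Y_PERMISSION and A11Y_ACTION in actions:
            services.append(svc.get(ANDROID + "name"))
    dangerous = sorted(requested & DANGEROUS)
    return {
        "package": root.get("package"),
        "accessibility_services": services,
        "dangerous_permissions": dangerous,
        # Pattern from the post: accessibility service, no dangerous permissions.
        "review": bool(services) and not dangerous,
    }

# Constructed sample manifests (not taken from the analysed malware).
NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'
SAMPLE_SUSPECT = f"""
<manifest {NS} package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".SyncService" android:permission="{A11Y_PERMISSION}">
      <intent-filter><action android:name="{A11Y_ACTION}"/></intent-filter>
    </service>
  </application>
</manifest>"""
SAMPLE_BENIGN = f"""
<manifest {NS} package="com.example.scanner">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for sample in (SAMPLE_SUSPECT, SAMPLE_BENIGN):
        print(triage_manifest(sample))
```

Legitimate assistive apps also declare accessibility services, so the `review` flag marks a sample for manual inspection rather than labelling it malicious.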