Trojan dropper apps have flown under the radar on Google Play in recent months, netting over 300,000 downloads and stealthily installing malware that scoops up people’s banking details.
As mobile security firm ThreatFabric reveals, “in the span of only four months, four large Android families [Anatsa, Alien, Hydra, and Ermac] were spread via Google Play, resulting in 300,000+ infections via multiple dropper apps.”
The dropper apps disguised themselves as simple utilities, such as PDF and QR code scanners, as well as fitness apps. The Android apps looked legitimate, with many installations and positive reviews, and worked as promised, giving users little reason to suspect something was amiss.
Part of the trick here is that the apps don’t appear to have any malicious code at first. But, as ThreatFabric found, the apps “modified their behavior in later versions, adding the dropping functionality, and a wider set of permissions required.” At this point, users may trust the app and believe the update is necessary to continue using it. In the case of one fitness app, the app disguises the malicious download as a package of extra workouts the user could install.
The apps further avoid detection by being selective about which devices and regions they’ll attack and when. This can ensure the dropper app doesn’t attempt to install the malware while the app is undergoing its initial evaluation process for Google Play, and it can avoid installation in testing environments and emulators where it might be detected.
Once on the device, the malware can skim bank details through keystroke logging, take screenshots, and request access to the Accessibility Service so that the malware “has full control over the device and can perform actions on the victim’s behalf,” ThreatFabric explains.
Though these sophisticated tactics make it harder to identify suspicious apps, it’s still a good rule of thumb to avoid apps from unknown brands and to pay attention to the permissions you grant them, especially when an update asks for more than the app previously needed. Even file storage access alone can be enough to do some damage.