- Two apps with motion-based evasion tactics found on Google Play Store.
- Reportedly, they dropped Anubis malware on affected devices.
- Google has removed the apps from its Store.
Japanese IT security company Trend Micro has claimed that it has found two malicious apps which drop wide-reaching banking malware. These two apps were found to be disguised as useful tools, simply named Currency Converter and BatterySaverMobi. The discovery of malicious apps on Google Play Store is not new, but what matters is that these apps are removed from the platform. In this case as well, Google has confirmed that both these apps are no longer on the Play Store.
Trend Micro says that the battery app was downloaded more than 5,000 times before it was taken down, and boasted a score of 4.5 stars from 73 reviewers. “However, a close look at the posted reviews show signs that they may not have been valid; some anonymous usernames were spotted and a few review statements are illogical and lack detail,” the company claims. Both apps dropped a malicious payload: the Anubis banking malware.
After analyzing the payload, Trend Micro says it found the code strikingly similar to already known Anubis samples. The firm saw that it connects to a command and control (C&C) server at the domain aserogeege.space, which is also linked to Anubis. The Anubis malware presents itself as a harmless app, prompts the user to grant it accessibility rights, and then attempts to steal account information.
How the apps evade detection
These apps do not use traditional evasion techniques such as extended sleep; instead, they use the user’s and the device’s motion to hide their activity. Anubis, a sandbox-evading malware, has a built-in keylogger that can steal a user’s account credentials simply by logging keystrokes. The malware can also take screenshots of the infected user’s screen, which is another way to capture the victim’s credentials.
Sandbox-evading malware is a newer class of malware that can recognize when it is running inside a sandbox or virtual machine environment. Such malware does not execute its malicious code until it is outside the controlled environment.
As a user moves, their device usually generates some amount of motion sensor data. The malicious app monitors the user’s steps through the device motion sensor. “If it [the app] senses that the user and the device are not moving, then the malicious code will not run. If the malicious code runs, then the app will try to trick the users into downloading and installing its payload APK with a fake system update,” the security company noted.
Trend Micro says that the latest version of Anubis has been distributed to 93 different countries and targets the users of 377 variations of financial apps to farm account details. If Anubis runs successfully, an attacker can gain access to contact lists and location, record audio, send SMS messages, make calls, and alter external storage. Anubis can also send spam messages to contacts, call numbers from the device, and even function as ransomware.