Researchers said they’ve discovered a batch of apps downloaded from Google Play more than 300,000 times before the apps were revealed to be banking trojans that surreptitiously siphoned user passwords and two-factor authentication codes, logged keystrokes, and took screenshots.
The apps—posing as QR scanners, PDF scanners, and cryptocurrency wallets—belonged to four separate Android malware families that were distributed over four months. They used several tricks to sidestep the restrictions Google uses to fight the unending distribution of fraudulent apps in its official marketplace. After an app was installed, users received messages instructing them to download updates that installed additional features. The apps often required these updates to be downloaded from third-party sources, but by then, many users had come to trust them. Most of the apps initially had zero detections by the malware checkers available on VirusTotal.
The apps also flew under the radar by using other mechanisms. In many cases, the malware operators manually installed malicious updates only after checking the geographic location of the infected phone, or they updated phones incrementally. Anatsa, one of the four families, infects devices like this: once the app has been installed from Google Play, the user is forced to update it in order to continue using it. At that point, the trojan payload is downloaded from the malicious server(s) and installed on the device of the unsuspecting victim. Anatsa offers a variety of capabilities, including remote access and automatic transfer systems, which automatically empty victims’ accounts and send the contents to accounts belonging to the malware operators.
The best advice for staying safe from malicious Android apps is to be extremely sparing in installing them. And if you haven’t used an app for a while, uninstalling it is a good idea.
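One practical check that follows from the infection flow above: the trojans entered as Play Store installs but pulled their real payload from third-party sources, so an app whose installer of record is not Google Play deserves a second look. The script below is an added example, not code from the article or from the researchers; it parses the output of `adb shell pm list packages -i` (the sample input here is constructed) and flags non-system packages that were not installed by the Play Store.

```python
"""Triage an Android package list for apps not installed via Google Play.

Added example (not from the article): the banking trojans described above
were installed from Google Play but then pushed "updates" from third-party
sources. Listing each package's installer is a cheap way to spot apps that
were sideloaded or manually installed from an APK.
Input format is that of `adb shell pm list packages -i`; the sample is constructed.
"""
import re

PLAY_STORE = "com.android.vending"
KNOWN_INSTALLERS = {
    "com.android.vending": "Google Play",
    "com.google.android.packageinstaller": "manual APK install",
    "null": "adb / unknown",
}

LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


def parse_pm_list(text):
    """Return {package_name: installer} parsed from `pm list packages -i` output."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            result[m.group("pkg")] = m.group("inst")
    return result


def flag_sideloaded(packages, system_prefixes=("com.android.", "com.google.android.")):
    """Return (package, installer description) for non-system apps not installed by Play."""
    flagged = []
    for pkg, inst in sorted(packages.items()):
        if pkg.startswith(system_prefixes):
            continue  # system components are never Play installs; skip them
        if inst != PLAY_STORE:
            flagged.append((pkg, KNOWN_INSTALLERS.get(inst, inst)))
    return flagged


# Constructed sample output; package names are placeholders, not real apps.
SAMPLE = """package:com.android.settings  installer=null
package:com.example.qrscanner  installer=com.android.vending
package:com.example.pdfreader  installer=com.google.android.packageinstaller
package:com.example.wallet  installer=null
"""

if __name__ == "__main__":
    for pkg, source in flag_sideloaded(parse_pm_list(SAMPLE)):
        print(f"{pkg}: installed via {source}")
```

On a real device, pipe `adb shell pm list packages -i` into `parse_pm_list`; a flagged app is a prompt to verify it, not proof of infection.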
Frankenstein Computers has been taking care of our happy clients since 1999. We specialize in IT Support, Cyber Security, IT Service, IT Security, MAC repair, PC Repair, Virus Removal, and much more. Give us a call for remote support or drop in to drop off.
This article was originally posted on ArsTechnica.