Security researchers from Threatfabric uncovered four different Android banking Trojans distributed via the Google Play Store between August and November 2021. The Trojans reportedly made over 300,000 infections via different kinds of dropper apps disguised as legitimate smartphone applications.
The four Android banking Trojans include:
- Anatsa (also known as TeaBot)
Threatfabric analysts identified several droppers hosted on Google Play that were designed specifically to distribute the Anatsa banking Trojan, which has advanced RAT (remote access) and semi-ATS (automated transfer system) capabilities. The Anatsa Trojan can perform classic overlay attacks to steal credentials, as well as accessibility logging and keylogging. The researchers also found multiple malware strains dropped by the Brunhilda threat actor group, derived from Hydra and ERMAC.
The list of malicious dropper apps includes:
- Two Factor Authenticator (com.flowdivison)
- Protection Guard (com.protectionguard.app)
- QR CreatorScanner (com.ready.qrscanner.mix)
- Master Scanner Live (com.multifuction.combine.qr)
- QR Scanner 2021 (com.qr.code.generate)
- QR Scanner (com.qr.barqr.scangen)
- PDF Document Scanner – Scan to PDF (com.xaviermuches.docscannerpro2)
- PDF Document Scanner Free (com.doscanner.mobile)
- CryptoTracker (cryptolistapp.app.com.cryptotracker)
- Gym and Fitness Trainer (com.gym.trainer.jeux)
These dropper apps have a small malicious footprint, which makes them difficult for traditional security scans and detection tools to flag. “To make themselves even more difficult to detect, the actors behind these dropper apps only manually activate the installation of the banking trojan on an infected device in case they desire more victims in a specific region of the world. This makes automated detection a much harder strategy to adopt by any organization,” the researchers said.
Rise of Android Trojans
In a similar discovery, security researchers from Doctor Web uncovered a new Trojan that has infected over 9.3 million Android devices. The Trojan, dubbed “Android.Cynos.7.origin,” is a new kind of malware that disguises itself as various mobile games on Huawei’s AppGallery marketplace. Android.Cynos.7.origin steals information from a victim’s device, such as contact details, and displays unwanted ads. The researchers suspect that the Trojan is a modified version of the Cynos malware.