Banking trojan-slingers slip past Google Play's malware defences

BankBot nestled within allegedly 'fun' mobile game

By John Leyden

Posted in Security, 23rd August 2017 13:34 GMT

Security researchers have uncovered an Android banking malware hiding on Google Play using stealthy new tactics.

A game called "Bubble Shooter Wild Life" and an app named "Earn Real Money Gift Cards" in the Google Play Store are actually designed to drop banking malware named BankBot. "The malware only becomes active when the actors decide to drop the real trojan on the victim's device and therefore bypassing Google's internal malware scanner named Bouncer," Han Sahin, co-founder of Securify, told El Reg.

Separate research from Zscaler supports Securify's discovery. The apps are capable of abusing Android's accessibility permissions to download additional programs without the user's knowledge.

"The malicious apps have been able to conceal themselves by hiding on Google Play and leveraging techniques like time delays and code obfuscation. At this point, the apps are fairly new to the Play store with fewer than 5,000 downloads. However, there is a concern around the increase in availability of dubious apps online," Zscaler warns.

El Reg asked Google to comment on the incident, in particular the suggestion that crooks had figured out a way to smuggle malicious code past its security controls, but has not yet received a response.

The latest Android security kerfuffle highlights the need for consumers to be careful about downloading applications, even if they come from the official Google store.

App alerts generated by Google can sometimes be wrong. For example, last weekend Google Play began flagging a preinstalled system app on OnePlus phones as malicious. "GPIO Switch" generated an apparently false alert. In a response to a thread on its forum, OnePlus said it was chasing the issue. Since the snafu related to a system app, users would be unable to manually uninstall it, even if they wanted to.

El Reg has queried both organisations but we're yet to hear back. We'll update this story as and when more information comes to light. ®
