Banking trojan-slingers slip past Google Play's malware defences

BankBot nestled within allegedly 'fun' mobile game

By John Leyden


Security researchers have uncovered an Android banking malware hiding on Google Play using stealthy new tactics.

A game called "Bubble Shooter Wild Life" and an app named "Earn Real Money Gift Cards" in the Google Play Store are actually designed to drop banking malware named BankBot. "The malware only becomes active when the actors decide to drop the real trojan on the victim's device and therefore bypassing Google's internal malware scanner named Bouncer," Han Sahin, co-founder of Securify, told El Reg.

Separate research from Zscaler supports Securify's discovery. The apps are capable of abusing Android's accessibility permissions to download additional programs without the user's knowledge.

"The malicious apps have been able to conceal themselves by hiding on Google Play and leveraging techniques like time delays and code obfuscation. At this point, the apps are fairly new to the Play store with fewer than 5,000 downloads. However, there is a concern around the increase in availability of dubious apps online," Zscaler warns.

El Reg asked Google to comment on the incident, in particular the suggestion that crooks had figured out a way to smuggle malicious code past its security controls, but have not yet received a response.

The latest Android security kerfuffle highlights the need for consumers to be careful about downloading applications, even if they come from the official Google store.

App alerts generated by Google can sometimes be wrong. For example, last weekend OnePlus phones started having Google Play flag a preinstalled system app as malicious. "GPIO Switch" generated an apparently false alert. In a response to a thread on its forum, OnePlus said it was chasing the issue. Since the snafu related to a system app, users would be unable to manually uninstall it, even if they wanted to.

El Reg has queried both organisations but we're yet to hear back. We'll update this story as and when more information comes to light. ®
