Banking trojan-slingers slip past Google Play's malware defences

BankBot nestled within allegedly 'fun' mobile game

By John Leyden


Security researchers have uncovered an Android banking malware hiding on Google Play using stealthy new tactics.

A game called "Bubble Shooter Wild Life" and an app named "Earn Real Money Gift Cards" in the Google Play Store are actually designed to drop banking malware named BankBot. "The malware only becomes active when the actors decide to drop the real trojan on the victim's device and therefore bypassing Google's internal malware scanner named Bouncer," Han Sahin, co-founder of Securify, told El Reg.

Separate research from Zscaler supports Securify's discovery. The apps are capable of abusing Android's accessibility permissions to download additional programs without the user's knowledge.

"The malicious apps have been able to conceal themselves by hiding on Google Play and leveraging techniques like time delays and code obfuscation. At this point, the apps are fairly new to the Play store with fewer than 5,000 downloads. However, there is a concern around the increase in availability of dubious apps online," Zscaler warns.

El Reg asked Google to comment on the incident, in particular the suggestion that crooks had figured out a way to smuggle malicious code past its security controls, but has not yet received a response.

The latest Android security kerfuffle highlights the need for consumers to be careful about downloading applications, even if they come from the official Google store.

App alerts generated by Google can sometimes be wrong. For example, last weekend Google Play began flagging a preinstalled system app on OnePlus phones as malicious: "GPIO Switch" generated an apparently false alert. In a response to a thread on its forum, OnePlus said it was chasing the issue. Since the snafu related to a system app, users would be unable to uninstall it manually, even if they wanted to.

El Reg has queried both organisations but we're yet to hear back. We'll update this story as and when more information comes to light. ®
