Banking trojan-slingers slip past Google Play's malware defences
BankBot nestled within allegedly 'fun' mobile game
Posted in Security, 23rd August 2017 13:34 GMT
Security researchers have uncovered an Android banking malware hiding on Google Play using stealthy new tactics.
A game called "Bubble Shooter Wild Life" and an app named "Earn Real Money Gift Cards" in the Google Play Store are actually designed to drop banking malware named BankBot. "The malware only becomes active when the actors decide to drop the real trojan on the victim's device and therefore bypassing Google's internal malware scanner named Bouncer," Han Sahin, co-founder of Securify, told El Reg.
Separate research from Zscaler supports Securify's discovery. The apps are capable of abusing Android's accessibility permissions to download additional programs without the user's knowledge.
"The malicious apps have been able to conceal themselves by hiding on Google Play and leveraging techniques like time delays and code obfuscation. At this point, the apps are fairly new to the Play store with fewer than 5,000 downloads. However, there is a concern around the increase in availability of dubious apps online," Zscaler warns.
El Reg asked Google to comment on the incident, in particular the suggestion that crooks had figured out a way to smuggle malicious code past its security controls, but has not yet received a response.
The latest Android security kerfuffle highlights the need for consumers to be careful about downloading applications, even if they come from the official Google store.
App alerts generated by Google can sometimes be wrong. For example, last weekend Google Play started flagging a preinstalled system app on OnePlus phones as malicious. "GPIO Switch" generated an apparently false alert. In a response to a thread on its forum, OnePlus said it was chasing the issue. Since the snafu related to a system app, users would be unable to manually uninstall it, even if they wanted to.
El Reg has queried both organisations but we're yet to hear back. We'll update this story as and when more information comes to light. ®