Android Banking Trojans Now Found in Trusted Apps on Google Play


If you use a banking app on an Android device, you need to be especially careful of a new type of attack that is causing concern in the cybersecurity community. The concern comes from the fact that this banking malware hides inside harmless apps and, what’s worse, these apps have been turning up on Google Play. In other words, downloading something as simple as a flashlight can download a banking trojan.

This banking malware will steal your login information by presenting a page that looks identical to your normal banking login page. It can do this in two ways. When the app is downloaded, you will get the usual permissions interface. If you simply allow all permissions you may give administrative rights to the app. This means that whoever controls the app also controls your device. The malware will scan your device for any banking apps loaded on it and prepare a fake login page for you to see when you try to log into your account. Of course, logging in will give your information to the criminals who will then use it to do whatever it is they want to do.

The other method allows you to log into your account first and, then, out of nowhere, gives you a screen asking you to log in again. It’s the same login screen because the criminals have captured it. However, logging in this time takes you to an unrelated page. You may think something was wrong with your browser and you then go back and login as usual and nothing is wrong. All your funds are there as they should be. Right, but maybe not for long. The criminal has all your data and can use it when they need it. Of course, this attack doesn’t necessarily have to attack banks, it’s just that that’s where the money is. They could just as easily use the same technique to get into your Gmail or  Facebook accounts.

I know what you’re thinking. This can’t happen if you have Two Factor Authentication (2FA). Wrong. All forms of  2FA have been circumvented. Let me give you an example. You log into your banking site and are supposed to receive a SMS message with a code that you can use to authenticate your login. However, the criminal who has control of your device mutes the SMS arrival signal and intercepts the SMS message. Now, they have the code. They can even have the device request a new code which you, the victim, will interpret as the original code. Unfortunately, you will be unable to use this code.

The name of the newest trojan behind these attacks is called, BankBot; however, there are a number of new variations on this idea appearing with a number of different names. As the name implies, the BankBot trojan targets banks, as of this writing, almost 500 of them. To find out if your bank is being targeted, go to this page and use your browser’s “Find on Page” function with your bank’s name or abbreviation (i.e. db = Deutsche Bank) to see if it is being targeted through Android apps on Google Play. A word of caution here. As of this writing, most of the targeted banks are in Europe or Asia. However, since this malware is spreading so rapidly in many variations, it is only a matter of time before it is found in the U.S. Your bank may not be listed now, but be vigilant because it will be.

The big problem is that the malware is using a trusted site, Google Play, with trusted apps. It is able to bypass, or at least delay, Google Play algorithms from detecting any problem with the app by using a variety of obfuscation techniques. The malware designers figure their malware will eventually be detected and the app removed from Google Play, but if they can get the app downloaded by enough people, they can consider the attack a success. Remember that if they are able to gain administrative rights over a device, they can spread the malware in more traditional ways, such as by sending fake files/links to your contacts through phishing emails or social media messages. To put it bluntly, this attack vector is positioning itself to be one of the biggest malware events of 2017.

As if to underline this point, it has just been reported by Check Point that at least two million Google Play-based downloads of malware-infected apps have been detected since November of last year. “The apps were uploaded to the app store as early as November 2016, meaning they hid successfully for five months, accumulating an astounding number of downloads.” This happened despite the fact that Google, once alerted to the problem, removed the infected apps. The researchers were focusing only on one type of malware that infects guides to games such as FIFA, Pokemon GO, Shadow Fight, and Hungry Shark World. The malware appears to be using Google Play as a way to set up a botnet. This particular malware has been mostly used to distribute adware, however, it could be tweaked to do far more.

For the past week or so, I’ve been following the continuing discovery of BankBot offspring and other banker malware showing up on Google Play apps. Recently, the target has been Flash Player updates and even Google Play updates.

flash player bank

google update bank(From Koodous)

It is not just a whack-a-mole approach that Google must use in combatting this malware, it is more a Hydra-like whack-a-mole; when one app is removed two more, often with slightly different code, appear. The reason for this proliferation is due to the fact that the malware is available at a low cost (or even free) on deep web and other sites and that it is relatively easy to implement. So rapid is this proliferation that some of the malware has not even been named yet.

BankBot malware may appear in many variations and may even be given different names, but they all use similar attack vectors. Although most use the overlay trick of presenting victims with fake login screens, these screens are used in different ways. Some will lock the screen while criminals wipe out the victims account. Some will present various error messages to delay the victim. Others come with no hard-coded login pages but will search the victim’s device for various apps and prepare for the attack by downloading the login page associated with the app. They will present a fake login page at the appropriate time. One form of banking malware, Trojan.Android/Charger.B, will even take a picture of the victim through the infected device’s camera and send it to the attackers. All of this functionality will be hidden in normal apps that maintain their functionality.

Is there any way to tell in advance if an app on Google Play is infected? That’s difficult. If, however, the reviews seem to point to something suspicious, it is better not to download the app. Look at this review for one banking app.

“Ever since latest update I been having issues with even getting logged in. It comes up saying sorry temporarily delays try again later! It never did this before the last update? Please fix so it can be a great app again! Thanks”.

 Sure, this is one person’s bad experience, but if there are more of these, it would make me nervous.

 The main advice I would give is to be very careful about giving any app administrative privileges. Once you do this, the criminals have complete control of your device and will stop you from uninstalling the malware. If you try to deactivate the administrative rights given to the app, you will only get a popup screen that won’t go away unless you activate administrative rights again. It may, in some cases, be possible to deactivate the rights in safe mode. If you don’t know how to do this, see this post.

Some banking trojans install keyloggers so if your bank offers mouse-controlled numeric keypads for entering credentials, use them. Of course, this won’t work with malware that can ‘see’ your screen. Look for any changes in login screen design, any unusual messages, or unrequested login or logout screens. Yes, you will be, and should be, somewhat paranoid but better safe than bankrupt. Antivirus software is always being updated to look for such malware so make sure it is updated on your device and use it to scan frequently, especially after something unusual seems to happen.

Also keep in mind that these Android banking trojans can steal login credentials from other sites as well. I have seen Skype, PayPal, and even antivirus updates targeted. If you are really worried, you can go analog. That is, you can take the radical action of actually walking into your local bank, as crazy as that sounds.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s