Hackers Turn off Google Play Protect to Install Banking Malware

When you get a new Android phone, you get a pre-installed version of Google Play Protect. From a cybersecurity viewpoint, that’s good. You want as many barriers between you and cyber criminals as you can get. By default, Google Play Protect is always active.

In principle, Play Protect checks any app you download from the Google Play Store to see if it is free of malware, because no matter how hard Google tries to keep malicious actors from uploading dangerous apps to the store, bad apps always manage to get in and are lying in wait for the unsuspecting. Play Protect also checks apps you may get from other sites on the internet. It will scan these apps to see if they contain more than they say they do. In fact, from time to time, Play Protect will check all the apps you have downloaded. If Play Protect finds something questionable in the app, it will warn you or not allow you to download the app at all. Of course, it sometimes happens that you really want a certain app but can’t get past Play Protect. In this case, you have the option of turning Play Protect off.

On the surface, having Play Protect seems to be a good idea, but there have been problems. In July, it was tested against other security software and it did not perform well. Whereas other anti-malware software detected all the bad apps in the 20,000 that were presented, Play Protect only detected two-thirds of them, and in the cybersecurity world, that simply isn’t good enough.

Another problem for Google Play Protect was that it falsely flagged good apps as bad apps. It did this for 70 of the harmless apps presented. This was far worse than any other anti-malware tested; the next worst only falsely flagged a few apps. Play Protect received an “insufficient” rating overall. Such data may make a user consider turning off Play Protect, which really wouldn’t be a good idea. It does show, however, that Google Play Protect may have some serious problems that may end in a user’s lack of trust.

The sad fact is that it may be better to keep Play Protect turned on even if it gives false positives or prevents the download of certain apps you feel are safe. In those instances, you can temporarily turn off Play Protect and then turn it back on. Not having Play Protect active is a hacker’s dream. Most bad apps need a route onto your device and having Play Protect turned off is one less obstacle towards this end.

That’s what makes a new attack vector, named Anubis, so successful. The goal of this banking malware is to create a legitimate-looking app that, when downloaded and installed, will turn off Play Protect. Currently, the attack appears to be confined to Europe, but, to me, this is only because the attackers may be testing its effectiveness and fine-tuning it for bigger attacks down the line. It will not be long before it spreads to the U.S.

The attack begins by getting the victim to download an app that looks legitimate. Often, it will have the identical icon as a well-known app. As is the case with all apps, it will ask for permissions. This is where most victims drop the ball. They simply don’t have time to look through and analyze all of the permissions or they simply don’t understand which ones are necessary. It’s not always easy to know which permissions are required to allow an app to work properly. Criminals know all this. So, into the permissions mix, they ask if they can use accessibility services. Few people know what this entails. In theory it helps people with certain disabilities. In the wrong hands, such permission will allow a criminal to take control of much of your device, and that’s exactly what Anubis does. As soon as it gets the accessibility OK, it uses your device to secretly communicate with a remote controller. The malware looks through your device and sends all the information it can glean to those who will use it to eventually take over your bank account. In addition to sending information to the hackers, your device will also secretly receive more malware to install.
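The permission pattern described above (an app whose stated purpose does not call for accessibility access, yet which declares an accessibility service alongside overlay, package-install or SMS permissions) is something a defender can check statically before an app ever reaches a device. The script below is an added example, not code from the original post or from Lookout: it parses a constructed AndroidManifest.xml (the package name, service name and label are invented) and reports the risky combination. The permission and action names are real Android identifiers; the scoring thresholds are this example's own assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # namespace prefix for android:* attributes

# Real Android identifiers that matter for the Anubis-style pattern:
# an accessibility service plus overlays, package installs or SMS access.
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"
RISKY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw overlays on top of other apps (login-page overlay)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can prompt the user to install further packages",
    "android.permission.READ_SMS": "can read SMS, including one-time codes",
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS",
}

# Constructed sample: a 'calculator' that also ships an accessibility service.
# Package and class names are invented for this example.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakecalc">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application android:label="Calculator">
        <service android:name=".HelperService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed benign counterpart for comparison.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.realcalc">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Calculator"/>
</manifest>
"""


def parse_manifest(xml_text):
    """Return (set of requested permissions, list of accessibility service names)."""
    root = ET.fromstring(xml_text)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    a11y = []
    for svc in root.iter("service"):
        # A service becomes an accessibility service either by being guarded with
        # BIND_ACCESSIBILITY_SERVICE or by filtering on the AccessibilityService action.
        guarded = svc.get(A + "permission") == BIND_A11Y
        filtered = any(act.get(A + "name") == A11Y_ACTION for act in svc.iter("action"))
        if guarded or filtered:
            a11y.append(svc.get(A + "name"))
    return perms, a11y


def triage(xml_text):
    """Flag the accessibility + overlay/install/SMS combination and rate it."""
    perms, a11y = parse_manifest(xml_text)
    risky = sorted(p for p in perms if p in RISKY_PERMISSIONS)
    findings = [f"{p}: {RISKY_PERMISSIONS[p]}" for p in risky]
    if a11y:
        findings.append("declares accessibility service(s): " + ", ".join(a11y))
    # Assumed scoring: accessibility alone is 'medium'; accessibility combined with
    # any overlay/install/SMS capability is 'high'; otherwise 'low'.
    if a11y and risky:
        verdict = "high"
    elif a11y or risky:
        verdict = "medium"
    else:
        verdict = "low"
    return {"accessibility_services": a11y, "risky_permissions": risky,
            "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for name, text in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage(text)
        print(name, "->", result["verdict"])
        for line in result["findings"]:
            print("  -", line)
```

Run against a real APK's decoded manifest (for example, from apktool output), the same function gives a first-pass answer to the question the paragraph raises: does this app's declared capability match what it claims to be?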

It’s at this point that Google Play Protect can become a problem for the criminals. It may detect some of the malware being secretly installed and inform the user that something’s up. So, to get around this roadblock, the attackers give the victim a message that looks something like the following.

If the user agrees, Google Play Protect is no longer a problem for the criminals.

With that problem solved, the attackers’ malware targets certain apps that are mostly connected to banking or cryptocurrency. When the victim launches one of these apps, the malware kicks in and launches an overlay attack which looks the same as, for example, the login page for a bank transaction. Here is an example from the Lookout report.

Keep in mind that this is only one example. At last count, at least 400 apps have been targeted by this malware.

The malware seems to be at the testing stage for the moment, even though it is already doing damage. This is credential-stealing malware, which means it can be leveraged to do far more than just steal bank logins. As the report states, “While it’s primarily used as a banking trojan, its credential-stealing capabilities put any login information at risk. This could include employee logins that get swiped when the user tries to access cloud-based apps like Google Drive or Microsoft Office 365 from their mobile devices.” In other words, Anubis can be used to gain access to important corporate data, which could be stolen and encrypted to launch a ransomware attack. This means that any vulnerable Android device associated with an enterprise can be used as an entry point. To find out how to protect your network endpoints with state-of-the-art technology, go here.

The bad news, the very bad news, is that Anubis is available online for free. Would-be hackers who are not tech-savvy can pay a fee and buy a package which includes support from more experienced hackers. Once the current kinks in the malware are ironed out and better attack vectors are developed, expect the worst.
