"In the last few days, our Mobile Threat Labs team at Avast discovered a Cerberus banking Trojan on Google Play that was targeting Android users in Spain. As is common with banking malware, Cerberus, disguised itself as a genuine app in order to access the banking details of unsuspecting users. What’s not so common is that a banking Trojan managed to sneak onto the Google Play Store. The ‘genuine’ app in this case, posed as a Spanish currency converter called “Calculadora de Moneda”. According to our research, hid its malicious intentions for the first few weeks while being available on the store. This was possibly to stealthily acquire users before starting any malicious activities, which could have grabbed the attention of malware researchers or Google’s Play Protect team. As a result, the app has been downloaded more than 10,000 times so far. We reported it to Google, so they can quickly remove it.
Banking Trojan apps operate in a stealth manner in order to gain the trust of users and steal their banking data. There are a number of stages to this process. The first stage involves delivering an app, which usually appears to act normally and perhaps even offers some degree of useful functionality to users who have downloaded it. This is to gain their trust and to ensure they are comfortable keeping the app on their phones. At this point, the 'Calculadora de Moneda' app did not steal any data or cause any harm. From the research that Threat Labs has carried out, this is exactly what happened when users first began to download the currency converter app in March of this year.
In this instance, this benign app became what’s known as a ‘dropper’ at a later stage. Droppers are malicious apps that silently download another app onto a device without the user’s knowledge. Later versions of the currency converter included a ‘dropper code’ but it still wasn’t activated initially, i.e. the command and control server (C&C) instructing the app wasn’t issuing any commands and so users wouldn’t see and download the malware. However in the last couple of days, Threat Labs noticed that a ‘command and control server’ issued a new command to download the additional malicious Android Application Package (APK) - the banker. " Ondrej David wrote in his blog post.
No comments:
Post a Comment