Twelve infected apps, listed as normal on the Play Store and downloaded more than 300,000 times. This is what security researchers from the ThreatFabric group have found. The good news is that Google has already stepped in to fix the problem.
What makes the apps particularly insidious is above all the mechanism chosen to deliver the Trojan: the applications are originally fully functional and clean, since the malware is not present in the code but is downloaded later.
The apps were uploaded “clean” to the Play Store and then infected later
After a few days of use, the app itself prompts the user to download updates in order to keep using it. During this update phase, the Trojan was downloaded; its aim was to steal passwords, PINs and authentication codes for bank accounts.
In some cases the attacks were so selective that the malware was installed, again through the bogus update mechanism, only on the smartphones of users in certain geographic areas, leaving out those in areas not considered interesting.
“This incredible focus on avoiding unwanted attention makes automated malware detection much more difficult,” declared one of the researchers. “Even analyzing the APK with VirusTotal did not detect anything abnormal.”
Two fitness apps had more than 300,000 downloads
The malware installed by these applications is called Anatsa and, among other functions, provides remote access and automated sending of files from the victim’s smartphone.
In addition, other malware families such as Alien, Hydra, Ermac and Gymdrop, all of the same type as Anatsa, were detected. All of them used the fake update mechanism.
So far, researchers have discovered twelve infected apps that Google has already removed. Specifically, they are called Two Factor Authenticator, Protection Guard, QR CreatorScanner, Master Scanner Live, QR Scanner 2021, QR Scanner, PDF Document Scanner – Scan to PDF, PDF Document Scanner, PDF Document Scanner Free and CryptoTracker.
The bulk of the downloads, however, involved two fitness apps, both called Gym and Fitness Trainer. In this case it was easy to gain users’ trust by asking them to download new exercises. The total download count exceeds 300 thousand even though, as we have seen, not every download led to the activation of the Trojan.
Although the security researchers have no reliable data, it is very likely that, given the attackers’ particular modus operandi, infected apps of this type are still circulating.
The advice they provide is to be very cautious about downloading an app, especially if its number of downloads is low, and to rely on well-known solutions as much as possible.