Four Android banking Trojans infected more than 300,000 devices in 2021

Four Android banking Trojans infected more than 300,000 devices in 2021
San Francisco, Dec. 2, 2021
Between August and November 2021, four different Android banking Trojans infected more than 300,000 devices . In doing so, they used multiple dropper apps that posed as harmless utilities to then take full control of the infected devices.
According to cybersecurity firm ThreatFabric, the malware campaigns designed to spread Anatsa (also known as TeaBot), Alien, ERMAC and Hydra are not only more sophisticated, but also designed to leave only a small malicious footprint by ensuring that the payloads are only installed on smartphones from specific regions and preventing the malware from being downloaded during the release process.
Once installed, these banking Trojans can secretly intercept passwords and SMS-based two-factor authentication codes, keystrokes, screenshots, and even empty users‘ bank accounts without their knowledge using a tool called Automatic Transfer System (ATS). The apps have since been removed from the Play Store.

The list of malicious dropper apps:
– Two-Factor Authenticator (com.flowdivison).
– Protection Guard (com.protectionguard.app)
– QR CreatorScanner (com.ready.qrscanner.mix)
– Master Scanner Live (com.multifuction.combine.qr)
– QR Scanner 2021 (com.qr.code.generate)
– QR Scanner (com.qr.barqr.scangen)
– PDF document scanner – scan to PDF (com.xaviermuches.docscannerpro2)
– PDF document scanner free (com.doscanner.mobile – cryptoTracker (cryptolistapp.app.com.cryptotracker)
– Gym and Fitness Trainer (com.gym.trainer.jeux).

While Google introduced restrictions earlier this month to limit the use and access permissions that allow malicious apps to intercept sensitive information from Android devices, the operators of such apps are increasingly refining their tactics by other means, even if they are forced to take the more traditional route of installing apps through the app marketplace.
The most important of these techniques is so-called versioning, where clean versions of the apps are uploaded first and the malicious features are introduced gradually in the form of subsequent app updates. Another tactic involves designing similar-looking command-and-control (C2) websites that match the dropper app’s theme to evade traditional detection methods.
ThreatFabric detected six Anatsa droppers in the Play Store since June 2021. The apps are programmed to download an „update“ followed by a request for users to grant the dropper access rights and permission to install apps from unknown third-party sources.
Brunhilda, a threat actor discovered in July 2021 spreading a remote-access Trojan called Vultur, used Trojanized apps posing as QR code creation apps to spread Hydra and ERMAC malware targeting users in the U.S., a market not previously targeted by the two malware families.
Finally, a fitness workout dropper app with over 10,000 installs was found under the name GymDrop, which disguised the alien banking Trojan as a „new pack of workout exercises,“ while the supposedly legitimate developer website also served as a C2 server to retrieve the configuration needed to download the malware.
„To make their detection more difficult, the actors behind these dropper apps manually activate the installation of the banking Trojan on an infected device only when they are looking for more victims in a specific region of the world,“ the researchers said. „This makes automated detection much more difficult for any organization.“