DecryptedTech

Tuesday05 July 2022

The State of Banking and Financial Malware on Google’s Play Store is Just Bad


Reading time is around minutes.

It looks like there has been another round of malware identified on the Google Play sore and, you guessed it, the majority is focused on banks and other financial institutions. The combination of apps found totals around 515,000 downloads. 500,000 of these downloads are being attributed to a new trojan dubbed Octo and appears to be distributed via fake apps uploaded to the Google Play store.

Octo, according to current research, is related to ExobotCompact which is a lite version of Exobot. It could represent a simple rebranding or an attempt to evolve a new strain from the former. Like most malware pushed via the Google Play app store, Octo uses apps that appear useful on the surface. These are mostly screen capture and security/performance tools, but there are a few that appear to be fake versions of the play store itself. The developers behind Octo push their wares using links to the play store and fake pages that scare the user into downloading an update. These tactics are also common on the desk/laptops although there are more sophisticated tools to detect and stop malicious pages and downloaders apps like the ones used by Octo.

Once the downloader is safely installed on the device it urges the user to grant it permissions to do its job. As with many Android focused malware, the permission are to the device owning Accessibility Services. Once a user has granted that permission, the malware goes to work logging keystrokes, capturing screenshots, performing overlay attacks, initiating and confirming fraudulent transaction, capturing credentials and contacts, you know the thing.

Octo is not the only nasty surprise in the Play Store though as it also seems that SharkBot has made a minor return with several fake anti-malware apps found in the store that act as downloaders for the credential stealing malware. SharkBot, like Octo and others, also takes advantage of the Accessibility Services in Android to do it job. SharkBot is a bit different though as it also takes advantage of the message replay feature to send out additional phishing messages to contacts found on an infected devices as an additional form of distribution (after all sharing is caring).

Google has a true issue on their hands as more and more malware is found targeting their Accessibility Services and there is no real answer to the threat at this stage. Google is working on one and have taken steps to help reduce the chance of malicious apps making it into the store, but those are not fully in place, and they are also not comprehensive enough to truly prevent the threat. In fact, the group AppCensus found 11 apps with more than 46 million installations that contained the Coelib SDK that allows for concerning data collection about the device. The data collected include clipboard, Location data, phone numbers, and connected network information (SSIDs, MAC addresses etc.).

The fix for these items is increased awareness on the part of users, check the permissions of apps you are installing, better controls and gates for the play store from Google, and an increased focus on next gen anti-malware solutions for mobile devices in the consumer market. The lack of a good anti-malware solution is more than a bit surprising since the mobile devices represents the largest BYOD footprint at the company level and given how prevalent credential stealing malware is, this simply should not be the case.

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.