Malware Evades Detection One Step at a Time

Written by

Malicious code was lurking about in two different apps within the Google Play store, according to researchers at Trend Micro who have disclosed that they discovered a banking Trojan in what seemed like legitimate apps.

Both the currency converter and the battery-saving app have been removed from Google Play, but not before they were downloaded thousands of times. The battery app, BatterySaverMobi, even had 73 reviews resulting in a 4.5 star rating, making it appear all the more legitimate.

“We looked into this campaign and found that the apps dropped a malicious payload that we can safely link to the known banking malware Anubis (detected by Trend Micro as ANDROIDOS_ANUBISDROPPER ). Upon analysis of the payload, we noted that the code is strikingly similar to known Anubis samples. And we also saw that it connects to a command and control (C&C) server with the domain aserogeege.space, which is linked to Anubis as well,” researchers wrote.

The apps were reportedly able to evade detection by using the device's motion sensor data.

The malware authors assume that the device is scanning for malware, so they created an emulator with no motion sensors that monitors the user’s steps so that they check for sensor data to determine whether the app is running in a sandbox environment. If it is, the malicious code does not run.

If it does run, though, the user receives a fraudulent prompt, alerting them that a system update is available.

“Here’s more proof that criminals are following users to mobile devices and investing more time and effort in attempting to exploit them. As hard as organizations might work to secure their customers’ mobile experiences, attackers work just as hard to innovate and find ways to take advantage,” said Sam Bakken, senior product marketing manager, OneSpan.

“This is why it’s imperative to give app developers a leg up with one-stop mobile app security tools that allow them to build security into mobile apps from the start, which will save them time and effort and save financial institutions and other purveyors of high-value mobile services money in terms of reduced fraud and maintaining consumer trust in their brand. In addition, meeting attackers’ innovations with mobile app security innovations such as App Shielding – which proactively detects and defends against a variety of nefarious activities executed by mobile banking Trojans such as this one – is another step in the right direction for what will be an ongoing battle.”

What’s hot on Infosecurity Magazine?