Between August and November 2021, four different Android Trojans spread through the official Google Play Store, resulting in the infection of more than 300,000 apps, masquerading as seemingly harmless utility apps to take full control of the infected device of.
Designed to provide Anatsa (aka TeaBot), Alien, ERMAC and Hydracyber securityCompany ThreatFabric said that these malware campaigns are not only more sophisticated, but also designed to have a smaller malicious footprint, effectively ensuring that the payload is only installed on smartphone devices and that it comes from being downloaded during the distribution process.
Once installed, these Trojans can use a tool called the Automated Transfer System (ATS) to secretly steal user passwords without the user's knowledge, and can even steal SMS-based two-factor authentication codes, keystrokes, and screens. Screenshots until the user's bank account is drained. These apps have now been removed from the Play Store.
The list of malicious applications is as follows:
- Two-factor authenticator (com.flowdivison)
- Protection Guard (com.protectionguard.app)
- QR CreatorScanner (com.ready.qrscanner.mix)
- Master Scanner Live (com.multifuction.combine.qr)
- QR Code Scanner 2021 (com.qr.code.generate)
- QR Scanner (com.qr.barqr.scangen)
- PDF Document Scanner – Scan to PDF (com.xaviermuches.docscannerpro2)
- Free PDF document scanner (com.doscanner.mobile)
- CryptoTracker (cryptolistapp.app.com.cryptotracker)
- Gym and fitness trainer (com.gym.trainer.jeux)
Earlier this month, Google restricted the use of accessibility permissions, but operators of such apps are increasingly improving their strategies in other ways, even if they are forced to opt for more traditional methods (via Apps installed in App Market) can also use malicious apps to capture sensitive information from Android devices.
Chief among these is a technique called versioning, in which a clean version of an application is uploaded first and then malicious functionality is gradually introduced in the form of subsequent application updates. Another tactic is to design a look-alike command and control (C2) website that matches the theme of the dropper application in order to bypass traditional detection methods.
Since June 2021, ThreatFabric has discovered six Anatsa implants in the Play Store that were altered to download "updates" and then prompt users to grant permission to install apps from unknown third-party sources and without Disability Services Authority.
[refer to]
https://thehackernews.com/2021/11/4-android-banking-trojan-campaigns.html
Original article, author: CNCSO, if reprinted, please indicate the source: https://cncso.com/en/over-300000-devices-attacked-by-4-android-trojans.html
