Two Google Play apps posing as useful tools, named Currency Converter and BatterySaverMobi, were found to drop the widespread Android banking malware known as Anubis.
Trend Micro researcher Kevin Sun wrote in his blog post that the battery app had been downloaded more than 5,000 times and carried a 4.5-star rating from 73 reviewers before Google took it down; on closer inspection the reviews did not hold up, consisting of generic text with little sense or logic, which suggests they were not genuine. No install count is available for the currency converter app.
Google confirmed that both apps were removed from Google Play after the discovery.
In his post, Sun reports that both fraudulent apps check whether it is safe to run their malicious code before doing so. They use the device's motion sensor data to tell whether the device is being moved. If no motion is registered, the app assumes it may be running in a researcher's sandbox or emulator, which typically generates no motion sensor data, and in that case the malicious code is not triggered.
If the device is being moved, however, the app tries to persuade the user to install a "system update", which is in reality the Anubis payload.
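The decision described above, written out as runnable logic. This is an added illustration, not code from the Trend Micro report or from the malware itself: the sensor model (accelerometer readings as (x, y, z) in m/s^2), the thresholds and the three constructed sensor streams are assumptions made to show how a "no motion, so maybe a sandbox" check behaves against an emulator, an idle phone and a phone that is actually being carried.

```python
"""Model of the motion-sensor sandbox check described above.

Added illustration, not code from the Trend Micro report or from the
malware itself. The sensor model (accelerometer readings as (x, y, z) in
m/s^2) and the thresholds below are assumptions made to turn the described
decision into something runnable.
"""
import math
import statistics
from typing import Sequence

Sample = tuple[float, float, float]

# Assumed tuning: how many readings the check waits for, and how much the
# acceleration magnitude has to jitter before the device counts as "moving".
MIN_SAMPLES = 20
MOTION_STDDEV_THRESHOLD = 0.25  # m/s^2


def magnitude(sample: Sample) -> float:
    """Length of the acceleration vector; about 9.81 for a phone at rest."""
    x, y, z = sample
    return math.sqrt(x * x + y * y + z * z)


def device_is_moving(samples: Sequence[Sample]) -> bool:
    """True when the accelerometer stream looks like a phone in someone's hand.

    An emulator without sensor hardware delivers no events at all, and a
    phone lying on a desk delivers a nearly constant vector. Both fail this
    test, which is exactly the signal the dropper reads as "maybe a sandbox".
    """
    if len(samples) < MIN_SAMPLES:
        return False
    magnitudes = [magnitude(s) for s in samples]
    return statistics.pstdev(magnitudes) > MOTION_STDDEV_THRESHOLD


def next_action(samples: Sequence[Sample]) -> str:
    """The dropper's decision: stay quiet when the device looks sandboxed,
    otherwise show the fake "system update" prompt that installs the payload."""
    return "prompt_fake_update" if device_is_moving(samples) else "stay_dormant"


# Constructed sensor streams standing in for three environments.
def emulator_stream() -> list[Sample]:
    """Sandbox/emulator with no motion sensor: no events ever arrive."""
    return []


def idle_phone_stream(n: int = 50) -> list[Sample]:
    """Real phone lying flat: gravity on z plus a little measurement noise."""
    return [(0.01 * ((i % 3) - 1), 0.0, 9.81 + 0.005 * ((i % 5) - 2)) for i in range(n)]


def walking_stream(n: int = 50) -> list[Sample]:
    """Phone carried while walking: a rough periodic swing of a few m/s^2."""
    return [
        (2.0 * math.sin(i / 3.0), math.cos(i / 2.0), 9.81 + 2.5 * math.sin(i / 1.5))
        for i in range(n)
    ]


if __name__ == "__main__":
    for name, stream in [("emulator", emulator_stream()),
                         ("idle phone", idle_phone_stream()),
                         ("walking", walking_stream())]:
        print(f"{name:11s} -> {next_action(stream)}")
```

For a sandbox operator the lesson is the mirror image: an analysis emulator that reports no sensor events, or a constant gravity vector, never sees this dropper's payload. Feeding it noisy, plausible accelerometer data (for example a replayed trace recorded on a real handset while walking) is what makes the check pass.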
According to Sun, the revealed payload code closely resembles known Anubis samples, and it connects to a command-and-control server at the domain aserogeege[.]space, which is linked to Anubis. The researchers also found another 18 domains that resolve to the same IP addresses, and confirmed that Anubis uses sub-paths of these domains. The domains have changed IP addresses six times since October 2018, which points to a highly active campaign.
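The infrastructure pivot the researchers describe, as an added example rather than their tooling: start from one known domain, collect every domain that has shared a resolution IP with it (following the chain transitively), and count how often each domain changed IP over a period. The passive-DNS records below are constructed: the IPs are from the RFC 5737 documentation ranges and every domain except aserogeege[.]space is a placeholder under .invalid, so the data says nothing about the real campaign's infrastructure. Real pDNS data would come from a provider's API.

```python
"""Passive-DNS pivot of the kind the researchers describe: start from one
known domain, collect every domain that has shared a resolution IP with it
(transitively), and count how often each domain changed IP over a period.

Added example, not the researchers' tooling. The records below are
constructed: the IPs are from the RFC 5737 documentation ranges and every
domain except aserogeege[.]space is a placeholder under .invalid; none of
it describes the real campaign's infrastructure.
"""
from collections import defaultdict, deque
from datetime import date

# (domain, first_seen, ip) as a pDNS provider would return it (constructed).
PDNS_RECORDS = [
    ("aserogeege[.]space", date(2018, 10, 3), "192.0.2.10"),
    ("aserogeege[.]space", date(2018, 11, 12), "198.51.100.7"),
    ("aserogeege[.]space", date(2019, 1, 5), "203.0.113.44"),
    ("c2-a.invalid", date(2018, 10, 4), "192.0.2.10"),
    ("c2-a.invalid", date(2018, 11, 13), "198.51.100.7"),
    ("c2-b.invalid", date(2019, 1, 6), "203.0.113.44"),
    ("c2-b.invalid", date(2019, 1, 20), "203.0.113.45"),
    ("c2-c.invalid", date(2019, 1, 21), "203.0.113.45"),  # only linked via c2-b
    ("unrelated.invalid", date(2018, 12, 1), "192.0.2.99"),
]


def build_index(records):
    """Two adjacency maps over the domain/IP graph."""
    domain_to_ips = defaultdict(set)
    ip_to_domains = defaultdict(set)
    for domain, _first_seen, ip in records:
        domain_to_ips[domain].add(ip)
        ip_to_domains[ip].add(domain)
    return domain_to_ips, ip_to_domains


def related_domains(seed, records):
    """Breadth-first walk: seed -> its IPs -> other domains on those IPs -> ...

    Returns every domain reachable from seed through shared IPs, seed excluded.
    """
    domain_to_ips, ip_to_domains = build_index(records)
    seen = {seed}
    queue = deque([seed])
    while queue:
        current = queue.popleft()
        for ip in domain_to_ips.get(current, ()):
            for other in ip_to_domains[ip]:
                if other not in seen:
                    seen.add(other)
                    queue.append(other)
    seen.discard(seed)
    return seen


def ip_changes(domain, records, since):
    """How many times domain moved to a different IP on or after `since`."""
    history = sorted(
        (first_seen, ip) for d, first_seen, ip in records if d == domain and first_seen >= since
    )
    changes = 0
    for (_, previous_ip), (_, current_ip) in zip(history, history[1:]):
        if current_ip != previous_ip:
            changes += 1
    return changes


if __name__ == "__main__":
    seed = "aserogeege[.]space"
    cluster = related_domains(seed, PDNS_RECORDS)
    print(f"{seed} shares infrastructure with: {sorted(cluster)}")
    for d in sorted(cluster | {seed}):
        print(f"  {d}: {ip_changes(d, PDNS_RECORDS, date(2018, 10, 1))} IP change(s) since 2018-10")
```

Two caveats apply to any such pivot: a shared-hosting or CDN address links thousands of unrelated domains, so every IP on the path should be checked for how many domains it serves before its neighbours are treated as campaign infrastructure, and pDNS first-seen dates reflect when a resolver observed the record, not when the attacker changed it.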
Trend Micro says the latest version of Anubis has spread to users in 93 countries and targets 377 financial apps. It steals account credentials by taking screenshots and logging the user's keystrokes; its other capabilities include recording audio, reading and sending SMS messages, making calls and harvesting contact lists.