A large-scale banking malware campaign has already reached more than 300,000 Android users through apps available on the Google Play Store. The malware arrives disguised as everyday applications and focuses on stealing financial credentials, using tactics that help hide the fraud.

According to the alert issued by ThreatFabric, four malware families are active, one of which alone has accumulated more than 200,000 downloads. Dubbed Anatsa, the malware uses Android's accessibility services to stealthily record keystrokes and screenshots; the method also avoids the permission requests that security platforms and more attentive users often notice.

A QR code reader alone brought the criminals more than 50,000 installations. Anatsa is also the family with the most infections, with 200,000 downloads recorded across six malicious apps, which also include document scanners and cryptocurrency price trackers. According to the researchers, the malware was first discovered in January of this year, but its activity picked up in June.

Some of the malicious apps used to deliver malware through the Google Play Store; accessibility features were used to evade detection (Image: Disclosure/ThreatFabric)

Alien, the second-largest family in the campaign, also appears to be the most sophisticated, able to steal not only banking credentials but also two-factor authentication codes. It accounted for more than 95,000 installations, with a workout-tracking app being the most popular and most polished, complete with a website that lends it an appearance of legitimacy and also serves as the malware's command-and-control server.

The Hydra and Ermac strains complete the campaign's family tree, with a combined total of more than 15,000 downloads. ThreatFabric links their development to a cybercriminal group known as Brunhilda, which has been attacking Android users since late last year.

Escaping detection

All of the malware families work similarly, using the platform's accessibility services to capture screenshots, typed content and other information. This lets them slip past security software and even the suspicion of users themselves, since they never have to request advanced permissions that would go beyond what the app's advertised features need. An accessibility service does still have to be switched on by the user in Settings, but that is a single toggle, typically requested under a pretext, rather than a list of runtime permissions that would look out of place for a QR scanner or fitness app.

Once installed, the malware starts communicating with its command-and-control servers, sending device information such as the Android version and the user's geolocation, which also allows specific regions to be targeted. The malicious payload itself arrives later as an update to the app, with the promise of new features or content.
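Because the abuse described above hinges on an accessibility service being enabled, the quickest triage check on a device is to list which packages currently hold that access. The following script is an added example, not code from the original article or from ThreatFabric: it parses the value Android stores under the secure setting `enabled_accessibility_services` (a colon-separated list of `package/ServiceClass` component names, as returned by `adb shell settings get secure enabled_accessibility_services`) and flags every package that is not on an allowlist. The allowlist contents and the sample string are constructed for illustration; the malicious package name in it is hypothetical and does not correspond to any app named in the report.

```python
"""Triage check: which apps hold accessibility access on an Android device?

Added example (not from the ThreatFabric report). On a real device the input
string comes from:
    adb shell settings get secure enabled_accessibility_services
which returns a colon-separated list of ComponentName strings
(package/ServiceClass). The allowlist and sample output below are constructed.
"""

from typing import List, Set, Tuple

# Hypothetical allowlist: packages you expect to hold accessibility access on
# this fleet (e.g. the platform screen reader). Anything else gets flagged.
EXPECTED_PACKAGES: Set[str] = {
    "com.google.android.marvin.talkback",
}

# Constructed sample value, as `settings get secure` would print it. The second
# entry is a made-up package standing in for a dropper disguised as a utility.
SAMPLE_OUTPUT = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.qrscanner/com.example.qrscanner.AccService"
)


def parse_enabled_services(raw: str) -> List[Tuple[str, str]]:
    """Split the setting value into (package, service_class) pairs.

    An empty string or the literal 'null' means no service is enabled.
    The short ComponentName form 'pkg/.Cls' is expanded to 'pkg/pkg.Cls',
    matching how Android's ComponentName unflattens it.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    services: List[Tuple[str, str]] = []
    for entry in raw.split(":"):
        if not entry or "/" not in entry:
            continue  # tolerate trailing separators or malformed entries
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def suspicious_services(raw: str,
                        expected: Set[str] = EXPECTED_PACKAGES) -> List[Tuple[str, str]]:
    """Return enabled accessibility services whose package is not allowlisted."""
    return [(pkg, cls) for pkg, cls in parse_enabled_services(raw)
            if pkg not in expected]


if __name__ == "__main__":
    # Usage: feed the real device output in place of SAMPLE_OUTPUT.
    for pkg, cls in suspicious_services(SAMPLE_OUTPUT):
        print(f"REVIEW: {pkg} has an enabled accessibility service ({cls})")
```

Flagged packages are candidates for review, not verdicts: pull the APK (`adb shell pm path <pkg>`), check its signer and whether the accessibility service was present in the version originally installed, since, as the article notes, the malicious component is typically delivered through a later update.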

Brazil is not among the countries most affected by the campaign, but organizations operating there are among those targeted by the malicious applications (Image: Disclosure/ThreatFabric)

The collected data is sent back to the criminals' infrastructure, giving them access to the victims' financial data. According to the alert, the first versions of the apps published on the Play Store did not carry the malicious functionality, and all of them actually deliver the features they promise, which helped build credibility before the scams were launched.

The following applications were used by the criminals to deliver the malware. All have since been taken down by Google:

QR Scanner 2021;
QR CreatorScanner;
Master Scanner Live;
GymDrop;
Gym and Fitness Trainer;
PDF Document Scanner;
CryptoTracker;
Protection Guard;
PDF AI: Text Recognizer;
Flow Division.

According to the researchers, the attackers' main targets are countries in Europe, the United States and Australia; the scams involving Hydra and Ermac also hit users in Asia and Latin America. Brazil does not appear on the list released by ThreatFabric, but the institutions and services targeted by the scammers include organizations operating in Brazil, such as Santander, Mercado Livre, Grupo Cajamar and Itaú, as well as services such as Gmail, Yahoo, Netflix and AliExpress.

Source: ThreatFabric