A new banking trojan recently entered the Google Play Store by abusing Android’s Accessibility Service and infected up to 5,000 Android device users.
The BankBot trojan steals financial details of Android device users by pretending to be Google Play itself.
Google Play Store's anti-malware programmes and filtering mechanisms have grown stronger in the past year, but so have new malware and banking trojan variants whose creators continue to stay a step ahead of Google's best malware detection software.
Researchers at ESET recently discovered that a powerful banking trojan- BankBot- made its return to the Play Store after it was kicked out by Google earlier this year. While the new trojan variant retains its capabilities, including stealing financial data of Android device users by masquerading as Google, the method of its intrusion on the Play Store is far more sophisticated compared to its predecessors.
According to the researchers who discovered the new BankBot trojan variant, it is 'the first one to successfully combine the recent steps of BankBot’s evolution: improved code obfuscation, a sophisticated payload dropping functionality, and a cunning infection mechanism abusing Android’s Accessibility Service.
The apps containing BankBot were removed from the Play Store after ESET researchers notified Google about the presence of the trojan.
How does BankBot enter Android devices?
Hackers behind the BankBot trojan have developed a duplicate version of Jewel Star Classic, a popular Android game, and are including the trojan as part of the app's download package.
The trojan is included as a service but isn't triggered instantly so as to evade Google's malware detection programmes. Instead, hackers behind the operation have introduced a 20-minute delay before the service triggers and launches a pop-up window, asking the user to enable 'Google services'.
If the user clicks OK, he is directed to the Accessibility Settings menu and is asked by the service to turn on 'Google services' which is, in fact, the malware’s accessibility service disguised as a Google service. To make the process look more genuine, hackers behind the malware make the user view detailed Privacy & Terms (which is copied from Google's website).
Once access permissions are given by the user, the trojan proceeds to perform its basic functions like stealing financial data belonging to users by pretending to be Google Play itself. It can also install apps from other sources, activate device administrator for BankBot, set BankBot as default SMS messaging app and obtain permission to draw over other apps.
Is this a new malware intrusion technique?
While the technique employed by hackers behind the BankBot intrusion is relatively new, it has been successfully employed by other hackers before. In fact, the intrusion technique was also used by hackers in August who created fake ‘Earn Real Money Gift Cards’ and ‘Bubble Shooter Wild Life’ apps to mask the malware's presence.
These two apps were uncovered by researchers at security firm Zscaler and then reported to Google who removed them promptly. However, just like the researchers had feared, new malware and trojans are still able to infiltrate the Google Play Store by utilising the same intrusion technique.
In September, researchers at security firm Check Point also uncovered as many as 50 Android apps on the Google Play Store that contained a malware named 'ExpensiveWall'. The malware installed itself on millions of Android devices by hiding inside seemingly harmless Android apps and then obtained permission from users to access their Internet and SMS.
Hackers behind ExpensiveWall encrypted malicious code while including the malware in Android apps, thereby avoiding detection by Google Play’s built-in anti-malware protections. Even though the apps are no longer in play, the malware continues to be present on user devices and remains a threat to millions of users.