Banking Trojans continue to surface on Google Play

The malicious apps have all been removed from the official Android store but not before the apps were installed by almost 30,000 users

The malicious apps have all been removed from the official Android store but not before the apps were installed by almost 30,000 users

Malware authors keep testing the vigilance of Android users by sneaking disguised mobile banking Trojans into the Google Play store. We’ve recently analyzed a set of 29 such stealthy Trojans, found in the official Android store from August until early October 2018, masquerading as device boosters and cleaners, battery managers and even horoscope-themed apps.

Unlike the increasingly prevalent malicious apps relying purely on impersonating legitimate financial institutions and displaying bogus login screens, these apps belong to the category of sophisticated mobile banking malware with complex functionality and a heavy focus on stealth.

These remotely controlled Trojans are capable of dynamically targeting any apps found on the victim’s device with tailor-made phishing forms. Aside from this, they can intercept and redirect text messages to bypass SMS-based two-factor-authentication, intercept call logs, and download and install other apps on the compromised device. These malicious apps were uploaded under mostly different developer names and guises, but code similarities and a shared C&C server suggest the apps are the work of a single attacker or group.

Figure 1 – Examples of the banking Trojans found on Google Play

The 29 malicious apps have all been removed from the official Android store in the meantime after ESET and fellow researchers notified Google of their malicious nature. Before being pulled from the store, however, the apps were installed by almost 30,000 users in total.

How do they operate?

Once launched, the apps either display an error claiming they have been removed due to incompatibility with the victim’s device and then proceed to hide themselves from the victim’s view, or deliver the promised functionality – such as displaying horoscopes.

Figure 2 – A fake error message displayed by one of these Trojans upon launch

Regardless of which of the preceding activities one of these apps displays, the main malicious functionality is hidden in an encrypted payload located in each app’s assets. This payload is encoded using base64 and then encrypted with an RC4 cipher using a hardcoded key. The first stage of the malware’s activity is a dropper that initially checks for the presence of an emulator or a sandbox. If these checks fail, it then decrypts and drops a loader, and a payload that contains the actual banking malware. Some of the apps we analyzed contained more than one stage of such encrypted payloads.

Figure 3 – Emulator checks

The functionality of the final payload is to impersonate banking apps installed on the victim’s device, intercept and send SMS messages, and download and install additional applications of the operator’s choice. The most significant feature is that the malware can dynamically impersonate any app installed on a compromised device. This is achieved by obtaining the HTML code of the apps installed on the device and using that code to overlay legitimate apps with bogus forms once the legitimate apps are launched, giving the victim very little chance to notice something is amiss.

How to stay safe

Fortunately, these particular banking Trojans (the full list can be found in the IoCs section) do not employ advanced tricks to ensure their persistence on affected devices. Therefore, if you suspect you have installed any of these apps, you can simply uninstall them under Settings > (General) > Application manager/Apps.

We also advise you to check your bank account for suspicious transactions and consider changing your internet banking password/PIN code.

To avoid falling victim to banking malware, we recommend that you:

  • Only download apps from Google Play; this does not ensure the app is not malicious, but apps like these are much more common on third-party app stores, where they are rarely removed once uncovered, unlike on Google Play
  • Make sure to check the number of downloads, app ratings and the content of reviews before downloading apps from Google Play
  • Pay attention to what permissions you grant to the apps you install
  • Keep your Android device updated and use a reliable mobile security solution; ESET products detect and block this threat as Android/TrojanDropper.Agent.CIQ.

Special thanks to Nikolaos Chrysaidos for bringing some of these malicious apps to our attention.

Indicators of Compromise (IoCs)

App namePackage nameHashInstalls
Power Managercom.puredevlab.powermanager7C13ADEFC2CABD85AD8F486C3CBDB6379811A09710+
Astro Plus com.astro.plus24D2ED751A33BD965A01FA87D7A187D14D0B08490+
Master Cleaner - CPU Booster bnb.massclean.boost101DA4333A26BC6D9DFEF6605E5D8D10206C0EB45,000+
Master Clean - Power Booster mc.boostpower.lfE5DC8D4664167D61E5B4D83597965253A8B4CB3B100+
Super Boost Cleaner cpu.cleanpti.clo33D59A70363857A0CE6857D201B764EF3E8194DD500+
Super Fast Cleanersuper.dupclean.comE125AC53050CAFA5A930B210C8168EA9ED0FD6F1500+
Daily Horoscope For All Zodiac Signs ui.astrohoro.t2018C3C45A7B3D3D2CB73A40C25BD4E83C9DA14F2DEA100 +
Daily Horoscope Free - Horoscope Compatibility com.horochart.ukCD5817AB3C2E4AE6A18F239BDD51E0CC9D7F6E25500+
Phone Booster - Clean Master ghl.phoneboost.com9834B40401D76473D496E73884947D8A9F1920B31,000+
Speed Cleaner - CPU Cooler
Ultra Phone Booster ult.boostphone.pb 6156081484663085B4FC5DEAEBF7DA079DD655C31,000+
Free Daily Horoscope 2019 fr.dayy.horos 4E7F12F07D052E7D1EFD21CD323D8BAD9A79933B50+
Free Daily Horoscope Plus - Astrology Online com.dailyhoroscope.freec0be22c44e5540322e0ffbf3a6fe18ce0968d3b51,000+
Phone Power Booster pwr.boost.proFCB8E568145AF2B6D8D29C0484417E51DD25717F1,000+
Ultra Cleaner - Power Boost ua.cleanpower.boostCB37C8C44750874BA61F6F95E7A7C29073CB51DC50+
Master Cleaner - CPU Booster bnm.massclean.boost 63E1C18D87F41ABF9956FC035D29D3C2890453EE5,000+
Daily Horoscope - Astrological Forecast gmd.horobest.ty90f41c64b3ab3f3b43e9d14b52f13143afb643da1,000+
Speed Cleaner – CPU Cooler
Horoscope 2018 com.horo2018i.upc8dc0e94f38556cd83ca6a693fa5b6d7ae3957f71,000+
Meu Horóscopo my.horoscop.br92808ca526f8e655d8fa8716ab476be4041cd5051,000+
Master Clean - Power Booster mc.boostpower.cfab88a93b0e919e5e07cf867f4165f78aa77dc40350+
Boost Your Phone boost.your.phone5577c9131f026d549a38e3ce48c04a323475927e1,000+
Phone Cleaner - Booster, Optimizer phone.boost.glh 988AB351549FEB2C1C664A29B021E98E3695A18A1,000+
Clean Master Pro Booster 2018 pro.cleanermaster.izb9d32241d169dfd4ca5674dffa357796b200bc2f10+
Clean Master - Booster Pro bcb9ef41fea8878eb10f4189dd55bfe1d03a64b35,000+
BoostFX. Android cleaner fx.acleaner.e2018 99bff493d201d42534eec9996fd0819a50+
Daily Horoscope day.horocom.ww 971a0cf208f99c259966b20aa10380c11,000+
Daily Horoscope com.dayhoroscope.en25e95b32832a491108835b382c4f14aa1,000+
Personal Horoscope horo.glue.zodnow 0dcaf426bbc3b484aa4004f5c8e48a191,000+

You might also be interested in the following articles:

Fake finance apps on Google Play target users from around the world

Fake banking apps on Google Play leak stolen credit card data

Android users: Beware these popularity-faking tricks on Google Play

Sign up to receive an email update whenever a new article is published in our Ukraine Crisis – Digital Security Resource Center