Malicious applications hosted on the Google Play Marketplace are trying a clever trick to avoid detection. They monitor the motion sensor input of an infected device before installing a powerful banking trojan to ensure that it is not loaded into the emulators that researchers use to detect attacks.
The thinking behind the monitoring is that the sensors on real end-user devices will register movement as people use them. Emulators used by security researchers – and possibly by the Google employees who vet apps submitted to Google Play – are far less likely to produce sensor input. Two Google Play applications recently caught dropping the Anubis banking malware on infected devices would activate the payload only after movement had been detected. Otherwise, the trojan remained dormant.
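One sandbox-side countermeasure, as an added example that is not from the article or from Trend Micro: have the analysis rig check whether its own accelerometer feed is static (the tell a motion-gated dropper looks for) and, if it is, drive a constructed "phone in hand" stream into the emulator. The example assumes the Android Emulator console's `sensor set acceleration x:y:z` command reached through `adb emu`; the command runner is injectable so the logic can be exercised without an emulator.

```python
import math
import random
import statistics
import subprocess

GRAVITY = 9.81  # m/s^2: an idle device reports (0, g, 0) when upright


def looks_static(samples, threshold=0.05):
    """Sandbox self-check: a default emulator reports an unchanging
    acceleration vector, so a per-axis standard deviation near zero
    means a motion-gated dropper would never fire in this environment."""
    if len(samples) < 2:
        return True
    return all(statistics.pstdev(axis) < threshold for axis in zip(*samples))


def synth_motion(n, seed=0, jitter=0.3):
    """Constructed stream approximating a handheld phone: gravity mostly on
    the y axis, a slow tilt, and Gaussian jitter on every axis."""
    rng = random.Random(seed)
    out = []
    for i in range(n):
        tilt = 0.4 * math.sin(i / 7.0)
        out.append((tilt + rng.gauss(0, jitter),
                    GRAVITY - abs(tilt) + rng.gauss(0, jitter),
                    rng.gauss(0, jitter)))
    return out


def emulator_commands(samples):
    """Render each sample as an emulator console command (assumed syntax:
    'adb emu sensor set acceleration x:y:z')."""
    return ["adb emu sensor set acceleration %.2f:%.2f:%.2f" % s for s in samples]


def feed_emulator(samples, run=subprocess.run):
    """Push the samples to the emulator; 'run' is injectable for testing."""
    cmds = emulator_commands(samples)
    for cmd in cmds:
        run(cmd.split(), check=True)
    return len(cmds)


if __name__ == "__main__":
    idle = [(0.0, GRAVITY, 0.0)] * 50          # what a stock emulator looks like
    print("stock emulator feed looks static:", looks_static(idle))
    moving = synth_motion(50)
    print("synthetic feed looks static:", looks_static(moving))
    if looks_static(idle):
        feed_emulator(moving, run=lambda argv, check: print(" ".join(argv)))
```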
Security firm Trend Micro found the motion-activated dropper in two applications – BatterySaverMobi, which had about 5,000 downloads, and Currency Converter, which had an unknown number of downloads. Google removed both after learning they were malicious.
Motion detection was not the only clever feature of the malicious applications. After one of them installed Anubis on a device, the dropper used requests and responses on Twitter and Telegram to locate its command-and-control server.
"So it's registered on the C&C server and checks the commands with an HTTP POST request," wrote Trend Micro researcher Kevin Sun. "If the server responds to the application with an APK command and attaches the download URL, the Anubis load will be discarded in the background." The dropper tried to trick users into installing the application using the fake system update shown below:
Once Anubis was installed, it used a built-in keylogger that can steal users' account credentials. The malware can also harvest credentials by taking screenshots on infected devices. Sun continued:
Our data shows that the latest version of Anubis has been distributed to 93 different countries and targets users of 377 variations of financial applications to farm account details. We can also see that if Anubis runs successfully, an attacker will have access to the contact list and location. It would also have the ability to record audio, send SMS messages, make calls and change external storage. Anubis may use these permissions to send spam messages to contacts, call numbers from the device, and carry out other malicious activity. Previous research by Quick Heal Technologies shows that versions of Anubis work as ransomware.
The researcher provided the following screenshot showing some of the financial applications that Anubis is targeting:
There are two takeaways from the report. The first is that the quality of malicious apps for Android is improving. The second is that Android users should continue to think carefully before downloading and installing applications on their devices. The benefit either of the removed applications offered was minimal in any case. It's best for people to stick to a small number of applications from well-known developers.