Banking trojans are one of the most significant headliners in the global threat landscape. You will often see that Google has banned a series of apps for malicious activities. Once done, these marked apps disappear, but another horde of similar camouflaged apps appears to hook victims until they come under the authority scanner. But how do they do this? And how did they achieve their malicious intent? We would try to explain the activities in simple terms.
What is a banking trojan?
For the uninitiated, banking trojans are a specific sort of malware intending to intercept smartphone-installed banking apps and text messages to obtain the victim’s banking login credentials to wipe off the account balance. Many banking trojans are capable of bypassing two-factor authentication systems through SMS. Besides extracting banking usernames and passwords, many banking malware also installs spyware and keylogger software. Many powerful banking trojans are taught to steal money from different mobile banking facilities via overlapping the interface, among other methods. Banking trojans often come in the disguise of legitimate utility apps.
The burgeoning list of banking trojans appearing on Google Play
As the owner of the second most popular operating system on earth, Google’s Threat Analysis Group (TAG) proactively detects and bans a plethora of apps frequently, even though the hoard of malware-ridden apps ushers in on the Android shore every day.
Bad actors usually target popular categories of apps such as photo and video editors, keyboards with new utilities and convenience, several system maintenance apps, social media apps, wallpaper and ringtone apps, and note-taking apps to distribute malware masquerading as authentic applications. And before Google’s TAG identifies their malicious activities and boots them out of the official Android App Store, they do the intended damage and change their cloak once apprehended.
Instead of carrying malware while installing, these dropper apps, once installed, download more potent and intrusive malware from a remotely held command-and-communication (C2) server on the victim’s device. The downloaded malware changes according to the lousy actor’s preference. Besides downloading the malicious payload from the pre-instructed server, the dropper executes several actions to take control of the device.
The most common among them are
Get Device Admin permissions
Modern malware intends to get the device admin permission to ensure they can execute any commands without the user’s knowledge and authentication.
Disabling Google Play protect
It is the most prevalent action that every sophisticated malware prefers to perform because, this way, they can stay away from radars.
Getting control of the screen overlay feature of a smartphone allows a perpetrator to trick the victim into executing an action the latter believes is beneficial for them. For the uninitiated, screen overlay is a feature that lets an app draw an extra view layer over other apps, and malicious apps commonly exploit the feature to attack users.
Once the perpetrator gets device admin access, they start uninstalling selective apps on the device that might obstruct their operation.
Spyware is an essential weapon for threat actors. Nation-state actors use them to gain an undue advantage over enemy nations’ financial, political, and social secrets. In contrast, money-motivated actors often use them to steal financial information, personally identifiable information (PII), user behaviour, etc. In the case of a baking trojan loader, spyware is immensely handy to snitch financial credentials by recording keystrokes and sometimes screen recording and taking screenshots.
The droppers also collect user data such as Android ID, phone number, installed apps, SMS messages, etc.
A checklist of safeguards
Threat actors lure Android users for various reasons, ranging from financial benefits to espionage on high-profile victims, creating backdoors on networks for lodging massive ransomware attacks on enterprises. Therefore, both individuals and employees of enterprises should embrace an extra degree of caution while dealing with Android apps.
K7 mobile security offers robust, multi-layered protection against all cyberattacks, including malware loaders, downloaders, trojans, phishing, ransomware, SMiShing, malicious websites, PUPs, and other malware. . However, besides installing our Android cybersecurity suite on your Android device, we recommend you practice the following actions to outsmart attacks aimed at you or your enterprise.
- Install all Android and security updates soon after they roll out. Android and device manufacturers’ security updates fix a series of vulnerabilities that the perpetrators could abuse.
- Avoid installing apps from third-party app stores, even though they sound tempting, offering free versions of premium apps. These apps deliver malicious payloads or cracked versions of authentic apps injected with malicious scripts.
- Use separate and complex passwords of over 12 characters for each app you have installed on your device. We recommend you install a password manager to manage passwords.
- Be cautious about clicking on links received via emails and social messaging apps. Many of them are intended to pursue phishing activities and take control of your device.
- Check the permissions you have granted and roll back the unnecessary ones.