The dangerous Android banking trojan that we first reported on at the beginning of this year has found its way into Google Play again, now stealthier than ever.
Dubbed BankBot, the banking trojan has been evolving throughout the year, resurfacing in different versions both on and outside Google Play. The variant we discovered on Google Play on September 4 is the first one to successfully combine the recent steps of BankBot’s evolution: improved code obfuscation, a sophisticated payload-dropping functionality, and a cunning infection mechanism abusing Android’s Accessibility Service.
Misuse of Android Accessibility has been previously observed in a number of different trojans, mostly outside Google Play. Recent analyses from SfyLabs and Zscaler have confirmed that the crooks spreading BankBot managed to upload an app with the Accessibility-abusing functionality to Google Play, only without the banking malware payload.
The “complete puzzle” featuring the banking malware payload managed to sneak into Google Play masqueraded as a game named Jewels Star Classic (it is important to note that the attackers misused the name of popular legitimate game series Jewels Star by the developer ITREEGAMER, which is in no way connected to this malicious campaign).
“The malicious apps have been able to conceal themselves by hiding on Google Play and leveraging techniques like time delays and code obfuscation. At this point, the apps are fairly new to the Play store with fewer than 5,000 downloads. However, there is a concern around the increase in availability of dubious apps online,” Zscaler warns.
El Reg asked Google to comment on the incident, in particular on the suggestion that crooks had figured out a way to smuggle malicious code past its security controls, but has not yet received a response.
The latest Android security kerfuffle highlights the need for consumers to be careful about downloading applications, even if they come from the official Google store.
App alerts generated by Google can sometimes be wrong. For example, last weekend Google Play began flagging a preinstalled system app on OnePlus phones as malicious. “GPIO Switch” generated an apparently false alert. In a response to a thread on its forum, OnePlus said it was chasing the issue. Since the snafu related to a system app, users would be unable to manually uninstall it, even if they wanted to.