Banking malware back in Play Store

An Android banking trojan that was first reported by ESET earlier this year has found its way to Google Play, now stealthier than ever.

Dubbed BankBot, the banking trojan has been evolving throughout the year, resurfacing in different versions on and outside Google Play. The variant ESET discovered on Google Play in early September 2017, is the first one to successfully combine the recent steps of BankBot’s evolution: improved code obfuscation, a sophisticated payload dropping functionality, and a cunning infection mechanism abusing Android’s Accessibility Service.

Misuse of Android Accessibility has been previously observed in many different trojans, mostly outside Google Play. Recent analyses have confirmed that the crooks spreading BankBot managed to upload an app with the Accessibility-abusing functionality to Google Play, only without the banking malware payload.

The “complete puzzle” featuring the banking malware payload that manged to sneak into Google Play masqueraded as a game name Jewels Star Classic (it is important to note that the attackers misused the name of popular legitimate game series Jewels Star by the developer ITREEGAMER, which is in no way connected to this malicious campaign).

ESET has notified Google’s security team of the malicious app, installed by up to 5000 users before getting removed from the store.

What makes it dangerous?

In this campaign, the crooks have put together a set of techniques with rising popularity among Android malware authors – abusing Android Accessibility Service, impersonating Google, and setting a timer delaying the onset of malicious activity to evade Google’s security measures.

The techniques combined make it very difficult for the victim to recognise the threat in time.  Because the malware impersonates Google and waits for 20 minutes before displaying the first alert, the victim has very little chance to connect its activity to the Jewel Star classic app they have recently downloaded. On top of that, the many different names the malware uses throughout the infection process significantly complicate efforts to locate and manually remove it.

How to clean an infected device

If you are downloading many different apps from Google Play and elsewhere, you might want to check if you haven’t reached for this malware.

Checking your device for Jewel’s Star Classic is not enough, as the attackers frequently change up the apps misused for BankBot’s distribution. To see if your device has been infected, we recommend you go after the following indicators:

• Presence of an app named “Google Update”
• Active device administrator named “System Update”
• Repeated appearance of the “Google Service” alert

If you can’t find any of the mentioned indicators, your device may well have been infected with this BankBot variant.

To manually clean your device, you would first need to disable device administrator rights for “System Update”, then proceed uninstalling both “Google Update” and the associated trojanised app.

ESET security products detect and block this variant of BankBot as Android/Spy.Banker.LA. 

How to stay safe?

Besides using a reliable mobile security solution, there are other things you can do to avoid falling victim to mobile malware:

• Whenever possible, favour official app stores over alternative ones. Although not flawless, Google Play does employ advanced security mechanisms, which doesn’t have to be the case with alternative stores
• When in doubt about installing an app, check its popularity by number of installs, ratings and content of reviews
• After running anything that you’ve installed on your mobile device, pay attention to what permissions and rights it requests. If an app asks for intrusive permissions – even more so if Accessibility related, read them with caution and only grant them if absolutely sure of the apps reliability.