Researchers have found a multitude of seemingly legitimate apps squatting in the Google Play Store that are hiding malicious secrets.
On Wednesday, antivirus software provider Dr. Web said that the applications were discovered in September and included banking Trojans, adware, spyware, and data stealers.
According to the team, the apps pretended to be legitimate services including games, utilities, photography software, and photo galleries.
The Android.Joker family was found to be embedded in Android utilities, camera plug-ins, and image editors, among other software.
Joker contains some of the typical functionality of a Trojan, including the installation of a backdoor to maintain persistence, the theft of sensitive handset and user data, and a particular proclivity towards stealing financial information.
However, the team says Joker is also able to automatically subscribe victims to premium mobile services without their knowledge.
“To confirm the subscription, they hook verification codes from text messages,” the team says. “The Android.Joker malware also transfers the data from victims’ contact lists to the command and control server.”
Another sample of note was the Android.Banker.352.origin banking Trojan, found within the YoBit cryptocurrency exchange app. When launched, the malware displays a fake authentication message within a window, asking users to input their credentials.
If a victim fell for the scheme, these credentials would be whisked off to a command-and-control (C2) server controlled by the Trojan’s operators and an error message would be displayed.
Android.Banker.352.origin is also able to monitor and steal two-factor authentication (2FA) codes from text messages and emails sent to infected handsets, thereby giving attackers all the information they need to compromise cryptocurrency wallets owned by victims.
Dr. Web added that the malware contains functionality allowing it to grab and block notifications from instant messaging software and email clients.
Another banking Trojan, dubbed Android.Banker.347.origin, was also spotted targeting Brazilian credit service customers.
Where this malware was found is of interest. The Trojan was embedded within an app called Encontre Mais, advertised as a means to locate family members. In reality, Android.Banker.347.origin leverages the Android Accessibility Service to steal sensitive data from handsets and a recent upgrade to the malware has also opened up the possibility of automatically displaying phishing websites.
Trojan downloaders, too, were not missing from the researchers’ findings. Samples including Android.DownLoader.920.origin and Android.DownLoader.921.origin were spread through Android gaming applications and, on execution, attempt to download further malware payloads.
Other malware samples harvested from Google Play include adware from the Android.HiddenAds family, mainly hidden within games and other software. After launch, the adware buries its icon and displays advertising banners, and may also attempt to download and install APK files.
The team found a variety of spyware apps, too, in Google Play. Spyware is malware designed not only to steal information including message content, contacts, and potentially GPS location data, but also to enable remote control — including the monitoring of texts, phone calls, and online activity.
Dr. Web says that over September, new versions of spyware were uncovered in Android apps including Program.Panspy.1.origin, Program.RealtimeSpy.1.origin, and Program.MonitorMinor.
In related news last week, researchers from Czech Technical University, UNCUYO University, and Avast published research on a massive malware operation targeting Android users.
The scheme has been running since at least 2016 and combines both the “Geost” botnet and banking Trojans. It is believed up to 800,000 Android users have been impacted and data including names, handset information, and locations may have been stolen.
ZDNet has reached out to Google and will update if we hear back.