Over the past four months, cybercriminals have pushed nearly 300,000 banking trojan installations through the official Android application store, despite Google Play's app restrictions.
According to ThreatFabric researchers, these threat groups have refined their use of Google Play to spread banking trojans by shrinking the size of their dropper apps, reducing the number of permissions they request, raising the overall quality of the malicious code, and setting up convincing companion websites.
Droppers are programs that act as a first-stage infection: they fetch and install other, more advanced payloads, in this case banking trojans. According to the research, the cybercriminals got these onto Google Play with some creativity, for example a dropper app masquerading as a fitness program, complete with a fully functional back-end website.
To make themselves far harder to identify, the attackers behind these dropper apps only trigger the download and deployment of the banking trojan manually on an infected device, rather than automatically on every install. This makes automated detection considerably harder for any security vendor, because the dropper itself shows little malicious behaviour during analysis.
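Because the second stage is only deployed on demand, an automated scanner often sees nothing more than the dropper's static footprint. The following is an added example, not ThreatFabric's or Google's tooling: it turns the dropper profile described above (a small permission set that still allows fetching and sideloading another APK) into a manifest triage check. The manifest it parses is a constructed sample with a hypothetical package name.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions a dropper needs to fetch and sideload a second-stage APK.
# REQUEST_INSTALL_PACKAGES is required on Android 8+ to launch the package installer.
DROPPER_INDICATORS = {
    "android.permission.INTERNET": "fetches a payload from a remote server",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can sideload a second-stage APK",
}

# Constructed sample: a minimal manifest as a decoder such as apktool would emit,
# modelled on a fitness-themed dropper that asks for very few permissions.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fitness.tracker">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Fitness Tracker"/>
</manifest>"""


def declared_permissions(manifest_xml: str) -> list[str]:
    """Return the uses-permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return [el.get(f"{{{ANDROID_NS}}}name", "") for el in root.iter("uses-permission")]


def triage_dropper(manifest_xml: str) -> dict:
    """Flag a manifest whose permission set matches the dropper profile:
    a small footprint that still allows fetching and installing another APK."""
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(manifest_xml)
    findings = [reason for p, reason in DROPPER_INDICATORS.items() if p in perms]
    can_sideload = "android.permission.REQUEST_INSTALL_PACKAGES" in perms
    return {
        "package": root.get("package"),
        "permission_count": len(perms),
        "findings": findings,
        # Both indicators present plus a small footprint (threshold is an assumption).
        "dropper_profile": can_sideload
        and len(findings) == len(DROPPER_INDICATORS)
        and len(perms) <= 5,
    }


if __name__ == "__main__":
    print(triage_dropper(SAMPLE_MANIFEST))
```

A hit is a triage signal, not a verdict: legitimate updaters and app stores also declare REQUEST_INSTALL_PACKAGES, so flagged apps still need dynamic analysis or reputation checks.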
According to the research, four malware families were responsible for the 300,000 banking trojan dropper installations: Anatsa (200,000+ installs), Alien (95,000+), and Hydra/Ermac (15,000+).