Sneaky Multi-Stage Android Malware Spreads Banking Trojans in Google Play

Written by

Another set of malicious mobile apps has made it into the official Google Play app store, which are notable thanks to their multi-stage architecture and the encryption they use to stay under the radar.

Detected by ESET security systems as Android/TrojanDropper.Agent.BKY, these apps form a new family of multi-stage Android malware, which use a delayed onset of malicious activity to masquerade as legitimate—there are no immediate red flags for the user to look for, in other words. After being downloaded and installed, these apps do not request any suspicious permissions and they even mimic the activity the user expects them to exhibit.

In the background though, they execute a second-stage payload that contains a hardcoded URL, from which it downloads a third-stage payload without the victim’s knowledge.

After a pre-defined delay of approximately five minutes, the user is prompted to install the third-stage downloaded app, which purports to be well-known software like Adobe Flash Player—or, something “legitimate-sounding yet completely fictional,” ESET researchers explained, such as “Android Update” or “Adobe Update”.

In any case, this app’s purpose is to obtain all the permissions that the final payload needs for its malicious actions. After that, it then decrypts and executes the fourth and final payload—typically a mobile banking trojan, which presents the user with fake login forms to steal credentials or credit-card details.

ESET discovered eight apps in the family on Google Play (Google has removed them). In terms of propagation, one of the malicious apps downloads its final payload using the URL shortener, which ESET found had been used almost 3,000 times with the vast majority of hits coming from the Netherlands.

“Unfortunately, multi-stage downloaders, with their improved obfuscation features, have a better chance of sneaking into official app stores than common Android malware does,” researchers said. “Users who want to stay protected should not rely fully on the stores’ protections; instead, it’s crucial for users to check app ratings and comments, pay attention to what permissions they grant to apps and run a quality security solution on their mobile devices.”

What’s hot on Infosecurity Magazine?