Four Banking Trojan Campaigns Targeted Over 300,000 Android Devices in 2021

Colin Thierry
Colin Thierry Writer
Colin Thierry Colin Thierry Writer

Hackers circumvented the Google Play Store to distribute four separate Android banking Trojans between August and November, cybersecurity firm ThreatFabric reported. The malware infected more than 300,000 Android devices through dropper apps that posed as harmless utility apps in order to fully control the infected devices.

ThreatFabric said that these refined Trojan malware campaigns are designed to have a small malicious footprint, which ensures that only smartphone devices from specific regions are infected and prevents the malware from being downloaded during the publishing process. These campaigns are designed to deliver Anatsa (aka TeaBot), Alien, ERMAC, and Hydra malware specifically.

In early November, Google introduced limitations to restrict the use of accessibility permissions — this is what allows malicious apps to access personal information from Android devices. However, hackers are always changing their tactics to adapt and slip past Google’s protections to install apps through the app store.

Threat Actor Techniques

ThreatFabric discovered six Anatsa droppers on the Google Play Store since this past June. With this malware, the apps are programmed to download an “update”, which is followed by prompting users to allow it permissions to install apps and Accessibility Service privileges.

The threat actor Brunhilda also used trojanized apps posing as QR code creator apps in order to target users in the US with Hydra and ERMAC malware, according to ThreatFabric. The US market had previously not been targeted by these two malware families. Brunhilda was also discovered delivering a remote access trojan named Vultur this July.

Finally, a fitness training dropper app with over 10,000 installations named GymDrop was found delivering the Alien banking trojan while masking it as a “new package of workout exercises,” ThreatFabric said.

“To make themselves even more difficult to detect, the actors behind these dropper apps only manually activate the installation of the banking trojan on an infected device in case they desire more victims in a specific region of the world,” the researchers said. “This makes automated detection a much harder strategy to adopt by any organization.”

About the Author

About the Author

Colin Thierry is a former cybersecurity researcher and journalist for SafetyDetectives who has written a wide variety of content for the web over the past 2 years. In his free time, he enjoys spending time outdoors, traveling, watching sports, and playing video games.

Leave a Comment