For the third time this year, Google Play Store has been unintentionally distributing malware. This particular malware, Bankbot, appeared in the app store in April this year, but was swiftly removed. It then resurfaced in September, before being removed again. It has now managed to return to the store for the third time.
The malware itself is designed to harvest victims banking and payment information. It carries the ability to identify many different existing financial and banking apps. Once identified, it then tailors a phishing attack specifically for the app the victim uses. By using an overlay page that looks exactly like the banking app’s login page, they’re able to trick people into giving up their details.
The newest addition of Bankbot was discovered by researchers at RiskIQ. It’s disguised as an app called ‘Crypto currencies market prices’ – which also comes with a ‘Verified by Play Protect’ logo to make it seem like a trusted source. To a normal customer, this looks like a legitimate app.
Image from RiskIQ
The rogue app is clever in that it’s not just an empty shell, it does operate as an app that actually works. If you were to download it from the Play Store, you would be able to monitor the prices of Crypto currencies. By masking itself as a legitimate and working app, it bolsters it’s disguise and increases the chances of the hackers achieving their goals.
The method used to bypass the security protocols and application vetting is yet to be disclosed, but the malicious app was downloaded thousands of times before it was removed. This comes in the wake of Google Play Store recently displaying a fake version of WhatsApp that was downloaded over one million times.
How can you tell if your phone is infected by a malicious app?
Unrecognised charges on your phone bill: Malicious applications are renowned for making money by sending premium rate text messages or making premium rate phone calls. By giving app’s permission to use different parts of your phone, they may be taking advantage without your knowledge.
Invasive adverts/pop-ups: If you’ve noticed invasive adverts on your smartphone, it’s possible that you may be infected with adware. Whilst this doesn’t necessarily mean you have a ‘virus’ it can become an annoyance.
Friends/family are receiving strange messages from you: If people you know are complaining about receiving odd messages from your telephone number/email address, it’s possible you may be being used to send out spam messages.
Certain applications are consuming large amounts of data: Often seen among malicious applications is their need to ‘phone home’ by having access to the internet. Most smartphones will have an area in their settings dedicated to breaking down the individual data usage of each app. Keep an eye out for applications you wouldn’t expect to see on the list, for example if your calculator is accessing the internet there is a fair possibility that its doing more than it should be.
Reduced battery life: If your phone is experiencing a sudden reduction in battery life then it means you could be hosting a virus. It’s not always the case, but viruses have been known to result in increased battery consumption. If you’ve installed any new apps then you should be wary and check online for signs that it may be malicious software.
Whilst some of the points above may just be a result of a buggy or badly written app, it’s still worth being wary. The extra caution and diligence is worth it when you’re not being defrauded out of your hard earned money. Google aren’t the only ones that have inadvertently delivered malware recently; Crunchyroll, the popular anime streaming service were for a short time offering malicious downloads alongside their cartoons. You can read more about that here.
We recently discovered an app in the Google Play Store called “Cryptocurrencies Market Prices.” On the surface, the app delivers what it promises, timely information for people who engage in cryptocurrency marketplaces. However, the price users don’t realize they’re paying is the keys to their financial accounts. Cryptocurrencies Market Prices belongs to the Bankbot family of mobile Trojan, which uses the overlay technique within a variety of financial and retail mobile apps to phish for sensitive data.