
Google Play boots fake apps that spy on devices’ motion sensor data before dropping Anubis malware

A fake currency converter and a phony battery utility program are among the latest fraudulent apps to be expunged from Google Play, according to researchers who discovered they were infecting users with a version of the Anubis banking malware family.

Both fraudulent apps employ a crafty technique to determine whether it is safe for them to run their malicious code after download, Trend Micro reports in a Jan. 18 company blog post. They read the infected device's motion sensor data to determine whether the device is being moved around.

If the data suggests that the device has remained stationary, the app assumes that it may have infected a researcher's sandbox environment, which does not generate motion sensor data. In that case, it issues a "kill" command to cease its malicious activity.

On the other hand, if the device has been moving around, then the app attempts to trick users into installing a pretend system update that in reality is the Anubis payload.

In the blog post, Trend Micro researcher Kevin Sun notes that the battery app, BatterySaverMobi, was downloaded more than 5,000 times before Google was alerted to the program and banished the fake apps. It is not stated how many times the other app, named Currency Converter, was installed.

An analysis of the payload revealed code "strikingly similar" to Anubis samples, Sun says in the report. "And we also saw that it connects to a command and control (C&C) server with the domain aserogeege.space, which is linked to Anubis as well."

Researchers also found 18 other malicious domains that map to the same malicious IP addresses, "and we confirmed that Anubis uses the subpath of these domains," Sun continues. "These domains change IP addresses quite frequently and may have switched six times since October 2018, showing just how active this particular campaign is."

Anubis steals users' account credentials for various apps by secretly recording their keystrokes and taking screenshots of their devices. Trend Micro says this latest version of Anubis has made its way to 93 different countries while targeting 377 variations of financial apps. Additionally, it is capable of collecting contact lists, recording audio, sending SMS messages, making calls and altering external storage.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
