Security researchers have discovered several apps on the Google Play store harbouring the Bankbot app.
According to blog posts by SfyLabs and Zscaler, the apps are called 'Earn Real Money Gift cards' (package name: com.moneygift.real.app) and 'Bubble Shooter Wild Life' (package name: com.bubblesooter.wildlife). Both are by the same author. Both companies said they have told Google about the apps. At the time of writing, both apps were still available to download.
Researchers said that the first app contained Bankbot while the second contains a dropper, malware used to install other malware when instructed.
The second app, Bubble Shooter Wild Life, takes advantage of the Android Accessibility Service feature.
“Upon preliminary analysis of 'Bubble Shooter Wild Life', we were able to confirm it to be malicious and capable of abusing Android's Accessibility permission to install additional apps without user's permission,” said Gaurav Shinde, Android security researcher at Zscaler.
He said that the app was protected using Allatori Obfuscator.
“Most recent malware families have started using obfuscators, packers, and protectors to hinder analysis from security researchers and malware detection systems,” he said.
Shinde added that since most of the code strings were obfuscated, they decided to write a routine to decrypt all the strings and rebuild the APK. Once they got the strings in plain text, the analysis was straightforward.
Both sets of resarchers noted that the malware fails to work at different points, leading them to believe the malware is under development.
“It looks like the developer is still working on improving his dropper app. Any new update to the app (the last one was two days ago) can add an embedded APK which will be installed after the app is started,” said Wesley Gahr and Niels Croese of SfyLabs.
“With a simple campaign on social media the app can be spread rapidly, especially since the app appears to be a normal and fun game to the average user. As we have long expected droppers will probably become more common and be rented out as a service,” they added.
Marta Janus, malware researcher and reverse engineer at Cylance, told SC Media UK that organisations should educate employees not to install any untrusted software - or any unnecessary software at all - on the BYOD devices that they use to access corporate resources.
“In this particular case, the situation is a bit complicated, as the malicious application somehow managed to go through the Google evaluation, which - for many users - is enough to assume the software is legit,” she said.
“However, it's not the first time malware appears on Google Play store, and although it happens less often now, since vetting processes have been implemented, users should still be vigilant and think twice before they install applications on their corporate-connected devices, even if the source is official app store.”
Javvad Malik, security advocate at AlienVault, told SC media UK that a lot of these attacks are using newer obfuscation techniques to bypass Google's security checks.
“As their popularity will increase, it is likely that Google will increase the rigour of its checks to filter out such apps. While total security is not possible, the official Google play store should remain by and large a trusted repository,” he said.
