How Hackers Trick 300,000 Android Users Into Downloading Malware to Steal Passwords

A recent report by cybersecurity company ThreatFabric shows that more than 300,000 Android users have installed Trojan horses that secretly steal their banking information. Although the apps have been removed and deactivated by Google, developers have used unique techniques to deploy malware that all Android users should be wary of.

The hackers used several types of malware.

The ThreatFabric report only mentions a few malicious apps, but they include QR scanners, PDF scanners, fitness trackers, and crypto apps. Unlike other fake apps that falsely advertise their functions, many of the apps in this batch of Android malware worked as expected. But behind the scenes, passwords and other user data were stolen.

The researchers divided the applications into four distinct “families” based on the malware used:

  • Anatsa: The largest of the four malware families, with more than 200,000 downloads, used the Anatsa banking Trojan. Android Trojans hijack accessibility features to steal login credentials and other personal data.
  • Alien: The second most downloaded Trojan was Alien, installed on over 95,000 devices. Alien intercepts two-factor authentication (2FA) codes, which hackers can then use to log into the user’s bank account.
  • Hydra and Ermac: The latter two families used the Hydra and Ermac malware, both of which are associated with the Brunhilda cybercriminal group. The group used the malware to remotely access the user’s device and steal banking information. The ThreatFabric report says that applications using Hydra and Ermac have received a total of over 15,000 downloads.

How These Malware Families Bypass Google Security Measures

ThreatFabric reported the apps to Google and they have since been removed from the Play Store and deactivated on all devices on which they were installed. But the real problem is how hackers managed to inject malware into applications at all.

Usually, the Play Store detects and removes applications with suspicious code. However, in these cases, the malware was not shipped in the initial download but was included in a later update that users had to install for the application to keep working. Using this method, developers can submit their apps without triggering Google’s detection system. And because the apps work as intended, users are unlikely to notice anything amiss. There were, however, several clear indications that the updates in question were problematic: they might request accessibility service privileges or force users to download additional software.

How to protect your Android device from malware

There are several things you can do to protect your devices and data from these malicious apps. First, always pay attention to the permissions the app is asking for, not only the first time you install it, but every time you launch or update it. Uninstall the app and report it if anything seems suspicious or unnecessary. For example, there is no reason a QR code scanner needs access to your accessibility services.

Likewise, only install updates directly from the Google Play Store. If an app says it suddenly needs an update, but you don’t see that update in the Play Store’s app list, it may not be a legitimate patch. The same goes for random download requests for additional apps: it is only safe to download unpublished apps when you yourself download the APK file from trusted sources like APK Mirror or the XDA Dev forums. And don’t forget to check the app thoroughly before downloading, even if it’s on Google Play, as hackers can fake the legitimacy of an app through misleading reviews.
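As an added defender-side example (not code from the article or the ThreatFabric report), the following Python script audits the two indicators the advice above describes using constructed adb output: packages installed by something other than the Play Store, and packages that have been granted an accessibility service. The adb command names, their output formats, and the allow-list of trusted accessibility packages are assumptions.

```python
"""Audit a device for the dropper indicators described above.

Constructed sample output of two adb commands (assumed formats):
  adb shell pm list packages -i
      -> "package:<pkg>  installer=<installer pkg or null>"
  adb shell settings get secure enabled_accessibility_services
      -> colon-separated "<pkg>/<ServiceClass>" entries
"""
import re

PLAY_STORE = "com.android.vending"
# Packages that legitimately need accessibility (constructed allow-list).
TRUSTED_A11Y = {"com.google.android.marvin.talkback"}

PM_LIST_SAMPLE = """package:com.android.chrome  installer=com.android.vending
package:com.example.qrscanner  installer=com.android.vending
package:com.example.qrscanner.update  installer=com.example.qrscanner
package:com.google.android.marvin.talkback  installer=null
package:com.example.pdfreader  installer=com.android.packageinstaller
"""

A11Y_SAMPLE = ("com.google.android.marvin.talkback/.TalkBackService:"
               "com.example.qrscanner/.AccessibilityHelper")


def parse_installers(pm_output):
    """Map package name -> installer package from 'pm list packages -i'."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers


def parse_a11y(setting):
    """Return the set of packages with an enabled accessibility service."""
    return {entry.split("/")[0] for entry in setting.split(":") if entry.strip()}


def audit(pm_output, a11y_setting):
    """Return sorted (package, reason) findings for the two indicators."""
    installers = parse_installers(pm_output)
    findings = []
    for pkg, installer in installers.items():
        # 'null' means preinstalled (system image); anything else that is not
        # the Play Store was sideloaded, e.g. by another app or manually.
        if installer not in (PLAY_STORE, "null"):
            findings.append((pkg, f"sideloaded via {installer}"))
    for pkg in sorted(parse_a11y(a11y_setting) - TRUSTED_A11Y):
        findings.append((pkg, "accessibility service enabled"))
    return sorted(findings)


if __name__ == "__main__":
    for pkg, why in audit(PM_LIST_SAMPLE, A11Y_SAMPLE):
        print(f"{pkg}: {why}")
```

On a real device, replace the constructed samples with the output of the two adb commands and review each finding; a QR scanner that both installed a second package and holds an accessibility service is exactly the pattern the report describes.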

While these strategies are not guaranteed to prevent all malware attacks, if you combine them with other cybersecurity practices, such as unique passwords protected by an encrypted password manager, two-factor authentication logins, and a strong antivirus application, you’ll be much better protected from intruders and bad apps in the future.

[ZDNet]
