Posted on June 1, 2022 at 10:49 AM
The mobile threat landscape analysis published by ThreatFabric revealed that banking Trojans that target Android devices have increased significantly. The report noted that Turkey and Spain are the centers of most malware campaigns. But the most targeted countries include France, the UK, Germany, Italy, Australia, and Poland.
ThreatFabric stated that the increasing attention paid to On-Device Fraud (ODF) is the most worrying thing about the attacks.
Malware Families On Android OS Have Surged 40%
The first five months of the year have seen a surge of more than 40% in malware families that compromise Android OS to perpetrate fraud. The campaign utilizes the device to carry out the fraud, which makes it very difficult to detect with traditional fraud detection systems.
ERMAC, Octo, Cerberus, FluBot, and Hydra accounted for the most active Trojans, based on the number of samples observed from January.
Apart from the increasing number of infected Android devices, new dropper apps on the Google Play Store have been discovered. Most of them pose as genuine apps that offer utility and productivity services. They present this service as a front while carrying out malware operations in the background, which makes them very dangerous since they cannot be easily detected.
Additionally, hackers are perpetrating on-device fraud as a stealthy method of initiating malicious transactions from victims’ devices. With these new tools, hackers are now using previously stolen credentials to log in to banking apps and carry out unauthorized transactions.
It gets even worse. The threat actors have been observed updating the banking Trojans’ capabilities to make them more evasive. They are now well equipped to steal credentials from overlay screens even before they are submitted.
The Trojan Leverages Android’s Accessibility Service
The goal for the hackers is to get the credentials even when the victims become suspicious and close the overlay without pressing the fake “login” button visible on the overlay page.
Since ERMAC emerged in September last year, it has constantly received updates that enable it to steal seed phrases from a crypto wallet app automatically. The Trojan does this by leveraging Android’s Accessibility Service. This has become a major issue for Android devices in recent times, as hackers take advantage of a genuine API to serve fake overlay screens to unsuspecting users, allowing them to capture sensitive information.
Last year, Google tried to deal with the issue by ensuring that only services built to help people with disabilities access their devices are eligible to declare themselves accessibility tools.
However, the new Android 13 adds even more security measures, although it is currently in beta. It restricts API access for apps, especially those the user has sideloaded from outside an app store. This makes it very difficult for highly dangerous apps to misuse the service.
While ThreatFabric was carrying out its research, the team noted that it managed to bypass the restrictions with only slight tweaks to the installation process. This means hackers can also get through, suggesting the need for a more stringent approach to thwart such threats.
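One practical check that follows from the Accessibility Service abuse and sideloading points above is to list which accessibility services are enabled on a device and flag those whose package did not come from the Play Store. This is an added example, not code from ThreatFabric or the report; the two input strings are constructed to mimic the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`, and the package names in them are made up.

```python
from typing import Dict, List, Optional, Tuple

# Installer package id of the Google Play Store
PLAY_STORE = "com.android.vending"


def parse_enabled_services(raw: str) -> List[Tuple[str, str]]:
    """Split the colon-separated 'package/class' list into (package, class) pairs."""
    out = []
    for entry in raw.strip().split(":"):
        if not entry:
            continue
        pkg, _, cls = entry.partition("/")
        if cls.startswith("."):  # shorthand relative class name, e.g. ".TalkBackService"
            cls = pkg + cls
        out.append((pkg, cls))
    return out


def parse_installers(raw: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer package (None when sideloaded or preinstalled)."""
    installers: Dict[str, Optional[str]] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg, _, rest = line[len("package:"):].partition("installer=")
        installer = rest.strip() or "null"
        installers[pkg.strip()] = None if installer == "null" else installer
    return installers


def suspicious_accessibility_services(services_raw: str, installers_raw: str,
                                      trusted=(PLAY_STORE,)) -> List[dict]:
    """Return enabled accessibility services whose package was not installed by a trusted store.
    Preinstalled system services also report installer=null, so treat hits as review items."""
    installers = parse_installers(installers_raw)
    return [{"package": pkg, "service": cls, "installer": installers.get(pkg)}
            for pkg, cls in parse_enabled_services(services_raw)
            if installers.get(pkg) not in trusted]


# Constructed sample output (package names are hypothetical)
SAMPLE_SERVICES = ("com.google.android.marvin.talkback/.TalkBackService:"
                   "com.example.pdfreader/com.example.pdfreader.AccService")
SAMPLE_INSTALLERS = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.pdfreader  installer=null
"""

if __name__ == "__main__":
    for hit in suspicious_accessibility_services(SAMPLE_SERVICES, SAMPLE_INSTALLERS):
        print(hit)
```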
Users Are Advised To Download Apps Only From Reputable Sources
The researchers recommended that users download apps only from the Google Play Store and avoid granting apps unusual permissions that can expose their device. Some apps request permissions they have no reason to need, for example a calculator asking the user for access to their contact list. Users who come across these types of apps should avoid them completely, the security researchers warned. Additionally, users are advised to be wary of phishing attempts that try to get them to install rogue apps on their devices.
Threat actors have continued to take advantage of the openness of Android OS, even though that openness also serves a good purpose. The researchers stated that despite the restrictions placed on these apps, some of them still find their way onto the devices of unsuspecting users.
Threat actors now use a variety of techniques to carry out mobile fraud, but the most popular ones are repackaging, reverse engineering, mobile banking Trojans, rogue keyboards, and overlay attacks. A threat actor can reverse engineer an app to analyze its code and components. Threat actors can also target mobile banking apps using a Trojan specifically designed for that purpose. This type of attack is one of the oldest, and it is still used rampantly today.