Dropper apps were disguised as PDF and QR code scanners, as well as fitness apps. Trojan dropper apps have gone unnoticed on Google Play in recent months, amassing over 300,000 downloads and covertly installing malware that collects people’s banking information. As mobile security firm ThreatFabric reveals: “In just four months, four major Android families [Anatsa, Alien, Hydra, and Ermac] have spread through Google Play, causing over 300,000 infections across multiple Android apps.”
The dropper apps were disguised as simple utilities like PDF and QR code scanners, as well as fitness apps. With plenty of installations and positive reviews, the apps looked legitimate and worked as promised, leaving users with little reason to suspect that something was wrong.
The problem is that the apps do not appear to contain malicious code at first. But, as ThreatFabric discovered, the apps “changed their behavior in later versions, adding dropper functionality and a wider range of required permissions.” By then, users already trust the app and are likely to believe that the update is needed to continue using it. In the case of a fitness app, the app disguises the malicious download as an additional training package that the user can install.
The apps also avoid detection by selectively choosing which devices and regions to attack, and when. This helps ensure that the dropper app does not attempt to install malware while it is still undergoing Google Play’s initial review, and may prevent installation in test environments and emulators where it could be detected.
On the device, the malware can collect banking information by recording keystrokes, taking screenshots, and requesting access to the accessibility service so that the malware “has full control over the device and can act on behalf of the victim,” explains ThreatFabric.
While these elaborate tactics make suspicious apps hard to identify, it is still a good rule of thumb to avoid apps from unknown publishers and to know what permissions you grant to the apps you do install. Even access to file storage can be enough to cause damage.
In response, Google referenced an April blog post outlining the steps it has taken to protect its app store, including continuing to reduce developer access to sensitive permissions, Ars Technica reports. The apps in question have either been removed or are under review, ZDNet says.