Official App Stores are Criminals’ Holy Grail – Banking Malware Being Dropped Through Benign-Looking Apps


Criminals are actively trying to sneak malicious apps into the official Google Play Store that serve banking malware to Android users. The Android banking malware is designed to steal login credentials for banking apps, wallets and payment cards.

Security researchers at IBM X-Force report that "downloader apps are being used as the first step in an infection routine that fetches the Marcher (aka Marcher ExoBot) and BankBot Anubis mobile banking Trojans." Users who install these apps end up being a target of financial fraud.

As Google works to strengthen Play Store's security mechanisms, attackers come up with strategies to deliver Android banking malware through bogus apps.

This isn't necessarily a flaw in the security of the Play Store or the App Store; attackers are mimicking PC-era strategies in which the malware is not delivered directly but through a benign, non-malicious-looking vector.

In general, a downloader app is more likely to survive security checks and recurring scans, and once it lands on a user’s device, it can fetch the intended malware app. As the Chinese general Sun Tzu wrote in “The Art of War,” “The greatest victory is that which requires no battle."
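Added here as an illustration (not code from IBM X-Force or the article): a small static triage check a reviewer can run over decoded Android manifests to surface apps with the two ingredients a first-stage downloader needs, network access plus the REQUEST_INSTALL_PACKAGES permission that an app must hold on Android 8+ to launch installs of an APK it fetched. The package names and manifests below are constructed samples.

```python
# Added example, not part of the IBM report or this article: flag manifests
# that declare both INTERNET and REQUEST_INSTALL_PACKAGES, a cheap heuristic
# for "downloader" apps that fetch and install a second-stage APK.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"
NETWORK_PERM = "android.permission.INTERNET"


def triage_manifest(manifest_xml: str) -> dict:
    """Return dropper-capability indicators found in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    can_install = INSTALL_PERM in perms
    has_network = NETWORK_PERM in perms
    return {
        "package": root.get("package"),
        "can_install_packages": can_install,
        "has_network": has_network,
        # Both together is what a first-stage downloader needs; neither alone is suspicious.
        "dropper_capable": can_install and has_network,
    }


# Constructed sample: a "shopping" app whose manifest asks for install rights.
DROPPER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.shopdeals">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="Shop Deals"/>
</manifest>"""

# Constructed sample: an ordinary networked app with no install capability.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Weather"/>
</manifest>"""

if __name__ == "__main__":
    for m in (DROPPER_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(m))
```

A hit only means the app can install packages, so it is a queue for manual review, not a verdict.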

As for how to spot these apps, it's not an easy feat. The researchers wrote that the apps used to deliver Android banking malware come in all shapes and forms: from online shopping apps to financial services and automotive apps, they span many categories and carry different visual styles so that they look both legitimate and enticing.

This particular wave is targeting users in Turkey. However, similar campaigns have been spotted around the world, from Canada to Germany to Azerbaijan and Australia.

"Our research team suspects a cybercrime group operating in Turkey is behind this particular BankBot Anubis campaign," Limor Kessem, executive security advisor at IBM Security said. "The downloaders themselves can also potentially be a cybercrime service offering distribution via Google Play."

The variety of apps and styles indicates a large investment of resources on the part of the campaign’s operators, suggesting that a cybercrime service, rather than a single cybercrime faction, is likely responsible.

These campaigns turn out to be more successful because they use the official stores to deliver malware. Users place more trust in apps downloaded through the official platforms, which is why mobile malware operators consider "official app stores to be the holy grail": they give their malicious apps far more exposure.

Tens of thousands of people ended up downloading malicious apps in this specific campaign. However, it is unclear how many were actually affected by the Android banking malware through these downloader apps.

- Relevant: The Murky World of “Unknown Sources” Accounts for Majority of Android Malware Installations

Source: IBM | Image: 9to5Google