BankBot Manages to Infiltrate Play Store for the Third Time This Year – Lures Victims with Cryptocurrency App

Rafia Shaikh
Android banking trojan google safe browsing bankbot marcher banking trojan

Oh Google! Despite the search giant's continued efforts to host a clean marketplace, its Play Store keeps distributing malicious apps. While you may have disabled Unknown Sources - as you definitely should - Google Play Store remains the best way to get Android apps without having to worry about malware. But even this "best" option is plagued with security problems.

The company continues to deliver security updates and features like the recent Google Play Protect, however, it is yet to make Play Store as clean as Apple's App Store - which itself isn't completely void of these issues. Due to the sheer size of its userbase, Android gets the most criminal attention, resulting in more malware and security issues. Many of these problems come from old malware strains that new campaigns reuse and still manage to bypass Google's protections thanks to rapid modifications.

Related StoryRafia Shaikh
Kronos Banking Trojan Makes a Comeback

For the third time this year, Android banking malware known as BankBot has appeared in the official Play Store. First appearing in April earlier this year, and then in September, the banking trojan is back after somehow managing to bypass Google's security protocols that must have been updated to look out for this new malware.

Security researchers at RiskIQ discovered the latest appearance of BankBot in Google Play store. The malware was disguised as an app called "Crypto currencies market prices," carrying a fake "Verified by Play Protect" to make it look even more legitimate. Considering how the value of cryptocurrencies - especially bitcoin - is skyrocketing gaining more adopters in the recent weeks, the app does a clever job by targeting a niche financial market. After all, BankBot is all about financial data.

What is BankBot and what does it do

Designed to steal banking credentials and payment information, BankBot tricks users into handing over their financial details by using an interface identical to victim's bank's app. In each of its appearances, it has targeted victims of a specific list of banks and retail clients. The malware not only steals login credentials but also demands excessive permissions that enable it to send/receive text messages.

This is an important feature since using this capability, the attackers can get access to text messages if two factor authentication is enabled by a user.

The app in question - Crypto currencies market prices - actually works and offers value comparisons to the user. This is partially how it managed to bypass the vetting process since this isn't a dummy app. Since the app has complete functionality, target user is also less likely to be suspicious of its activities. During installation process, it demands a number of permissions that it needs to overlay fake login screens and steal login information.

Google has said that it has removed the app but it is likely that BankBot would make yet another appearance with modified code and more improvements that will enable to keep bypassing Play Store's protections.

Share this story