A Bunch of Malicious Google Play Apps Stole User Banking Info - WIRED

To revist this article, visit My Profile, then View saved stories.

Researchers said they’ve discovered a batch of apps that were downloaded from Google Play more than 300,000 times before the apps were revealed to be banking trojans that surreptitiously siphoned user passwords and two-factor-authentication codes, logged keystrokes, and took screenshots.

They used several tricks to sidestep restrictions Google has devised in an attempt to rein in the unending distribution of fraudulent apps in its official marketplace.

“What makes these Google Play distribution campaigns very difficult to detect from an automation (sandbox) and machine learning perspective is that dropper apps all have a very small malicious footprint,” researchers from mobile security company ThreatFabric wrote in a post.

The apps often required updates to be downloaded from third-party sources, but by then many users had come to trust them.

The process of infection with Anatsa looks like this: upon the start of installation from Google Play, the user is forced to update the app in order to continue using the app.

Asked for comment, a Google spokesperson pointed to this post from April detailing the company’s methods for detecting malicious apps submitted to Play.

Over the past decade, malicious apps have plagued Google Play on a regular basis.

As was the case this time, Google is quick to remove the fraudulent apps once it has been notified of them, but the company has been chronically unable to find thousands of apps that have infiltrated the bazaar and infected thousands or even millions of users.

Steering clear of obscure apps with small user bases can also help, but that tactic would have been ineffective in this case.

The best advice for staying safe from malicious Android apps is to be extremely sparing in installing them.