Researchers at Trend Micro have discovered two apps on Google Play that drop a malicious payload linked to the Anubis Banking malware.
However, in a new twist, these apps do not employ traditional evasion techniques alone; they also try to use the user's and device's motions to hide their activities.
In a blog, the researchers said the apps pass themselves off as useful tools, dubbed Currency Converter and BatterySaverMobi, and have subsequently been removed from the Play Store by Google.
The battery app was downloaded over 5 000 times before it was taken down, and had a score of 4.5 stars from 73 reviewers. However, upon further scrutiny, the researchers said there were signs the posted reviews may not have been legitimate, with some anonymous usernames being used, while a few review statements were illogical and did not have the necessary detail.
The researchers explained that as a user moves, their device generates a certain amount of motion sensor data. The malware authors assumed the sandbox, which is used to scan for malware, only mimics a normal environment, and therefore has no motion sensors, and will not generate any motion sensor data.
A sandbox is an isolated testing environment or container, in which programs can be run, or files executed, without affecting the system, platform or application they run on in any way.
In that way, the threat actor can determine whether the app is running in a sandbox environment merely by looking for sensor data. "The malicious app monitors the user's steps through the device motion sensor. If it senses the user and the device are not moving, and therefore might be running in a sandbox environment, then the malicious code will not run."
If the malware code runs, the app will then attempt to fool the user into downloading and installing the Anubis banking malware.
Trend Micro says gaps in mobile security can lead to dire consequences for many users because devices not only store a wealth of information, they connect to multiple accounts.
"Users should be wary of any app that asks for banking credentials in particular and be sure they are legitimately linked to their bank," the company notes.
Share