Two such Android apps have recently been spotted on the Google Play Store by security researchers with the Trend Micro malware research team, infecting thousands of Android users who have already downloaded them with banking malware.
The apps in question masquerade as a currency exchange app called Currency Converter and battery saver app called BatterySaverMobi, and are using motion-sensor inputs of infected Android devices to monitor them before installing a dangerous banking Trojan called Anubis.
The malicious Android apps, with a large number of fake five-star reviews, use this clever trick instead of traditional evasion techniques in order to avoid detection when researchers run emulators (which are less likely to use sensors) to detect such malicious apps.
"As a user moves, their device usually generates some amount of motion sensor data. The malware developer is assuming that the sandbox for scanning malware is an emulator with no motion sensors, and as such will not create that type of data," the researchers explain in a blog post published Thursday.
"If that is the case, the developer can determine if the app is running in a sandbox environment by simply checking for sensor data."
Once downloaded, the malicious app uses the infected device's motion sensor to detect whether or not the user or the device is moving. If both the device and user are still, the malicious code will not run.
As soon as it detects the sensor data, the app runs the malicious code and then tries to trick the victims into downloading and installing the malicious Anubis payload APK with a bogus system update, masquerading as a "stable version of Android."
Not Just Motion Detection...There's More
If the user approves the fake system update, the in-built malware dropper uses requests and responses over legitimate services including Twitter and Telegram to connect to its required command and control (C&C) server and downloads the Anubis banking Trojan on the infected device.
"One of the ways the app developers hide the malicious server is by encoding it in Telegram and Twitter web page requests. The bank malware dropper will request Telegram or Twitter after it trusts the running device," the researchers explain.
"Then, it registers with the C&C server and checks for commands with an HTTP POST request. If the server responds to the app with an APK command and attaches the download URL, then the Anubis payload will be dropped in the background."
Once compromised, the Anubis banking Trojan obtains users' baking account credentials either by using a built-in keylogger or by taking screenshots of the users' screen when they insert credentials into any banking app.
🔐 Mastering API Security: Understanding Your True Attack Surface
Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!Join the Session
Usually, banking Trojans launch a fake overlay screen on the top of bank account login pages to steal banking credentials.
According to the Trend Micro researchers, the latest version of Anubis has been distributed to 93 different countries and targets users of at least 377 variations of financial apps to extract bank account details.
The banking Trojan also has the ability to gain access to contact lists and location, send spam messages to contacts, call numbers from the device, record audio, and alter external storage.
Google has since removed the two malicious apps from its Play Store. Although it is a never-ending concern, the best way to protect yourself from such malware is to always be vigilant when downloading applications even from Google's official Play store.
Most importantly, be careful which apps you give administrative rights to, as it is a powerful permission that can provide full control of your device.