Malicious Android Apps Use Motion Sensor to avoid detection

Filed under Security Alerts.

Despite Google's efforts to keep malware out of the Play Store, shady apps still manage to slip past its anti-malware checks and reach Android users through the official store.

Security researchers on Trend Micro's malware research team recently spotted two such apps on the Google Play Store; the thousands of users who had already downloaded them were exposed to banking malware.

The apps in question masquerade as a currency exchange app called Currency Converter and a battery saver app called BatterySaverMobi. Both read the motion sensors of the device they land on and use those readings to decide whether to go ahead and install a banking Trojan called Anubis.

The apps, padded with a large number of fake five-star reviews, rely on this trick rather than conventional evasion techniques. Researchers typically analyse suspicious apps in emulators, which rarely produce realistic sensor data, so the check lets the malware stay dormant while it is being examined.

“As a user moves, their device usually generates some amount of motion sensor data. The malware developer is assuming that the sandbox for scanning malware is an emulator with no motion sensors, and as such will not create that type of data,” the researchers explain in a blog post published Thursday.

“If that is the case, the developer can determine if the app is running in a sandbox environment by simply checking for sensor data.”

Once installed and launched, the app reads the device's motion sensor to determine whether the device, and by extension its user, is moving. If no motion is detected, the malicious code does not run.

As soon as sensor data arrives, the app proceeds with its malicious code and tries to trick the victim into downloading and installing the Anubis payload APK, presenting it as a bogus system update labelled a "stable version of Android."
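The gate described above, modelled in Python as an added example (this is not Trend Micro's code and not the dropper's; the exact thresholds are an assumption, since the report only says the dropper checks for sensor data). `looks_like_real_device` plays the dropper's role over a constructed accelerometer feed: an emulator that reports nothing or a fixed gravity vector fails it, a hand-held phone passes. `synthetic_feed` shows the obvious sandbox countermeasure: feed the app plausible jittery readings so the gate opens and the dropper reveals its next stage.

```python
import math
import random
import statistics
from typing import List, Sequence, Tuple

# One accelerometer reading: (x, y, z) in m/s^2, the shape Android's
# TYPE_ACCELEROMETER delivers to a SensorEventListener.
Sample = Tuple[float, float, float]
GRAVITY = 9.81


def magnitude(s: Sample) -> float:
    return math.sqrt(s[0] ** 2 + s[1] ** 2 + s[2] ** 2)


def looks_like_real_device(samples: Sequence[Sample],
                           min_samples: int = 20,
                           min_stddev: float = 0.05) -> bool:
    """Model of the dropper's gate: proceed only if the sensor feed shows life.

    Thresholds are assumptions for this example. The gate returns False when the
    feed is empty, too short, or effectively constant: an emulator with no
    accelerometer delivers nothing, one that fakes a fixed gravity vector
    delivers a constant magnitude. A phone in someone's hand jitters by more.
    """
    if len(samples) < min_samples:
        return False
    mags = [magnitude(s) for s in samples]
    return statistics.pstdev(mags) >= min_stddev


def emulator_feed(n: int) -> List[Sample]:
    """What a bare emulator tends to report: a fixed gravity vector (or nothing)."""
    return [(0.0, 0.0, GRAVITY)] * n


def synthetic_feed(n: int, seed: int = 1) -> List[Sample]:
    """Sandbox countermeasure: inject plausible hand-held readings so the gate opens.

    Constructed data: a slow tilt drift plus Gaussian noise on each axis.
    """
    rng = random.Random(seed)
    feed = []
    for i in range(n):
        tilt = 0.3 * math.sin(i / 7.0)
        feed.append((rng.gauss(tilt, 0.15),
                     rng.gauss(0.0, 0.15),
                     rng.gauss(GRAVITY, 0.2)))
    return feed


if __name__ == "__main__":
    print("empty feed ->", looks_like_real_device([]))                 # False
    print("emulator   ->", looks_like_real_device(emulator_feed(50)))   # False
    print("synthetic  ->", looks_like_real_device(synthetic_feed(50)))  # True
```

The practical takeaway for an analysis pipeline is the second half: an emulator image that exposes a virtual accelerometer with realistic noise (the Android emulator's sensor console can be scripted to do this) defeats the check, so sensor presence alone should never be the reason a sandbox verdict comes back clean.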

Not Just Motion Detection

If the user approves the fake system update, the built-in dropper uses requests to legitimate services, including Twitter and Telegram, to locate its command-and-control (C&C) server, and then downloads the Anubis banking Trojan onto the device.

“One of the ways the app developers hide the malicious server is by encoding it in Telegram and Twitter web page requests. The bank malware dropper will request Telegram or Twitter after it trusts the running device,” the researchers explain.

“Then, it registers with the C&C server and checks for commands with an HTTP POST request. If the server responds to the app with an APK command and attaches the download URL, then the Anubis payload will be dropped in the background.”
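A hunt for the sequence the researchers describe (dead-drop page fetch, then a POST to an unrelated host, then an APK download) over web proxy logs. This is an added example, not code from Trend Micro or from the dropper. The log format is a constructed, simplified one (timestamp, client, method, host, path, response content-type), the sample lines are invented, the 203.0.113.0/24 addresses are documentation space, and the ten-minute window is an assumption; no real Anubis infrastructure is reproduced here.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple

# Hosts the dropper is described as using as a dead drop for the real C&C address.
DEAD_DROP_HOSTS = {"t.me", "telegram.me", "twitter.com", "mobile.twitter.com"}
APK_MIME = "application/vnd.android.package-archive"
WINDOW = timedelta(minutes=10)  # assumption: the three steps happen close together


class Entry(NamedTuple):
    ts: datetime
    client: str
    method: str
    host: str
    path: str
    ctype: str


def parse_line(line: str) -> Entry:
    """Parse one line of the constructed log format:
    <ISO timestamp> <client ip> <method> <host> <path> <response content-type>"""
    ts, client, method, host, path, ctype = line.split()
    return Entry(datetime.fromisoformat(ts), client, method.upper(),
                 host.lower(), path, ctype.lower())


def find_dropper_chains(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (client, dead_drop_host, c2_host, apk_url) for each client whose
    traffic shows: GET to a dead-drop host, then a POST to some other host
    (registration / command poll), then an APK download, all within WINDOW
    of the first request."""
    by_client: Dict[str, List[Entry]] = defaultdict(list)
    for line in lines:
        if line.strip():
            e = parse_line(line)
            by_client[e.client].append(e)

    hits: List[Tuple[str, str, str, str]] = []
    for client, entries in by_client.items():
        entries.sort(key=lambda e: e.ts)
        for i, dd in enumerate(entries):
            if dd.method != "GET" or dd.host not in DEAD_DROP_HOSTS:
                continue
            for j in range(i + 1, len(entries)):
                post = entries[j]
                if post.ts - dd.ts > WINDOW:
                    break
                if post.method != "POST" or post.host in DEAD_DROP_HOSTS:
                    continue
                for k in range(j + 1, len(entries)):
                    dl = entries[k]
                    if dl.ts - dd.ts > WINDOW:
                        break
                    is_apk = dl.ctype == APK_MIME or dl.path.lower().endswith(".apk")
                    if dl.method == "GET" and is_apk:
                        hit = (client, dd.host, post.host, dl.host + dl.path)
                        if hit not in hits:
                            hits.append(hit)
    return hits


# Constructed sample log: only 10.0.0.5 shows the full chain.
SAMPLE_LOG = """
2019-01-17T10:00:01 10.0.0.5 GET t.me /s/exampleChannel text/html
2019-01-17T10:00:04 10.0.0.5 POST 203.0.113.10 /register text/plain
2019-01-17T10:00:09 10.0.0.5 GET 203.0.113.10 /update/Android-Stable.apk application/vnd.android.package-archive
2019-01-17T10:00:20 10.0.0.7 GET twitter.com /exampleAccount text/html
2019-01-17T10:00:25 10.0.0.7 GET cdn.example.org /img/logo.png image/png
2019-01-17T10:05:00 10.0.0.9 POST api.example.com /v1/events application/json
""".strip().splitlines()


if __name__ == "__main__":
    for hit in find_dropper_chains(SAMPLE_LOG):
        print("dropper chain:", hit)
```

Fetching Twitter or Telegram pages is ordinary traffic, so the first two steps alone are noisy; the APK fetched from an arbitrary host is what makes the chain worth a ticket, since Play Store installs arrive via Google's hosts rather than a raw URL handed out in a POST response.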

Once installed, the Anubis banking Trojan captures users' banking credentials either with a built-in keylogger or by taking screenshots while the user enters credentials into a banking app.

More commonly, banking Trojans steal credentials by drawing a fake overlay on top of the legitimate banking app's login screen.

According to the Trend Micro researchers, the latest version of Anubis has been seen in 93 countries and targets users of at least 377 financial apps to harvest bank account details.

The banking Trojan also has the ability to gain access to contact lists and location, send spam messages to contacts, call numbers from the device, record audio, and alter external storage.

Google has since removed the two malicious apps from the Play Store. The problem is not going away, and the best defence is to stay vigilant when installing apps, even from Google's official store: a large number of glowing reviews and a plausible-sounding name are not evidence that an app is safe.

Most importantly, be careful which apps you grant device administrator rights. That permission gives an app broad control over the device and prevents it from being uninstalled until the admin role is revoked, so review the list of device admin apps in Android's security settings and remove anything you do not recognise.

The information contained in this website is for general information purposes only. The information is gathered from The Hacker News. While we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.