Photo by: iphonedigital via Flickr
An Android banking trojan has returned to the Google Play Store, disguised as a gaming app and pretending to be part of Google services in order to steal sensitive information. Known as Bankbot and unveiled earlier this year, it has now been combined with a gaming app called Jewels Star Classic. Users who download the app receive a fully functional game, but it comes with malicious software hidden inside the app’s resources that steals credit card information. The malware activates 20 minutes after the first execution of the gaming app, indicated by a pop-up labeled “Google Service” that forces the user to press OK.
The malware takes the user to the Android Accessibility menu and displays the list of required permissions. The pop-up is removed only by granting permission to the gaming app, but doing so also allows Bankbot to launch. Bankbot sets itself as the default SMS app and obtains permission to draw over other apps, then steals sensitive information.
“By granting these permissions, the user gives the malware a free hand - almost literally - to carry out any tasks it needs to continue its malicious activity. In this campaign, the crooks have put together a set of techniques with rising popularity among Android malware authors - abusing Android Accessibility service, impersonating Google, and setting a timer delaying the onset of malicious activity to evade Google’s security measures,” stated researchers from ESET in a post.
ESET researchers recommend that users favor official app stores over alternative sources, check the popularity of selected apps, and read the requested permissions before installation to avoid potential exposure to malware attacks.
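The permission combination described above (an enabled accessibility service, default SMS app status, and permission to draw over other apps) can be checked for on a device inventory. The following is an added example, not code from ESET or from the original article. It assumes the inputs are the raw values of the Android secure settings `enabled_accessibility_services` and `sms_default_application` plus a separately collected set of packages allowed to draw overlays; all package names are constructed.

```python
# Added example: flag untrusted apps that hold two or more of the capabilities
# the article describes. All package names and values below are constructed.

def parse_accessibility(raw):
    """Turn the colon-separated 'package/service' list into a set of packages."""
    if not raw or raw.strip() in ("", "null"):
        return set()
    return {c.split("/", 1)[0] for c in raw.strip().split(":") if c}


def audit(accessibility_raw, sms_default, overlay_pkgs, trusted):
    """Return {package: [capabilities]} for packages outside `trusted` that
    combine at least two of: accessibility, default_sms, overlay."""
    caps = {}
    for pkg in parse_accessibility(accessibility_raw):
        caps.setdefault(pkg, []).append("accessibility")
    sms = (sms_default or "").strip()
    if sms and sms != "null":
        caps.setdefault(sms, []).append("default_sms")
    for pkg in overlay_pkgs:
        caps.setdefault(pkg, []).append("overlay")
    return {p: sorted(c) for p, c in caps.items()
            if p not in trusted and len(c) >= 2}


# Constructed sample inventory (assumed to have been collected from a device).
SAMPLE_ACCESSIBILITY = ("com.example.screenreader/.ReaderService:"
                        "com.example.jewelgame/.HelperService")
SAMPLE_SMS_DEFAULT = "com.example.jewelgame\n"
SAMPLE_OVERLAY = {"com.example.jewelgame", "com.example.chatheads"}
TRUSTED = {"com.example.screenreader"}  # hypothetical allowlist

if __name__ == "__main__":
    findings = audit(SAMPLE_ACCESSIBILITY, SAMPLE_SMS_DEFAULT,
                     SAMPLE_OVERLAY, TRUSTED)
    for pkg, held in findings.items():
        print(f"review {pkg}: holds {', '.join(held)}")
```

An app holding only one of the three capabilities, such as the overlay-only chat app in the sample, is not reported.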