Android is one of the most vulnerable mobile operating systems. This is because hackers develop new Android malware and banking trojans every 17 seconds. Then, there is Google and its questionable security measures to protect users from sophisticated and persistent malware attacks.
Recently, Lukas Stefanko, an IT security researcher at ESET, discovered a nasty banking trojan targeting unsuspecting Android users on the Play Store. The trojan was downloaded and installed by over 10,000 users and has so far stolen more than €10,000 (£8,916 – $11,730).
According to Stefanko’s analysis, the trojan was capable of bypassing SMS two-factor authentication (2FA) and targeted banks and users in Germany, Poland, and the Czech Republic.
One of the malicious apps that Stefanko found was QRecorder, an app claiming to record incoming and outgoing calls on the device. In reality, “it would request the user to allow it to draw over other apps as necessary functionality for the app to work properly. However, this functionality helps the malware to control what is displayed to the user,” Stefanko noted.
Upon gaining access, the trojan would collect data and, within 24 hours, send it to the command and control (C&C) center operated by the attackers. Stefanko further found that the attackers were using Firebase messages to interact with the targeted device. Moreover, upon identifying a banking app on the device, the trojan would download a payload after asking the user to enable “Accessibility Service.”
“Once the payload is downloaded, it sets triggers for legitimate banking apps,” wrote Stefanko. “If one of the targeted apps is launched, it would create a similar-looking activity that overlays the official app, demanding credentials.”
What makes this trojan special is that the attackers created different payloads for different banking apps. However, at the time of publishing this article, the malicious QRecorder app had been removed from the Play Store.
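A defender-side triage check for the capability combination described above (screen overlay, an accessibility service, and SMS access), as an added example that is not from the original article or from ESET's analysis. It assumes the app's manifest has already been decoded to text XML; the sample manifest, its package name, and the mapping of the article's behaviours to Android manifest permissions are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping of the behaviours in the article to manifest markers.
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"         # "draw over other apps"
A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"     # accessibility service
SMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}  # SMS 2FA codes


def triage_manifest(manifest_xml):
    """Return which overlay-trojan traits a decoded AndroidManifest.xml declares."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    findings = []
    if OVERLAY in requested:
        findings.append("overlay")
    # An accessibility service is a <service> protected by BIND_ACCESSIBILITY_SERVICE.
    if any(s.get(ANDROID + "permission") == A11Y for s in root.iter("service")):
        findings.append("accessibility")
    if requested & SMS:
        findings.append("sms")
    return findings


def is_high_risk(findings):
    # Overlay alone is common in benign apps; flag it only when combined
    # with accessibility or SMS access, which a call recorder does not need.
    return "overlay" in findings and len(findings) >= 2


# Constructed sample manifest for a hypothetical call-recorder app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.callrecorder">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    found = triage_manifest(SAMPLE_MANIFEST)
    print(found, "REVIEW" if is_high_risk(found) else "ok")
```

A hit is a reason to review the app manually, not proof of malice, since a payload downloaded after installation will not appear in the original manifest.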
This article was originally posted on Hackread