One major difference between Android OS by Google and iOS by Apple, is the fact that Android is Open Source operating system, why iOS is not. By open source, it means anybody within the ecosystem can contribute towards the development of the operating system (OS), mostly inderectly, through application developments.
Unfortunately, not all app developers within the Android ecosystem have good integrity; while some developers put in efforts to offer well optimized applications to users within the ecosystem, some selfish developers are seeking ways to exploit users within same ecosystem.
Google on it end, has put up different measures to restrict the presence of this developers within the Android ecosystem, at least, Google has put up extensive verification method and checks, to ensuring that such apps that exploit users does not make it ways to the official Google Android Play store.
But overtime, we’ve seen dubious developers beating and tricking Google into believing that their apps are safe, but the contrary, leading to bad apps making it to Google app Store. But again, all credits to Google for always responding quickly to researchers and other developers report concerning malicious apps on the play store.
Today, we are presenting to our readers in a caution, of 29 malicious Android apps that is capable of practically stealing money from your bank account. These apps belong to the category of sophisticated mobile banking malware with complex functionality and a heavy focus on stealth.
As mentioned above, the 29 malicious apps have all been removed from the official Android store in the meantime after ESET and fellow researchers notified Google of their malicious nature. But unfortunately, before the 29 apps were pulled from Google play store, a total of about 30,000 Android users had already installed the apps. So it is important to go through the list below, and ensure to remove such apps from your Android enabled smartphone ASAP.
How Does These Apps Operates?
Once launched, the apps either display an error claiming they have been removed due to incompatibility with the victim’s device and then proceed to hide themselves from the victim’s view, or deliver the promised functionality – such as displaying horoscopes.
Regardless of which of the preceding activities one of these apps displays, the main malicious functionality is hidden in an encrypted payload located in each app’s assets. This payload is encoded using base64 and then encrypted with an RC4 cipher using a hardcoded key. The first stage of the malware’s activity is a dropper that initially checks for the presence of an emulator or a sandbox. If these checks fail, it then decrypts and drops a loader, and a payload that contains the actual banking malware. Some of the apps we analyzed contained more than one stage of such encrypted payloads.
The functionality of the final payload is to impersonate banking apps installed on the victim’s device, intercept and send SMS messages, and download and install additional applications of the operator’s choice. The most significant feature is that the malware can dynamically impersonate any app installed on a compromised device. This is achieved by obtaining the HTML code of the apps installed on the device and using that code to overlay legitimate apps with bogus forms once the legitimate apps are launched, giving the victim very little chance to notice something is amiss.
How to stay safe
Fortunately, these particular banking Trojans (the full list can be found in the IoCs section) do not employ advanced tricks to ensure their persistence on affected devices. Therefore, if you suspect you have installed any of these apps, you can simply uninstall them under Settings > (General) > Application manager/Apps.
We also advise you to check your bank account for suspicious transactions and consider changing your internet banking password/PIN code.
To avoid falling victim to banking malware, we recommend that you:
- Only download apps from Google Play; this does not ensure the app is not malicious, but apps like these are much more common on third-party app stores, where they are rarely removed once uncovered, unlike on Google Play
- Make sure to check the number of downloads, app ratings and the content of reviews before downloading apps from Google Play
- Pay attention to what permissions you grant to the apps you install
- Keep your Android device updated and use a reliable mobile security solution; ESET products detect and block this threat as Android/TrojanDropper.Agent.CIQ.
Indicators of Compromise (IoCs)
App name | Package name | Hash | Installs |
---|---|---|---|
Power Manager | com.puredevlab.powermanager | 7C13ADEFC2CABD85AD8F486C3CBDB6379811A097 | 10+ |
Astro Plus | com.astro.plus | 24D2ED751A33BD965A01FA87D7A187D14D0B0849 | 0+ |
Master Cleaner – CPU Booster | bnb.massclean.boost | 101DA4333A26BC6D9DFEF6605E5D8D10206C0EB4 | 5,000+ |
Master Clean – Power Booster | mc.boostpower.lf | E5DC8D4664167D61E5B4D83597965253A8B4CB3B | 100+ |
Super Boost Cleaner | cpu.cleanpti.clo | 33D59A70363857A0CE6857D201B764EF3E8194DD | 500+ |
Super Fast Cleaner | super.dupclean.com | E125AC53050CAFA5A930B210C8168EA9ED0FD6F1 | 500+ |
Daily Horoscope For All Zodiac Signs | ui.astrohoro.t2018 | C3C45A7B3D3D2CB73A40C25BD4E83C9DA14F2DEA | 100 + |
Daily Horoscope Free – Horoscope Compatibility | com.horochart.uk | CD5817AB3C2E4AE6A18F239BDD51E0CC9D7F6E25 | 500+ |
Phone Booster – Clean Master | ghl.phoneboost.com | 9834B40401D76473D496E73884947D8A9F1920B3 | 1,000+ |
Speed Cleaner – CPU Cooler | speeeed.cool.fh | 7626646C5C6D2C94B9D541BD5A0F320421903277 | 100+ |
Ultra Phone Booster | ult.boostphone.pb | 6156081484663085B4FC5DEAEBF7DA079DD655C3 | 1,000+ |
Free Daily Horoscope 2019 | fr.dayy.horos | 4E7F12F07D052E7D1EFD21CD323D8BAD9A79933B | 50+ |
Free Daily Horoscope Plus – Astrology Online | com.dailyhoroscope.free | c0be22c44e5540322e0ffbf3a6fe18ce0968d3b5 | 1,000+ |
Phone Power Booster | pwr.boost.pro | FCB8E568145AF2B6D8D29C0484417E51DD25717F | 1,000+ |
Ultra Cleaner – Power Boost | ua.cleanpower.boost | CB37C8C44750874BA61F6F95E7A7C29073CB51DC | 50+ |
Master Cleaner – CPU Booster | bnm.massclean.boost | 63E1C18D87F41ABF9956FC035D29D3C2890453EE | 5,000+ |
Daily Horoscope – Astrological Forecast | gmd.horobest.ty | 90f41c64b3ab3f3b43e9d14b52f13143afb643da | 1,000+ |
Speed Cleaner – CPU Cooler | speeeed.cool.gh | 56be07b21c9992a45c3b44b2e8a26b928e8238e2 | 0+ |
Horoscope 2018 | com.horo2018i.up | c8dc0e94f38556cd83ca6a693fa5b6d7ae3957f7 | 1,000+ |
Meu Horóscopo | my.horoscop.br | 92808ca526f8e655d8fa8716ab476be4041cd505 | 1,000+ |
Master Clean – Power Booster | mc.boostpower.cf | ab88a93b0e919e5e07cf867f4165f78aa77dc403 | 50+ |
Boost Your Phone | boost.your.phone | 5577c9131f026d549a38e3ce48c04a323475927e | 1,000+ |
Phone Cleaner – Booster, Optimizer | phone.boost.glh | 988AB351549FEB2C1C664A29B021E98E3695A18A | 1,000+ |
Clean Master Pro Booster 2018 | pro.cleanermaster.iz | b9d32241d169dfd4ca5674dffa357796b200bc2f | 10+ |
Clean Master – Booster Pro | bl.masterbooster.pro | bcb9ef41fea8878eb10f4189dd55bfe1d03a64b3 | 5,000+ |
BoostFX. Android cleaner | fx.acleaner.e2018 | 99bff493d201d42534eec9996fd0819a | 50+ |
Daily Horoscope | day.horocom.ww | 971a0cf208f99c259966b20aa10380c1 | 1,000+ |
Daily Horoscope | com.dayhoroscope.en | 25e95b32832a491108835b382c4f14aa | 1,000+ |
Personal Horoscope | horo.glue.zodnow | 0dcaf426bbc3b484aa4004f5c8e48a19 |