Dangerous BankBot Malware Resurfaces in Google Play Store

A gaming app on the Google Play Store was exposed to have a BankBot Trojan.

Another gaming application containing the notorious Android Trojan “BankBot” was found on the Google Play Store this week. Thousands of Android users had already downloaded the suspicious game before it was removed from the store.

According to security experts from Eset, a Slovakian security company, the BankBot Trojan was designed to steal credit card details. However, several recent modifications mean that it no longer poses as a banking app; instead, the malicious Trojan is embedded into more conventional gaming apps.

The campaign was uncovered on 4 September when security experts found malicious code attached to a game called “Jewels Star Classic”.

To date, this app has received 5000 downloads.

BankBot has been found in malicious apps before. Just last year, Russian security experts found the Trojan in an app called “Dr Web”. They exposed the app in December 2016 and confirmed in January 2017 that the source code for BankBot had been leaked online.

The leaked source code has led to more evolved Trojans. The modified version can abuse Google’s “Accessibility Services” to hide itself and evade detection on an unsuspecting user’s smartphone or tablet.

Once downloaded, the app functions normally for the first 20 minutes, after which it turns malicious. The 20-minute delay is intended to get the app past Google’s anti-malware security scans.

After 20 minutes, the BankBot Trojan displays a screen prompt asking for permission to enable something called “Google Service”; the prompt can only be dismissed by clicking OK.

After the user is forced to click OK, the app redirects the user to the screen menu, where the activated malware has inserted a new fake button.

The activated malware now gives the hacker access to an array of highly invasive and sensitive functions and data.

In the Eset report, researchers confirmed that granting this access gives a hacker free rein over the user’s device and information to conduct any malicious activity.

With this elevated access, hackers can also install other apps without the user’s knowledge or consent, and can intercept messages.

Previously several BankBot Trojans were found imitating popular banking applications, hoping victims couldn’t spot the fakes and enter their account passwords.

Hackers seem to have now turned their attention to the Google Play Store, where infected apps also asked users to enter their financial details in order to use the app.

Eset researchers warned that once users have entered their credit card details, the hackers have won.

The malware’s other function, intercepting messages, means that hackers could also bypass two-factor authentication, which is often the last line of defense in a scenario like this.

The combination of techniques employed in the latest version of BankBot makes detection extremely difficult and, in turn, makes this latest malware extremely dangerous.
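The two capabilities the article describes, an accessibility service that the app talks the user into enabling and the ability to intercept SMS messages, both leave a trace in an APK’s AndroidManifest.xml. The following is an added example, not code from the article, from Eset or from the malware sample: a small triage script that parses a manifest and flags the combination of a declared accessibility service and SMS permissions in an app whose store category (a game, here) gives it no plausible need for either. The permission and intent names are real Android identifiers; the manifests are constructed for the example, and the scoring heuristic is this editor’s own, not a published detection rule.

```python
import xml.etree.ElementTree as ET

# Real Android manifest namespace; manifest attributes such as android:name live in it.
ANDROID = "{http://schemas.android.com/apk/res/android}"

# Real Android identifiers relevant to the two behaviours described in the article.
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
ACCESSIBILITY_BIND_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"

# Store categories where neither capability has an obvious legitimate use (heuristic).
CATEGORIES_WITHOUT_NEED = {"game", "puzzle", "casual"}

# Constructed sample: a game that also declares an accessibility service called
# "GoogleService" and asks to receive SMS. Not the real BankBot manifest.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.jewelgame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Jewel Game">
    <activity android:name=".MainActivity"/>
    <service android:name=".GoogleService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed sample of an unremarkable game manifest for comparison.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.plaingame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Plain Game">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""


def analyze_manifest(manifest_xml, store_category=None):
    """Return a dict describing accessibility/SMS capabilities found in a manifest.

    store_category is the category the app is listed under (e.g. "game"); when it is
    one where these capabilities are unexpected, the finding is marked for review.
    """
    root = ET.fromstring(manifest_xml)
    permissions = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}

    # A service is an accessibility service if it binds with the accessibility
    # permission or registers the accessibility intent action.
    accessibility_services = []
    for svc in root.iter("service"):
        binds = svc.get(ANDROID + "permission") == ACCESSIBILITY_BIND_PERMISSION
        acts = any(a.get(ANDROID + "name") == ACCESSIBILITY_ACTION for a in svc.iter("action"))
        if binds or acts:
            accessibility_services.append(svc.get(ANDROID + "name"))

    sms = sorted(permissions & SMS_PERMISSIONS)
    findings = []
    if accessibility_services:
        findings.append("declares accessibility service(s): " + ", ".join(accessibility_services))
    if sms:
        findings.append("requests SMS permission(s): " + ", ".join(sms))
    unexpected = (store_category or "").lower() in CATEGORIES_WITHOUT_NEED
    if accessibility_services and sms:
        findings.append("accessibility service combined with SMS access")
    if unexpected and (accessibility_services or sms):
        findings.append("capability has no obvious use for category %r: review" % store_category)

    return {
        "package": root.get("package"),
        "accessibility_services": accessibility_services,
        "sms_permissions": sms,
        "findings": findings,
        # Flag when both capabilities appear, or either appears in a category that has no need.
        "suspicious": bool((accessibility_services and sms) or (unexpected and (accessibility_services or sms))),
    }


if __name__ == "__main__":
    for name, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        report = analyze_manifest(manifest, store_category="game")
        print(name, report["package"], "suspicious" if report["suspicious"] else "clean")
        for f in report["findings"]:
            print("  -", f)
```

On a real APK the manifest is binary-encoded and must first be decoded (for example with apktool or aapt); the script expects the decoded XML. The check is a triage aid only: a declared accessibility service is legitimate in many utility and assistive apps, which is why the heuristic weighs it against the app’s store category rather than treating it as malicious on its own.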

The source of the BankBot Trojan is still unknown, but since the code has been leaked online, several would-be attackers can use and modify it to spawn several different versions.

Android users have been warned to be cautious when downloading apps and to try and verify apps from legitimate sources as far as possible.