Last week, security researchers detected a new type of malware disguised as an Android app from Brazil’s Itaú Unibanco on the Google Play Store, designed to carry out fraudulent transactions on compromised devices.
The malicious decoy app was designed so that Itaú Unibanco customers could easily have been tricked into believing it was legitimate. The perpetrators created a fake Google Play Store product page using an icon and a name that imitated the original app.
Furthermore, the attacker’s decoy Google Play Store page hosted an Android trojan under the name sincronizador.apk.
The fake URL not only hosted the malware-ridden APK but also attempted to emulate the legitimate Google Play Store product page by providing apparently accurate information, such as an approximate number of downloads.
Users who took the bait and installed the fake app on their Android devices were prompted to enable accessibility services and to grant the trojan various permissions, including the ability to access notifications, perform tap and swipe gestures, and read on-screen content.
Reportedly, the trojan’s purpose is to perform fraudulent transactions on infected devices using the target customers’ legitimate Itaú Unibanco Android app.
The malware would likely achieve this by replacing data in the users’ input fields with the help of the accessibility services API. Thus, refusing to enable accessibility services when prompted by the trojan would prevent it (at least partially) from compromising the device.
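As an added defender-side example, not code from the original article or from Itaú Unibanco: a Kotlin check that a banking app can run before showing a login or transfer screen, enumerating the enabled accessibility services and flagging any from a package outside a hypothetical allowlist that has the screen-reading or gesture capabilities the trojan requested.

```kotlin
import android.accessibilityservice.AccessibilityServiceInfo
import android.content.Context
import android.view.accessibility.AccessibilityManager

// Hypothetical allowlist: accessibility services the app is willing to coexist with
// (e.g. the platform screen reader). An assumption for this example; a real app
// would maintain its own vetted list.
private val TRUSTED_ACCESSIBILITY_PACKAGES = setOf(
    "com.google.android.marvin.talkback",
)

// One enabled accessibility service that is not on the allowlist, with the two
// capabilities the article describes: reading on-screen content and performing gestures.
data class UntrustedAccessibilityService(
    val packageName: String,
    val serviceId: String,          // "package/ServiceClass" as reported by the system
    val canReadScreen: Boolean,
    val canPerformGestures: Boolean,
)

fun findUntrustedAccessibilityServices(context: Context): List<UntrustedAccessibilityService> {
    val manager = context.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
    return manager
        .getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
        .mapNotNull { info ->
            val pkg = info.resolveInfo?.serviceInfo?.packageName ?: return@mapNotNull null
            if (pkg in TRUSTED_ACCESSIBILITY_PACKAGES) return@mapNotNull null
            val caps = info.capabilities
            UntrustedAccessibilityService(
                packageName = pkg,
                serviceId = info.id,
                canReadScreen = (caps and AccessibilityServiceInfo.CAPABILITY_CAN_RETRIEVE_WINDOW_CONTENT) != 0,
                canPerformGestures = (caps and AccessibilityServiceInfo.CAPABILITY_CAN_PERFORM_GESTURES) != 0,
            )
        }
}

// Called before a sensitive flow. An unknown service that can read the screen or inject
// gestures is what input-field substitution relies on, so the app refuses to continue and
// tells the user which service to review under Settings > Accessibility.
fun sensitiveFlowBlockedBy(context: Context): UntrustedAccessibilityService? =
    findUntrustedAccessibilityServices(context)
        .firstOrNull { it.canReadScreen || it.canPerformGestures }
```

The capability flags reflect what a service declared, so a stricter policy would surface every enabled service outside the allowlist rather than only those with these two capabilities.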
Google is currently rolling out new limitations intended to curb these attacks by preventing certain apps from capturing sensitive information. The company aims to deter abuse of its API by restricting the permissions that would give apps access to critical data on Android systems.
Disguising malware as legitimate apps, in the Google Play Store or otherwise, is not a novel technique used by attackers. In fact, threat actors constantly work on developing sophisticated techniques, such as choosing misleading domain names, or using official icons, logos and fonts, to get users to fall into their traps.
With that in mind, it’s safe to say that users should only rely on official, trusted sources to install their apps, after carefully verifying their authenticity. For instance, using the official Google Play Store app instead of its browser version for installing an app would go a long way in countering this type of cyber-attack.