Banking trojans have once again made their way past Google Play's security mechanisms, this time to target the Polish Financial sector.
The malicious apps made their way into the store disguised as the seemingly benign apps “Crypto Monitor”, a cryptocurrency price tracking app, and “StorySaver”, a third-party tool for downloading stories from Instagram, according to a 11 December ESET security blog post.
“Crypto Monitor”, was uploaded to the store on 25 November of this year under the developer name walltestudio while “StorySaver” appeared on Google Play on 29 November under the developer name kirillsamsonov45. The two apps collectively reached between 1000 and 5000 downloads by 4 December.
The apps delivered the promised functionalities but also displayed fake notifications and login forms which appear to be from legitimate banking applications but are actually just phishing pages harvesting credentials. The malicious apps also intercept text messages to bypass SMS-based 2-factor authentication.
“After the malicious apps are launched, they compare the apps installed on the compromised device against a list of targeted banking apps – in this case, the official apps of fourteen Polish banks (the list of specific banking apps can be found at the end),” the post said.
“If any of the fourteen apps are found on the device, the malware can display fake login forms imitating those of the targeted legitimate apps.”
All of this may happen with or without user interaction. Fortunately, the malware doesn't use any advanced tricks to ensure its persistence on affected devices and can be removed by going to Settings > (General) > Application manager/Apps, searching for either “StorySaver” or “Crypto Monitor” and uninstalling them.
This doesn't however, guarantee that a threat actor hasn't already stolen a user's credentials. Researchers recommend users always check app ratings and reviews, pay attention to what permissions you grant to apps, and use a reputable mobile security solution to detect and block latest threats.