Google Play boots fake apps that spy on devices' motion sensor data before dropping Anubis malware

News by Bradley Barth

A fake currency converter and a phony battery utility program are among the latest fraudulent apps to be expunged from Google Play, according to researchers who discovered they were infecting users with a version of the Anubis banking malware family.


Both fraudulent apps employ a crafty technique to determine whether it is safe for them to run their malicious code upon download, Trend Micro reports in an 18 January company blog post. They read the infected device's motion sensor data to determine whether the device is being moved around.

If the data suggests that the device has remained stationary, the app assumes that it may have infected a researcher’s sandbox environment, which does not generate motion sensor data. In that case, it issues a "kill" command to cease its malicious activity.

On the other hand, if the device has been moving around, then the app attempts to trick users into installing a pretend system update that in reality is the Anubis payload.
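The evasion described above relies on a sandbox reporting no motion. As an added, defender-side illustration that is not code from the Trend Micro report, the script below builds a constructed accelerometer trace (gravity plus noise and occasional tilts) and renders it as Android emulator console commands so an analysis sandbox does not look idle; the `adb emu sensor set acceleration x:y:z` command form and the noise parameters are assumptions.

```python
import random
import subprocess
import time

GRAVITY = 9.81  # m/s^2, magnitude a phone lying still reports on one axis


def motion_trace(samples, seed=0, jitter=0.15, tilt_every=20):
    """Constructed accelerometer trace: gravity mostly on the y axis,
    Gaussian jitter on every sample, and a larger tilt every tilt_every
    samples, so the device never looks perfectly stationary."""
    rng = random.Random(seed)
    x, y, z = 0.0, GRAVITY, 0.0
    trace = []
    for i in range(samples):
        if i % tilt_every == 0:
            # simulate the user shifting the phone: move gravity between axes
            x = rng.uniform(-2.0, 2.0)
            z = rng.uniform(-2.0, 2.0)
            y = (GRAVITY ** 2 - x ** 2 - z ** 2) ** 0.5
        trace.append((x + rng.gauss(0, jitter),
                      y + rng.gauss(0, jitter),
                      z + rng.gauss(0, jitter)))
    return trace


def axis_spread(trace):
    """Max-min per axis; a sandbox-style trace would return (0, 0, 0)."""
    return tuple(max(s[a] for s in trace) - min(s[a] for s in trace)
                 for a in range(3))


def emulator_commands(trace):
    """Render each sample as an emulator console command (assumed syntax)."""
    return ["adb emu sensor set acceleration %.3f:%.3f:%.3f" % s
            for s in trace]


def feed_emulator(trace, interval=0.1, run=subprocess.run):
    """Push the trace into a running emulator at roughly 10 Hz."""
    for cmd in emulator_commands(trace):
        run(cmd.split(), check=False)
        time.sleep(interval)


if __name__ == "__main__":
    feed_emulator(motion_trace(600))
```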

In the blog post, Trend Micro researcher Kevin Sun notes that the battery app, BatterySaverMobi, was downloaded more than 5,000 times before Google was alerted to the program and banished the fake apps. It is not stated how many times the other app, named Currency Converter, was installed.

An analysis of the payload revealed code "strikingly similar" to Anubis samples, Sun says in the report. "And we also saw that it connects to a command and control (C&C) server with the domain aserogeege.space, which is linked to Anubis as well."

Researchers also found 18 other malicious domains that map to the same malicious IP addresses, "and we confirmed that Anubis uses the subpath of these domains," Sun continues. "These domains change IP addresses quite frequently and may have switched six times since October 2018, showing just how active this particular campaign is."

Anubis steals users' account credentials for various apps by secretly recording their keystrokes and taking screenshots of their devices. Trend Micro says this latest version of Anubis has made its way to 93 different countries while targeting 377 variations of financial apps. Additionally, it is capable of collecting contact lists, recording audio, sending SMS messages, making calls and altering external storage.

This article was originally published on SC Media US.
