Security researchers have discovered a new BankBot Anubis campaign targeting Turkish-speaking mobile users via at least 10 fake apps uploaded to the official Google Play store. These fraudulent apps are actually used to download the mobile banking Trojan and facilitate financial fraud by capturing keystrokes and stealing login credentials.
IBM's X-Force research team found at least 10 malware downloaders in June that infect users with the BankBot Anubis mobile banking Trojan. These malicious downloaders are disguised as online shopping, financial and automotive apps, among others. Each of these apps can fetch over 1000 samples from the attackers' command and control (C&C) servers, researchers said.
Each of those samples also has a distinct MD5 hash.
According to the researchers, these newly spotted BankBot Anubis-linked downloaders could suggest that "the threat actors distributing the malware on Google Play are offering their 'expertise' as a service, spreading malware downloaders for different cybercrime factions that use mobile Trojans to facilitate financial fraud - aka 'downloader-as-a-service.'"
"Such cybercrime services are common in the fraud and malware black markets. They entail a proven ability to infiltrate Google Play and plant malicious downloaders under the guise of benign-looking apps," researchers said. "These services can likely maintain the downloader’s C&C servers long enough to generate a steady stream of new infections, suggesting the thought-out operational security and know-how characteristic of organized cybercrime groups."
However, it is also likely that the latest campaign could just be a specific cybercrime group suddenly favoring Anubis over other banking Trojans like Marcher.
As major app store operators like Google Play and Apple's App Store continue to bolster their security to prevent malware from slipping through, attackers are constantly looking for new ways to bypass these defenses.
Rather than uploading the actual malware to the store and triggering red flags, attackers upload downloaders: small, benign-looking apps that are more likely to pass the store's security checks and scans undetected, and that only fetch the malware once installed on the victim's device.
In the new BankBot Anubis campaign, the downloader apps target Turkish-speaking users while disguised as appealing, legitimate-looking apps. Given their variety and polished style, researchers believe the attackers invested significant resources in them, "suggesting that a cybercrime service, rather than a single cybercrime faction, is likely responsible."
The downloaders themselves slipped past antivirus software and security checks. All but one of the samples were absent from VirusTotal, and the one sample that was present had zero detections by antivirus engines.
Once the downloader is successfully installed, the app fetches BankBot Anubis from one of its C&C servers. The malware is disguised as a "Google Protect" app that prompts the user to grant it accessibility rights.
"BankBot Anubis uses Android’s Accessibility services to perform keylogging as a way to obtain the infected user’s credentials when he or she accesses a targeted mobile banking app," researchers said. "By keylogging the user’s login information, the attacker can steal credentials from any app while avoiding the need to create custom overlays for each target. This malware is also able to take screen captures of the user’s screen, which it likely uses to steal credentials since the keyboard strokes are visible."
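Because the whole attack hinges on the victim granting accessibility rights, a defender's first question is which apps on a device currently hold that capability. The following is an added example, not IBM X-Force's code and not part of the original report: it parses the value Android stores in the secure setting `enabled_accessibility_services` (a colon-separated list of flattened component names, as returned by `adb shell settings get secure enabled_accessibility_services`) and flags any service whose package is not on an allowlist. The sample setting value, the package names in it and the allowlist are all constructed for the example; replace the allowlist with the packages your organisation actually sanctions.

```python
"""Audit which Android accessibility services are enabled on a device.

Added example (not the article's or IBM X-Force's code). BankBot Anubis
abuses Accessibility services for keylogging, so the set of apps that
currently hold that capability is worth checking. On a real device the
raw value comes from:
    adb shell settings get secure enabled_accessibility_services
Here a constructed sample string stands in for it so the script runs
offline. The allowlist is an assumption for the example.
"""
import subprocess
from typing import List, Set, Tuple

# Constructed sample of the setting's value: colon-separated flattened
# ComponentNames ("package/class"; a class beginning with '.' is relative
# to the package). The second entry is an invented suspicious package.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.looks.legit/.AccessibilityKeylogService"
)

# Assumed allowlist of packages permitted to run accessibility services.
ALLOWED_PACKAGES: Set[str] = {"com.google.android.marvin.talkback"}


def parse_enabled_services(raw: str) -> List[Tuple[str, str]]:
    """Parse the setting into (package, fully qualified class) pairs.

    `settings get` prints "null" when the setting is unset, so that and
    empty items are skipped.
    """
    services = []
    for item in raw.strip().split(":"):
        if not item or item == "null":
            continue
        pkg, _, cls = item.partition("/")
        if cls.startswith("."):
            cls = pkg + cls  # expand the shorthand relative class name
        services.append((pkg, cls))
    return services


def find_unexpected(raw: str, allowed: Set[str] = ALLOWED_PACKAGES) -> List[Tuple[str, str]]:
    """Return every enabled service whose package is not allowlisted."""
    return [svc for svc in parse_enabled_services(raw) if svc[0] not in allowed]


def read_from_device() -> str:
    """Fetch the live value over adb (needs a connected, authorised device)."""
    out = subprocess.run(
        ["adb", "shell", "settings", "get", "secure", "enabled_accessibility_services"],
        capture_output=True, text=True, check=True,
    )
    return out.stdout


if __name__ == "__main__":
    # Swap SAMPLE_SETTING for read_from_device() to audit a real device.
    for pkg, cls in find_unexpected(SAMPLE_SETTING):
        print(f"unexpected accessibility service enabled: {pkg} ({cls})")
```

An allowlist of packages rather than of full class names keeps the check stable across app updates that rename a service class; an unexpected package is the signal that deserves a closer look at the app, its installer and what it requested.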
Although the current campaign seems to be primarily targeting Turkish users, BankBot Anubis has been leveraged in other botnets and configurations to target users in other countries like the US, UK, Canada, Australia, Germany, India, France and Japan.
"When it comes to maximizing the results of infection campaigns, mobile malware operators consider official app stores to be the holy grail," researchers said. "Getting a malicious app into an official store yields greater exposure to more potential victims, a cheap distribution channel and user trust."
IBM X-Force has reported the malicious apps to Google for removal.