A few years ago, it was common to advise Android smartphone users not to download apps and other APKs from outside the Google Play Store. Perfectly sensible advice: Google scans every app in its store, while APKs found on alternative stores and sites are often riddled with malware.
The problem is that attackers now regularly manage to slip past Google's defenses. The latest discovery is the notorious Xenomorph banking trojan, which was hiding in two applications, Todo: Day Manager (com.todo.daymanager) and 経費キーパー (com.setprice.expenses). Both apps have since been removed from the Play Store.
Malware is sometimes also detected on the Play Store
But an article from The Hacker News explains how these rogue applications managed to evade Google Play Protect, the Play Store's built-in antivirus. The attackers' trick is precisely not to publish the malware on the platform at first. Instead, they upload an app that acts as what is known as a "dropper."
In other words, an application that is harmless when first installed but remains capable of downloading and installing malicious code later. Once the user installs the app, it reports back to the operators through a Firebase database. The operators (or a script automating the task) then authorize the start of the second phase.
The application then downloads the Xenomorph banking malware in the background, in pieces hosted on public GitHub repositories. This covers the operators' tracks and complicates attribution. It also lets the application tailor the attack by fetching the code best suited to the device.
Malicious applications are increasingly adopting the "dropper" technique
Once installed, Xenomorph retrieves the address of the attackers' command-and-control (C2) server, which is hidden in the title of a Telegram group chat. The attackers can then send commands to the smartphone, and have thus managed to potentially infect tens of thousands of devices via a "dropper" application published on the Play Store, right under Google's nose.
Xenomorph is a banking trojan to be avoided: it abuses accessibility permissions to steal login credentials from banking apps. Among other things, it can intercept text messages and notifications to capture the one-time codes used for two-factor authentication.
At this stage, protecting yourself against this kind of attack is nearly impossible. We can only recommend reading each app's listing carefully before installing it and refusing excessive permission requests during installation. But these precautions are themselves becoming less and less effective.
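The permission abuse described above (accessibility service, SMS and notification interception, and a dropper's ability to install further packages) can be turned into a simple triage check over a decoded AndroidManifest.xml. The following is an added example, not code from the article or from any of the vendors it names; the two manifests are constructed for illustration, and the risk weights and threshold are assumptions of this example rather than a published scoring scheme.

```python
"""Manifest-permission triage for Android apps (added example, not from the article)."""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Namespace carried by every android:* attribute in AndroidManifest.xml.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions matching the Xenomorph behaviours described above.
# The weights are an assumption of this example, not a published scheme.
HIGH_RISK_WEIGHTS: Dict[str, int] = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": 4,         # accessibility abuse
    "android.permission.RECEIVE_SMS": 3,                        # SMS interception
    "android.permission.READ_SMS": 3,                           # SMS interception
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": 3, # notification interception
    "android.permission.REQUEST_INSTALL_PACKAGES": 3,           # dropper installing a payload
}

# Constructed manifests (hypothetical package names, not the apps named above).
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.todo">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Todo">
        <activity android:name=".MainActivity"/>
        <service android:name=".SyncService"/>
    </application>
</manifest>"""

PAYLOAD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.payload">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="Update">
        <service android:name=".A11yService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
        <service android:name=".NotifService"
            android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    </application>
</manifest>"""


def extract_permissions(manifest_xml: str) -> List[str]:
    """Collect requested permissions plus the permissions that services bind with."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for el in root.iter("uses-permission"):
        name = el.get(ANDROID_NS + "name")
        if name:
            found.add(name)
    # Accessibility and notification-listener services are not requested via
    # <uses-permission>; they declare android:permission on the <service> itself.
    for svc in root.iter("service"):
        perm = svc.get(ANDROID_NS + "permission")
        if perm:
            found.add(perm)
    return sorted(found)


def triage(manifest_xml: str, threshold: int = 7) -> dict:
    """Score a manifest and flag it when the combined weight reaches the threshold."""
    perms = extract_permissions(manifest_xml)
    hits = [p for p in perms if p in HIGH_RISK_WEIGHTS]
    score = sum(HIGH_RISK_WEIGHTS[p] for p in hits)
    return {"permissions": perms, "hits": hits, "score": score, "flag": score >= threshold}


if __name__ == "__main__":
    for label, manifest in (("benign", BENIGN_MANIFEST), ("payload", PAYLOAD_MANIFEST)):
        result = triage(manifest)
        print(f"{label}: score={result['score']} flag={result['flag']} hits={result['hits']}")
```

The threshold matters: a legitimate accessibility tool scores 4 on its own, so a single permission should not raise a flag, whereas the combination of accessibility binding, SMS access, notification access and package installation is what characterises the behaviour described above. Note the limit the article itself implies: a phase-one dropper ships with a sparse manifest and only fetches the dangerous code later, so this check is useful on the second-stage payload or an updated APK, not as a substitute for runtime monitoring.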
To protect your Android smartphone and your banking data, we therefore recommend installing an antivirus. Several vendors, such as Bitdefender, Norton 360 and McAfee, offer an effective Android antivirus app that detects this and other malware in real time and removes it.