Android Malware Posing As Google Play Silently Pilfers Bank Logins

A piece of Android malware has been uncovered that comes disguised as the Google Play app but uses a smart download technique to hide its activities.

The malware’s true purpose is to steal banking logins, hoover up text messages and intercept software certificates designed to prove the validity of communications, according to FireEye, which found the software.

FireEye found email evidence suggesting victims’ bank account passwords had been intercepted by the malware and sent to the hacker’s email accounts. It has worked with Google’s Gmail team to take those email accounts down.

Whilst its ability to pilfer data was a concern, FireEye researchers said the unique thing about the rogue app, which appeared to the user as “Google App Stoy” [sic] and carried the same icon as the Play application, was that it was able to come across as completely benign.

Sneaky Android malware

It was able to do so because on first inspection it appears to have very little functionality,  uninstalling itself when the user attempts to open it, telling the victim the app isn’t working, and leaving no visible traces.

Yet a closer look revealed the app contained malicious functionality encrypted and embedded in a folder which is unlocked remotely by the attacker using a DNS server with the Gmail SSL protocol. It was made difficult  to delete as the uninstall option was disabled by the malware.

The app on download appeared to be just 711 lines of code, but once it decrypted its more malicious files, it expanded to 2.2MB.

“The little amount of code in the superficial app is one of the evasion techniques used by the hackers to mask the malicious classes that swell the app’s size,” FireEye said in a blog post.

Users should be able to pick up on the Android malware by looking at the permissions before installation, as it asks for full administrator access, which grants a lot of control to the app.

Malware continues to evolve to target people’s bank accounts. One recent variant, Dyreza or Dyre, was seen hoovering up people’s logins for Citigroup, Bank of America, Royal Bank of Scotland and its subsidiaries NatWest and Ulster Bank.

How well do you know network security? Try our quiz and find out!