Android Malware Posing As Google Play Silently Pilfers Bank Logins

A piece of Android malware has been uncovered that comes disguised as the Google Play app but uses a smart download technique to hide its activities.

The malware’s true purpose is to steal banking logins, hoover up text messages and intercept software certificates designed to prove the validity of communications, according to FireEye, which found the software.

FireEye found email evidence suggesting victims’ bank account passwords had been intercepted by the malware and sent to the hacker’s email accounts. It has worked with Google’s Gmail team to take those email accounts down.

Whilst its ability to pilfer data was a concern, FireEye researchers said the unique thing about the rogue app, which appeared to the user as “Google App Stoy” [sic] and carried the same icon as the Play application, was that it was able to come across as completely benign.

Sneaky Android malware

It was able to do so because, on first inspection, it appears to have very little functionality: it uninstalls itself when the user attempts to open it, tells the victim the app isn’t working, and leaves no visible traces.

Yet a closer look revealed the app contained malicious functionality encrypted and embedded in a folder, which is unlocked remotely by the attacker using a DNS server with the Gmail SSL protocol. It was made difficult to delete because the malware disabled the uninstall option.

The app on download appeared to be just 711 lines of code, but once it decrypted its more malicious files, it expanded to 2.2MB.

“The little amount of code in the superficial app is one of the evasion techniques used by the hackers to mask the malicious classes that swell the app’s size,” FireEye said in a blog post.

Users should be able to pick up on the Android malware by looking at the permissions before installation, as it asks for full administrator access, which grants a lot of control to the app.
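The three traits the article describes (a very small visible code base, a large encrypted blob carried inside the package, and a device-administrator component that blocks uninstall) can be checked statically before an app is trusted. The script below is an added example written for this page, not FireEye's tooling or code from the sample; it assumes the APK has already been unpacked and its AndroidManifest.xml decoded to plain XML, and the manifest, asset blob and code size it runs on are constructed for the demonstration. The entropy threshold and size ratio are illustrative choices, not values taken from the article.

```python
"""Static triage for the evasion pattern described in the article:
tiny visible code, a high-entropy (encrypted) payload bundled with the app,
and a device-admin receiver that lets the app resist uninstall.
Assumes a decoded AndroidManifest.xml and the raw bytes of bundled assets."""
import hashlib
import math
import xml.etree.ElementTree as ET
from collections import Counter

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
DEVICE_ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"
GOOGLE_PACKAGE_PREFIXES = ("com.google.", "com.android.")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data approaches 8.0, plain text sits far lower."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def device_admin_receivers(manifest_xml: str) -> list:
    """Receivers guarded by BIND_DEVICE_ADMIN, i.e. DeviceAdminReceiver components.
    An app with such a receiver can ask for 'full administrator access'."""
    root = ET.fromstring(manifest_xml)
    return [
        receiver.get(ANDROID_NS + "name", "<unnamed>")
        for receiver in root.iter("receiver")
        if receiver.get(ANDROID_NS + "permission") == DEVICE_ADMIN_PERMISSION
    ]


def impersonates_google(manifest_xml: str) -> bool:
    """True when the visible label claims Google branding but the package lives outside Google's namespaces."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    label = (app.get(ANDROID_NS + "label", "") if app is not None else "").lower()
    return "google" in label and not package.startswith(GOOGLE_PACKAGE_PREFIXES)


def triage(manifest_xml: str, dex_size: int, assets: dict,
           entropy_threshold: float = 7.0, min_blob: int = 1024) -> list:
    """Return human-readable findings; an empty list means none of the heuristics fired."""
    findings = []
    for name in device_admin_receivers(manifest_xml):
        findings.append(f"device-admin receiver {name}: app can resist uninstall")
    if impersonates_google(manifest_xml):
        findings.append("label claims Google branding outside Google package namespace")
    for name, blob in assets.items():
        entropy = shannon_entropy(blob)
        if len(blob) >= min_blob and entropy >= entropy_threshold:
            ratio = len(blob) / max(dex_size, 1)
            findings.append(
                f"high-entropy asset {name} ({entropy:.2f} bits/byte, "
                f"{ratio:.0f}x the visible code size): possible encrypted payload")
    return findings


# --- Constructed sample data (hypothetical; not taken from the real malware) ---
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeplay">
  <application android:label="Google App Stoy" android:icon="@drawable/play_icon">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""
# 32 KiB of deterministic pseudo-random bytes standing in for an encrypted payload.
ENCRYPTED_BLOB = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(1024))
PLAIN_ASSET = b"This is an ordinary text asset.\n" * 200
SAMPLE_DEX_SIZE = 3_000  # bytes of visible code; small, like the 711-line shell in the article


def demo() -> list:
    return triage(SAMPLE_MANIFEST, SAMPLE_DEX_SIZE,
                  {"res/raw/payload.bin": ENCRYPTED_BLOB, "assets/notes.txt": PLAIN_ASSET})


if __name__ == "__main__":
    for finding in demo():
        print("-", finding)
```

Each heuristic alone is weak (many legitimate apps ship a DeviceAdminReceiver or a compressed asset), so the value is in the combination: a Google-branded label outside Google's package namespace, plus device-admin, plus a payload far larger than the visible code, is the profile the article describes and is worth a manual look before installation.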

Malware continues to evolve to target people’s bank accounts. One recent variant, Dyreza or Dyre, was seen hoovering up people’s logins for Citigroup, Bank of America, Royal Bank of Scotland and its subsidiaries NatWest and Ulster Bank.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
