An analysis of the mobile threat landscape in 2022 found that Spain and Turkey were the most targeted countries for malware campaigns, even as a mix of new and existing banking trojans increasingly target Android devices to conduct on-device fraud (ODF).
Other frequently targeted countries include Poland, Australia, USA, Germany, UK, Italy, France and Portugal.
“What is most concerning is the growing attention towards On-Device Fraud (ODF),” Dutch cybersecurity firm ThreatFabric said in a report shared with The Hacker News.
“In the first five months of 2022 alone, there has been an over 40% increase in malware strains that abuse the Android operating system to commit fraud using the device itself, making it virtually impossible to detect them using traditional fraud scoring tools.”
Hydra, FluBot (aka Cabassous), Cerberus, Octo, and ERMAC are the most active banking trojans based on the number of samples observed during the same time period.
Accompanying this trend is the continued discovery of new droppers on the Google Play Store that pose as seemingly innocuous utility and productivity apps in order to spread malware:
- Nano Cleaner (com.casualplay.leadbro)
- QuickScan (com.zynksoftware.docuscanapp)
- Chrome (com.talkleadihr)
- Play Store (com.girltold85)
- Pocket Screencaster (com.cutthousandjs)
- Chrome (com.biyitunixiko.populolo)
- Chrome (Mobile com.xifoforezuma.kebo)
- BAWAG PSK Security (com.qjlpfydjb.bpycogkzm)
Furthermore, on-device fraud – a stealthy method of initiating bogus transactions from the victim’s own device – makes it possible to use previously stolen credentials to log into banking applications and carry out financial transactions from a device the bank already trusts.
To make matters worse, banking trojans have also been observed constantly updating their capabilities, with Octo devising an improved method to steal credentials from overlay screens as they are typed, even before they are submitted.
“This is done so that login information can be obtained even if [the] victim suspects something and closes the overlay without actually clicking the fake ‘login’ present in the overlay page,” the researchers explained.
ERMAC, which emerged last September, has received notable upgrades of its own, allowing it to extract seed phrases from various cryptocurrency wallet applications in an automated manner by leveraging the Android Accessibility Service.
Accessibility services have been Android’s Achilles heel in recent years: the same legitimate APIs that let assistive tools read and interact with any app’s UI also let threat actors serve unsuspecting users with fake overlay screens, read what is typed, and capture sensitive information.
Last year, Google tried to address this by ensuring that “only services designed to help people with disabilities access their devices or overcome the challenges posed by their disabilities are eligible to declare that they are accessibility tools.”
The tech giant goes a step further in Android 13, which is currently in beta, by restricting accessibility API access for apps that users have installed from outside an app store (sideloaded apps), making it difficult for harmful applications to misuse the service.
That said, ThreatFabric notes that it is possible to bypass these restrictions with a modified installation process, highlighting the need for a more rigorous approach to combating such threats.
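The restriction discussed above keys on one question: which apps hold the accessibility capability, and did they come from an app store? The following Python script, an added example that is not part of the article or of ThreatFabric's or Google's tooling, runs the same check over the output of two real adb commands (`adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`) and flags any package with an enabled accessibility service whose installer is not Google Play. The sample outputs embedded in it are constructed for the example; `com.example.cleaner` is a hypothetical package name, while the TalkBack and Play Store package names are real.

```python
"""Flag sideloaded apps that hold an enabled accessibility service.

Added example, not code from the article or from ThreatFabric/Google.
Input formats follow the real adb commands named in each parser's docstring;
the SAMPLE_* strings are constructed stand-ins for their output.
"""
from __future__ import annotations

PLAY_STORE_INSTALLER = "com.android.vending"  # real Google Play package name
TRUSTED_INSTALLERS = frozenset({PLAY_STORE_INSTALLER})

# Constructed stand-in for: adb shell settings get secure enabled_accessibility_services
# Format: "package/ServiceClass" entries separated by ':' (a leading '.' in the
# class means it is relative to the package). "null" means nothing is enabled.
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.cleaner/.AccService"          # hypothetical sideloaded app
)

# Constructed stand-in for: adb shell pm list packages -i
# "installer=null" is what pm prints for packages installed via adb or a
# downloaded APK, i.e. sideloaded.
SAMPLE_PACKAGES = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.cleaner  installer=null
package:com.example.bank  installer=com.android.vending
"""


def parse_enabled_services(raw: str) -> dict[str, list[str]]:
    """Map package name -> enabled accessibility service classes."""
    services: dict[str, list[str]] = {}
    raw = raw.strip()
    if not raw or raw == "null":
        return services
    for entry in raw.split(":"):
        if "/" not in entry:
            continue  # tolerate malformed fragments
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls  # expand relative class name
        services.setdefault(pkg, []).append(cls)
    return services


def parse_installers(raw: str) -> dict[str, str | None]:
    """Map package name -> installer package (None when sideloaded)."""
    installers: dict[str, str | None] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        fields = line[len("package:"):].split()
        pkg, installer = fields[0], None
        for field in fields[1:]:
            if field.startswith("installer="):
                value = field[len("installer="):]
                installer = None if value == "null" else value
        installers[pkg] = installer
    return installers


def find_sideloaded_accessibility(
    enabled: dict[str, list[str]],
    installers: dict[str, str | None],
    trusted: frozenset[str] = TRUSTED_INSTALLERS,
) -> list[dict[str, object]]:
    """Return one finding per accessibility-holding package not from a trusted store.

    A package missing from the installer list is treated as untrusted too:
    an enabled service for an unknown package is itself worth a look.
    """
    findings = []
    for pkg, classes in sorted(enabled.items()):
        installer = installers.get(pkg)
        if installer not in trusted:
            findings.append({"package": pkg, "installer": installer,
                             "services": classes})
    return findings


def triage(enabled_raw: str, packages_raw: str) -> list[dict[str, object]]:
    """Convenience wrapper: parse both command outputs and run the check."""
    return find_sideloaded_accessibility(parse_enabled_services(enabled_raw),
                                         parse_installers(packages_raw))


if __name__ == "__main__":
    for f in triage(SAMPLE_ENABLED_SERVICES, SAMPLE_PACKAGES):
        print(f"[!] {f['package']} (installer={f['installer']}) "
              f"has accessibility service(s): {', '.join(f['services'])}")
```

On a real device, pipe the two adb outputs into `triage()` instead of the samples. A hit is a lead, not a verdict: a legitimate assistive app sideloaded by the user will trigger it as well, so the result should be read alongside the app's permissions and origin.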
Users are advised to install apps only from the Google Play Store, to refuse unusual permissions to apps that have no plausible need for them (e.g. an app with no contact-related functionality requesting access to the contact list), and to be wary of phishing attempts that try to get them to install fake apps.
“The openness of the Android operating system serves both good and bad, as malware continues to abuse legitimate features, while the upcoming restrictions seem to barely interfere with the malicious intent of such apps,” the researchers said.