Malicious apps in the official Google Play store are using a clever way to evade detection: they monitor the infected phone's motion sensors before installing the banking Trojan, ensuring that it is not installed in the emulator used by security researchers.
Trend Micro researchers report that two Google Play apps install the Anubis banking Trojan only after checking the user's and the device's motion, using that check to hide their activity from analysis. The two applications are BatterySaverMobi, with around 5,000 installs, and Currency Converter.
Trend Micro researcher Kevin Sun wrote, “One of the ways the app developers hide the malicious server is by encoding it in Telegram and Twitter webpage requests. The bank malware dropper will request Telegram or Twitter after it trusts the running device. By parsing the response’s HTML content, it gets the C&C server (aserogeege.space). Then, it registers with the C&C server and checks for commands with an HTTP POST request. If the server responds to the app with an APK command and attaches the download URL, then the Anubis payload will be dropped in the background. It will try and trick users into installing it with the fake system update.”
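The staging chain described in the quote above (dead-drop fetch from Telegram or Twitter, registration and command polling by HTTP POST, then an APK download from the C&C), correlated over constructed per-app HTTP log lines as a detection example. This is added here and is not the article's or Trend Micro's code; the log format, package names and every host other than aserogeege.space are assumptions.

```python
# Added example (not the article's or Trend Micro's code): flag the staging
# chain the article describes, over constructed per-app HTTP log lines:
#   GET a Telegram/Twitter page (C&C hidden in its HTML)
#   -> POST to a different host (register / poll for commands)
#   -> GET an .apk from that same host (the dropped payload).
# Log format, package names and all hosts except aserogeege.space (named in
# the article) are constructed for this demo.
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed log lines, time-ordered: "<package> <METHOD> <url>"
SAMPLE_LOG = """\
com.example.batterysaver GET https://t.me/s/example_channel
com.example.batterysaver POST https://aserogeege.space/register
com.example.batterysaver POST https://aserogeege.space/poll
com.example.batterysaver GET https://aserogeege.space/files/update.apk
com.example.weather GET https://twitter.com/example_account
com.example.weather GET https://api.example-weather.net/forecast
com.example.messenger GET https://t.me/s/news
com.example.messenger POST https://t.me/api/ack
"""

DEAD_DROP_HOSTS = {"t.me", "telegram.me", "twitter.com", "mobile.twitter.com"}

def find_staging_chains(log_text: str) -> dict:
    """Return {package: c2_host} for every app whose request sequence
    matches dead-drop fetch -> POST to C&C -> APK download from that C&C."""
    requests = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of aborting the scan
        pkg, method, url = parts
        host = urlsplit(url).hostname or ""
        requests[pkg].append((method.upper(), host, url.lower()))

    flagged = {}
    for pkg, reqs in requests.items():
        stage, c2 = 0, None  # 0: nothing, 1: dead drop seen, 2: C&C POST seen
        for method, host, url in reqs:
            if stage == 0 and method == "GET" and host in DEAD_DROP_HOSTS:
                stage = 1
            elif stage == 1 and method == "POST" and host not in DEAD_DROP_HOSTS:
                stage, c2 = 2, host
            elif stage == 2 and method == "GET" and host == c2 and url.endswith(".apk"):
                flagged[pkg] = c2
                break
    return flagged
```

Only the battery-saver package completes all three stages in the sample; the weather app never POSTs anywhere and the messenger app only talks to Telegram itself, so neither is flagged.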
Once Anubis is installed, it uses keystroke logging and screenshots to steal the user's login credentials.