A notorious Android Trojan known as "BankBot" was recently discovered posing as a gaming application on the Google Play Store. It had thousands of downloads before being successfully purged from the marketplace, security researchers have revealed.
Experts from Eset, a Slovakian security company, said this week (25 September) that the Trojan – which aims to steal credit card details – had been spotted using a number of "new tricks" that move away from posing as banking apps in favour of targeting Google Play itself.
The new campaign, discovered on 4 September, impacted users who thought they were downloading a game titled "Jewels Star Classic", a blog post stated.
Before being booted from the marketplace by Google, the Trojan had been downloaded up to 5,000 times.
BankBot was first analysed by Russian cybersecurity experts from "Dr Web" in December last year.
In January, the researchers confirmed that its source code had leaked online – causing a spike in activity.
Now, the evolved strain is able to abuse Google's legitimate "Accessibility Services" and better hide in smartphones and tablets.
Users who downloaded the gaming app would indeed get a functioning product, but after 20 minutes (a method of evading Google's anti-malware scans) it would turn nasty.
After this pre-set delay, the new BankBot Trojan demanded the victim accept a screen prompt to enable a mysterious function called "Google Service" – only escapable by clicking OK.
The user was taken to a legitimate menu screen, where the malware had inserted a fake button.
If the user activated the malicious service, which was not affiliated with Google, the hacker would essentially be granted access to a slew of invasive permissions.
As Eset detailed in its report, the move would give the Android Trojan "a free hand to carry out any tasks it needs to continue its malicious activity".
A pop-up overlay screen would claim the phone was updating but, in reality, the hackers were covering up BankBot's true activity – granting themselves access to elevated permissions.
They would then be able to install other apps, launch the Trojan and intercept messages.
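The abuse described above hinges on the victim enabling an accessibility service that has nothing to do with Google. As an added example that is not part of the article, and not Eset's or Google's code, the POSIX shell function below audits the list of enabled accessibility services on an Android device against an allowlist, the kind of check an administrator can run to spot an unexpected service such as the fake "Google Service". It assumes the raw value is obtained with `adb shell settings get secure enabled_accessibility_services` (a colon-separated list of package/class component names, or the literal string `null` when none is enabled); the allowlist and the sample value are constructed for illustration.

```shell
#!/bin/sh
# Audit enabled Android accessibility services against an allowlist.
# Hypothetical helper (not from the article). Input is the value of the
# secure setting "enabled_accessibility_services", e.g. obtained with:
#   adb shell settings get secure enabled_accessibility_services

# Constructed allowlist of packages that are expected to provide an
# accessibility service on managed devices (space-separated).
ALLOWLIST="com.google.android.marvin.talkback"

# Constructed sample value: the legitimate TalkBack service plus a service
# registered by a game package, the pattern the article describes.
SAMPLE="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.game/com.example.game.GoogleService"

# Prints the number of enabled accessibility services whose package is not on
# the allowlist; each flagged component is reported on stderr.
count_unknown_services() {
    value="$1"
    # settings get prints the string "null" when the setting is unset
    if [ "$value" = "null" ]; then
        value=""
    fi
    n=0
    old_ifs=$IFS
    IFS=':'
    for comp in $value; do
        # component names are "package/class"; only the package matters here
        pkg=${comp%%/*}
        case " $ALLOWLIST " in
            *" $pkg "*) ;;
            *)
                echo "UNKNOWN accessibility service enabled: $comp" >&2
                n=$((n + 1))
                ;;
        esac
    done
    IFS=$old_ifs
    echo "$n"
}

# Usage on a live device would be:
#   count_unknown_services "$(adb shell settings get secure enabled_accessibility_services)"
# Offline demonstration with the constructed sample (prints 1):
count_unknown_services "$SAMPLE"
```

A non-zero count is a signal to inspect the flagged package, since a service granted accessibility access can read screen content and act on the user's behalf, which is exactly what lets the Trojan drive the device once the prompt has been accepted.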
Prior BankBot versions found in the wild would mirror popular banking applications in the hope that victims wouldn't realise and would enter their account passwords.
This time, however, it targeted Google Play by overlaying the real app with a form which asked unwitting users to enter financial details to continue using the service.
"If the user falls for the fake form and enters their credit card details, the attackers have essentially won," the researchers warned.
They said that the ability to intercept text messages would let the cybercriminals bypass two-factor authentication, which is often the last line of defence in this scenario.
"The crooks have put together a set of techniques with rising popularity among Android malware authors: abusing Android Accessibility Service, impersonating Google, and setting a timer delaying the onset of malicious activity to evade Google's security measures," Eset said.
"The techniques combined make it very difficult for the victim to recognise the threat in time."
It remains unknown who is behind the BankBot campaigns – but as the source code is available online it is highly likely that a variety of people have adapted its code for criminal use.
To stay safe from banking Trojans and other malicious software, Android users are advised to only download apps from legitimate sources and to remain vigilant whenever any software asks them to input personal passwords or financial information into suspicious login forms.