In January, security researchers warned that Android users may soon face a spike in malware attacks after the source code of a banking Trojan leaked online. Now, confirming the fears, Google is taking action after sneaky malware crept onto its official app store.
On 17 April (Monday) the strain, dubbed "BankBot", was discovered in an application called "HappyTimes Videos" on Google's Play Store. In addition, experts from Securify, a Dutch cybersecurity firm, recently found another infected app there, titled "Funny Videos 2017".
The Trojan is able to pose as legitimate services, mostly banks and financial institutions. However, once launched on a victims' device it can hijack financial details.
In total, security researchers believe the app is now targeting over 400 Android-based applications.
According to Bleeping Computer, the hackers devised a method of circumventing Google's automated security scanners. "HappyTimes Videos" was updated on 8 April and had between 1,000 and 5,000 downloads. That's "quite a lot" for malware, said Securify's Niels Croese.
The web giant has removed both offending apps from its store front. IBTimes UK contacted Google for comment regarding the claim its automated protection capabilities had been breached – however we had received no response at the time of publication.
Dr Web, a Russian anti-malware firm, was among the first to reveal how BankBot works by showing a fake login window over a victim's legitimate application.
After downloading and analysing the leaked code, its experts said the Trojan is able to "mirror" popular services including PayPal.
A slew of other escalated privileges obtained by the malware – which circulates via third-party app stores – can give an attacker the ability to send text messages; intercept call data; intercept text messages; obtain all contact list phone numbers and track device geolocation via GPS.
It also has the ability to steal information and can track the launch of applications including Facebook, Snapchat, WeChat, Instagram and Twitter. In each instance, it displays a "phishing" screen that closely resembles the official Google Play dialogue box and then asks for details.
At the time, Dr Web researchers warned more variants were likely to surface as the source code was modified further. "As cybercriminals created it with publicly available information, one can anticipate that many Trojans similar to it will appear," the team said in a blog post.
Security commentator David Bisson, writing on Graham Cluley.com, addressed BankBot concerns, saying: "Users should research an app carefully before they install it on their phones."
"Specifically, they should read the user reviews while staying alert for complaints about unexpected behaviour and look at the permissions for unusual requests. They should also install a mobile anti-virus solution on their phones just to be safe," he added.