Warning over malware campaigns that compromised half-a-million Android users

Apps purporting to be utilities for optimising device performance downloaded malware

Security researchers have reported two new malware campaigns targeting Android users with apps that purport to optimise smartphone performance.

The first campaign, identified by Trend Micro, involves nine apps that claim to be utilities, but instead connect to attacker-controlled servers to download malware onto compromised devices.

The apps participating in this campaign include:

The apps can even log in to users' Google and Facebook accounts to perform ad fraud. The actors behind the malware campaign can also use a compromised device to post fake reviews in favour of malicious apps or to perform multiple ad frauds by clicking on the ads that pop up.


The malicious apps had been downloaded more than 470,000 times from Google Play, according to the researchers, before they were pulled from the Google Play store.

The campaign, which has been active since 2017, targeted Android users in Japan, the US, Taiwan, India, and Thailand. Google has removed all nine malicious apps from Play, the researchers added.

A second campaign, disclosed by the researchers from Cofense, uses phishing emails to install the Anubis banking Trojan on Android devices. Anubis is capable of stealing financial information from hundreds of banking and shopping apps.

After compromising a device, Anubis starts to create a list of installed apps and then compares them against a list of 263 targeted apps.

Once an app is identified for targeting, it is overlaid with a fake login page to steal the user's account details. The latest version of Anubis comes with a keylogging module that can capture keystrokes from all apps installed on the device.

Other capabilities of this banking Trojan include:

"Android malware has been around for many years and will be with us for the foreseeable future," the researchers from Cofense warn.

"Users who have configured their Android mobile device to receive work-related emails and allow installation of unsigned applications face the most risk of compromise."

"With the increased use of Android phones in business environments, it is important to defend against these threats by ensuring devices are kept current with the latest updates. Limiting app installations on corporate devices, as well as ensuring that applications are created by trusted developers on official marketplaces, can help in reducing the risk of infection as well," they added.