A couple of malicious apps targeting Brazilian Android users were recently found in the official Google Play by experts at Kaspersky Lab. The malicious apps targeted mobile banking users using an appearance similar to the one of the legitimate banking apps, while the first app was published on October 31th and registered 80 installations, the second one was published on November 10th and had only 1 installation.
“This week we spotted the first Trojan banker targeting Brazilian users of Android devices. Two malicious applications meant to pass for apps from local Banks were hosted on Google Play.” reported the security researcher Fabio Assolini in a blog post.
As explained by the researchers the news isn’t surprising, more than 6 million Brazilians currently use mobile banking services and the Brazil is the country with the highest number of infections related banking industry in Q3 as reported in the Q3 threat evolution report issued by Kaspersky.
“Brazil remained the country where users are most often attacked by banking malware, even if its share was down one third. Russia stayed in second place. Italy dropped to 4th position while Germany rose to 3rd place: the number of attacked users in this country grew by 1.5 times.”
The criminal crew that published the malicious apps on the Google Play store is using the name “Governo Federal” (Federal Government)
The malicious apps are very simple, they were designed just to steal login credentials in a classic phishing scheme, Brazilian mobile banking users result particularly exposed to the attack so due to the lack of a strong authentication (i.e. two-factor authentication) for banking app.
The attackers used a free platform to create the malicious apps, ‘App Inventor’, which doesn’t require any particular skill to create a mobile application, but the results are an app big in size as explained in the post:
“To create the malicious app, the (lazy) bad guy decided to use “App Inventor”: a free platform that allows anyone to create their own mobile Android application, no technical knowledge required. The result is an app big in size and full of useless code. But both apps had the function to load the logos of the targeted Banks and open a frame – the phishing page programmed to capture the user’s credentials.” said the post. “The phishing pages of the targeted Banks were hosted on a hacked website. A good soul removed them and inserted an alert to the visitors stating: “Este é um aplicativo Falso, denuncie este app”, meaning “This is a fake app, please report it”. As a result, when the user downloads, installs and opens the fake banking app, this message is displayed inside, instead of the original phishing page”
The Kaspersky Lab team has already reported both apps to Google that promptly removed them from the official Play Store.
Both malicious apps are detected as Trojan-Banker.AndroidOS.Binv.a and security experts have no doubts regarding the fact that cyber criminals will continue to explore official channels to spread malicious code.
A good starting point would be to implement a two-factor authentication for sensitive applications such as banking software.
(Security Affairs – Bazil, banking malicious apps)