A combination of new and existing banking trojans is increasingly targeting Android smartphones to perform on-device fraud (ODF), with Spain and Turkey emerging as the most targeted countries, according to an assessment of the mobile threat landscape in 2022.
Other frequently targeted countries include Poland, Australia, the U.S., Germany, the U.K., Italy, France, and Portugal.
“The most concerning leitmotif is the growing focus on On-Device Fraud (ODF),” according to a report shared with The Hacker News by Dutch cybersecurity firm ThreatFabric.
“In only the first five months of 2022, there has been a 40 percent growth in malware families that exploit Android OS to commit fraud on the device itself, making standard fraud scoring extremely hard to detect.”
Based on the number of samples observed over the same period, Hydra, FluBot (aka Cabassous), Cerberus, Octo, and ERMAC were the most active banking trojans.
This trend is accompanied by the continual discovery of new dropper apps on the Google Play Store that deliver the malware under the guise of seemingly harmless productivity and utility apps:
- Nano Cleaner (com.casualplay.leadbro)
- Pocket Screencaster (com.cutthousandjs)
- Chrome (com.biyitunixiko.populolo)
- Chrome (Mobile com.xifoforezuma.kebo)
- QuickScan (com.zynksoftware.docuscanapp)
- Chrome (com.talkleadihr)
- Play Store (com.girltold85)
- BAWAG PSK Security (com.qjlpfydjb.bpycogkzm)
Furthermore, on-device fraud, a covert means of initiating fraudulent transactions from the victim's own device, lets the operators log on to banking apps and conduct financial transactions using previously stolen credentials, while inheriting the device fingerprint and IP address that fraud-scoring systems treat as trusted.
To make matters worse, banking trojans have been seen continually improving their capabilities, with Octo adopting a new technique for stealing credentials from overlay screens even before they are submitted.
“This is done so that [the] credentials may be obtained even if [the] victim suspects anything and closes the overlay page without touching the phony ‘login’ displayed in the overlay page,” the researchers added.
ERMAC, which first surfaced in September 2021, has received significant updates that allow it to automate the extraction of seed phrases from several cryptocurrency wallet apps by abusing Android's Accessibility Service.
In recent years, Android's Achilles' heel has been the Accessibility Service, which has allowed threat actors to use the official API to serve unsuspecting users with fake overlay screens, read what is displayed on screen and inject input, and thereby steal sensitive data.
Last year, Google tried to address the issue by requiring that “only services meant to help people with disabilities access their device or otherwise overcome obstacles arising from their disability are qualified to claim that they are accessibility aids.”
However, with Android 13, which is currently in beta, Google goes a step further by restricting Accessibility API access for apps that the user has sideloaded from outside an app store, making it harder for potentially harmful apps to abuse the service.
ThreatFabric, however, said it was able to bypass these restrictions with relative ease by tweaking the installation procedure, suggesting the need for a more stringent approach to combating such threats.
Users should stick to downloading apps from the Google Play Store, avoid granting unusual permissions to apps that don't need them (e.g., a calculator app requesting access to contacts), and be wary of phishing attempts aimed at installing rogue apps.
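The two facts above, that the Accessibility Service is the lever these families pull and that the Android 13 restriction keys on how a package was installed, suggest a simple triage check a responder can run against a device. The script below is an added example, not code from ThreatFabric or The Hacker News. It parses the output of two real adb commands, `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`, and flags any package that holds an enabled accessibility service but was not installed by a trusted store, plus any package matching the dropper list above. The adb output embedded below is constructed for illustration; the package names `com.example.payload` and `com.example.sideload`, and the set of installers treated as trusted, are assumptions.

```python
"""Triage check for Android Accessibility Service abuse (added example).

Inputs are the raw text of two adb commands run on the device under review:

    adb shell settings get secure enabled_accessibility_services
    adb shell pm list packages -i

The check cross-references them: a package with an enabled accessibility
service whose installer is not a trusted store is worth a closer look. The
installer test is deliberately "not trusted" rather than "null": a payload
dropped by a Play Store app via a session-based install carries the dropper's
package name as its installer, which is exactly the case Android 13's
sideload restriction does not cover.
"""
from __future__ import annotations

import re

# Installers treated as store-style installs. Policy assumption: Google Play
# and the Samsung Galaxy Store; extend for the fleet under review.
TRUSTED_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}

# Dropper package names exactly as listed in the article.
KNOWN_DROPPERS = {
    "com.casualplay.leadbro",
    "com.cutthousandjs",
    "com.biyitunixiko.populolo",
    "com.xifoforezuma.kebo",
    "com.zynksoftware.docuscanapp",
    "com.talkleadihr",
    "com.girltold85",
    "com.qjlpfydjb.bpycogkzm",
}

# Constructed sample output (not captured from a real device).
SAMPLE_SERVICES = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.payload/.A11yService"
)
SAMPLE_INSTALLERS = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.qjlpfydjb.bpycogkzm  installer=com.android.vending
package:com.example.payload  installer=com.qjlpfydjb.bpycogkzm
package:com.example.sideload  installer=null
"""


def parse_enabled_services(raw: str) -> set[str]:
    """Return the package names in enabled_accessibility_services.

    The setting is a colon-separated list of component names such as
    'pkg/pkg.Service' or the short form 'pkg/.Service'; 'null' or an empty
    string means no accessibility service is enabled.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in raw.split(":") if entry}


def parse_installers(raw: str) -> dict[str, str | None]:
    """Parse 'pm list packages -i' into {package: installer or None}.

    Lines look like 'package:com.foo  installer=com.android.vending';
    'installer=null' means the installer is unknown (typically sideloaded).
    """
    result: dict[str, str | None] = {}
    for line in raw.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if not m:
            continue
        pkg, installer = m.group(1), m.group(2)
        result[pkg] = None if installer == "null" else installer
    return result


def triage(services_raw: str, installers_raw: str) -> dict[str, list[str]]:
    """Cross-reference both outputs and return sorted findings."""
    a11y = parse_enabled_services(services_raw)
    installers = parse_installers(installers_raw)
    # Missing entry or installer=null both yield None, which is untrusted.
    sideloaded_a11y = sorted(
        pkg for pkg in a11y if installers.get(pkg) not in TRUSTED_INSTALLERS
    )
    droppers = sorted(pkg for pkg in installers if pkg in KNOWN_DROPPERS)
    return {
        "sideloaded_with_accessibility": sideloaded_a11y,
        "known_droppers": droppers,
    }


if __name__ == "__main__":
    for category, packages in triage(SAMPLE_SERVICES, SAMPLE_INSTALLERS).items():
        print(f"{category}: {', '.join(packages) or '(none)'}")
```

On the constructed sample the check flags `com.example.payload`, because its installer is the dropper rather than a store, and flags `com.qjlpfydjb.bpycogkzm` as a known dropper, while `com.example.sideload` is not flagged even though its installer is null, because it holds no accessibility service. To run it against a device, pipe the two adb commands' output into `triage()` in place of the sample strings.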
“The openness of Android OS serves both good and evil,” the researchers wrote, “as malware continues to misuse legitimate functionalities, while impending limits appear to have little impact on the nefarious objectives of such programs.”