The BankBot malware family is abusing Android’s accessibility services to try to install additional apps without users’ permission.
In this particular attack campaign, the trojan has concealed itself inside of two applications available for download on Google’s Play Store.
The first app, “Bubble Shooter Wild Life,” is advertised as a “fun and addictive” mobile game. The second app goes by the name “Earn Real Money Gift Cards“; it claims it can help users gain rewards for free.
Collectively, the apps have collected at most 5,000 installations at the time of this writing.
On 21 August, threat researchers at Zscaler came across the two apps. In their analysis of Bubble Shooter Wild Life, they found that the program uses an obfuscator, a technique commonly employed by malware families to hide their malicious purposes. Decryption of the strings revealed that the app asks for permission to draw over other apps upon start-up.
Once it gains that permission, it waits 20 minutes before displaying a fake message from Android OS designed to trick the user into granting the app to accessibility services, features which are designed to help users with disabilities interact with their mobile devices. (This isn’t the first piece of malware that’s sought to abuse these capabilities.)
With those rights granted, BankBot gets to work by attempting to install a /sdcard/Download/app.apk file. This file wasn’t available at the time, but researchers were able to replicate what would have happened if it had been present.
As Zscaler’s Gaurav Shinde elaborates on the trojan’s activity:
“The malware abused the accessibility service to install that APK file automatically. First it tried to install the APK directly, but it turned out that the installation failed because the “Installation from Unknown Sources” was disabled. So, the app itself opened the Settings menu, turned on “Installation from Unknown Source” and then restarted the app.apk installation process. It accepted all the permissions of the app and completed the app installation successfully.”
SfyLabs, which detected the two apps shortly after Zscaler, feels that the apps are still in development and could begin pushing out additional malicious apps in the near future.
With that said, users should protect themselves by installing apps from only trusted developers on Google’s Play Store. They should also refuse to install any apps that unnecessarily request permission to access Android’s accessibility services.
The problem with finding "trusted developer's" is that it requires a fair amount of detective work. Most free apps only show a name of developer, which is usually the first part of an email address too. Aside from reading reviews, and permissions, as well as privacy & terms of use, it's hard to tell the honesty, or intentions. Most never read beyond a couple reviews, and glance the permissions on install.
But, the SDK's included in many apps present another big problem, for the developer and the customer. As was recently discovered by Lookout Security. Over 500 apps have been removed because of an advertiser SDK. https://blog.lookout.com/igexin-malicious-sdk?source=techstories.org
Seems Google needs to do more work on the
"Google Play Protect Service" formerly, Verify Apps.