Two malicious apps that activate only when the smartphone moves have been found in the Google Play Store. The two apps, a currency converter and a power saver, were uncovered by security researchers at Trend Micro.
The two applications were named Currency Converter and BatterySaverMobi, and they deploy a banking Trojan called Anubis. The BatterySaver app was downloaded more than 5000 times and received 4.5 stars from 73 reviewers. However, the researchers think that these ratings may have been corrupted.
These two apps use the sensors of the victim's device to avoid detection. A device generates motion sensor data when its user moves it. The apps monitor the phone on which they are installed for this sensor data and, when it is detected, deploy Anubis.
If the device does not move, the app treats it as an emulator or sandbox environment, one in which the malicious code could be picked apart by researchers. So the app will not try to deploy its payload if there is no movement.
If the sensors generate motion data, the app tries to trick the user into downloading and installing the Anubis Trojan as an APK, using a fake system update message.
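A defender-side triage sketch for the behaviour described above, added here as an example and not taken from Trend Micro's analysis or from the apps' code: it flags apps that read motion sensors without an obvious purpose and can install a further APK, and it treats a sandbox run that sent no motion events as inconclusive. The record layout, category names, verdict labels and sample records are assumptions constructed for illustration; the Android API, permission and MIME-type strings are real.

```python
import re

# Smali-style references to the real Android sensor API, as seen in decompiled code.
MOTION_API = re.compile(
    r"Landroid/hardware/SensorManager;->(registerListener|getDefaultSensor)")
# Markers of a follow-on install: the install permission or the APK MIME type.
INSTALL_MARK = re.compile(
    r"android\.permission\.REQUEST_INSTALL_PACKAGES"
    r"|application/vnd\.android\.package-archive")
# Assumption: store categories where reading motion data has an obvious purpose.
MOTION_CATEGORIES = {"health_fitness", "game", "maps_navigation"}


def triage(app, sandbox_sent_motion):
    """Return (verdict, reasons) for one statically analysed app record."""
    strings = "\n".join(app["code_refs"] + app["permissions"])
    reads_motion = bool(MOTION_API.search(strings))
    can_install = bool(INSTALL_MARK.search(strings))
    expected = app["category"] in MOTION_CATEGORIES
    reasons = []
    if reads_motion and not expected:
        reasons.append("reads motion sensors with no obvious purpose")
    if can_install:
        reasons.append("can request installation of a further APK")
    if reads_motion and not sandbox_sent_motion:
        reasons.append("sandbox sent no motion events: clean result inconclusive")
    if reads_motion and not expected and can_install:
        return "escalate", reasons
    if reads_motion and not sandbox_sent_motion:
        return "rerun-with-motion", reasons
    return "pass", reasons


# Constructed sample records (hypothetical, not real apps or real scan output).
LISTENER = "Landroid/hardware/SensorManager;->registerListener"
UTILITY = {"category": "tools", "code_refs": [LISTENER],
           "permissions": ["android.permission.INTERNET",
                           "android.permission.REQUEST_INSTALL_PACKAGES"]}
PEDOMETER = {"category": "health_fitness", "code_refs": [LISTENER],
             "permissions": ["android.permission.INTERNET"]}
NOTES = {"category": "productivity", "code_refs": [],
         "permissions": ["android.permission.INTERNET"]}

if __name__ == "__main__":
    for name, app in (("utility", UTILITY), ("pedometer", PEDOMETER), ("notes", NOTES)):
        print(name, triage(app, sandbox_sent_motion=False))
```

The "rerun-with-motion" verdict is the practical point: an analysis environment that never feeds sensor events to the app cannot clear one that reads them.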
The code is similar to known Anubis samples and connects to a command-and-control (C2) server hosted on domains also linked to the banking Trojan. When a victim allows the app to download and execute its APK, the banking Trojan starts to work.
It has a built-in keylogger that records keystrokes, and the malware can also secretly take screenshots, which can be a technique to steal banking credentials.
The malware has access to contact lists and location data, and it can record audio, send SMS messages, make calls, and tamper with external storage. All of this can let the attackers spread to other victims using spam messages and fraudulent calls.
Some researchers also claim that Anubis has the capability to act as ransomware.
A previous Anubis campaign was discovered by IBM X-Force researchers last June. A malware app called “Google Protect,” together with fake shopping and stock market apps, masked the Anubis malware deployed for stealing banking credentials.
This latest version of Anubis has been distributed to 93 countries, and attempts to extract account credentials relating to 377 financial apps have been made in the wild.
Any issue in mobile security can lead to severe consequences for many users, so they should be careful about any app that requests bank credentials and make sure that it is legitimately linked to their bank.