Android virus distributed via fake Google Play Store page targets Brazil

Banking malware targets Itau Unibanco services in Brazil with at least 55 million customers worldwide

Banking trojan malware aims at Brazilian bank customers

New Android virus aims at Brazilian bank customers to get banking information from victims. Researchers^[1] discovered the new wave of mobile malware that uses the look-a-like site for the Google Play Store to carry out the scam. Fraudulent financial transactions can be carried out using the service without the device owner's knowledge.^[2] The unusual trick for the malware deployment was used to target 55 million customers of the large financial services provider in Brazil.^[3]

People get tricked into thinking that they are visiting the official Google Play app store, and when they are installing the application from a legitimate service, the malware is released. The site features the same icon as the legitimate application, and once the user clicks the Install button, the download is starting.

The has created a fake Google Play Store page and hosted the malware that targets Itaú Unibanco on it under the name sincronizador.apk.

However, the download is for the APK. This should be the first indication of a scam and the fraudulent page because, normally, Google Play Store programs are installed through the interface of the store. Users should not be asked to manually install applications.

The app avoids detection from AV tools

The in-depth analysis of the malicious programs revealed that the app once executed, tries to open the actual Intau application from the official Google Play Store. Attackers use the store to spread the malware commonly.^[4] If the process is successful, the actual legitimate app is used to perform the transactions by altering the input fields. The malware uses the Accessibility Service that is needed for the mobile virus to avoid security apps and solutions on the Android machines.

Hijacking the real applications is becoming a real issue, based on various reports and analyses on Android malware. This Accessibility abuse is the weak spot targeted by malicious actors. The issue is that the user can notice the signs of leveraging such a spot and stop the malware from performing these destructive actions before the malware infiltration.

These telling signs can be applications asking for permission to perform the actions, retrieve content, observe users' behavior. The particular fake site that was used to distribute the malicious APK has been taken down and disabled, but actors can come back and use other domains or entirely different tactics.

Leveraging the fake app store pages is not new

The method of using the fake pages of official application stores is known and used by malicious actors for a while now. Such attack campaigns allow the attacker to use the platform as a part of the broader operations to spy on particular groups of people.

In March, Meta reported that an attack was held using the social media application.^[5] The issue was aimed at Uyhghut Muslims, and third-party websites used replicas of the news pages and spied on such groups. The resemblance of Android application stores allowed attackers to inject fake keyboards, players, dictionary applications that might be often downloaded by users.

Such fake URL impersonates official marketplaces, hosts malware applications, fakes the numbers for program downloads. Users might launch the imposter apps from the fake page and enable access to the device without knowing. Mainly, these trojans have the goal of financial transactions and tampering with information that is inputted by users. People should install the verified applications only and always check the authenticity to avoid imposters and malicious versions of these app stores, malware attacks.