Antivirus company ESET has reported finding 29 banking Trojans disguised as harmless apps on Google Play. According to the company, users of the official app store downloaded them more than 30,000 times in total.
The Trojans masqueraded as legitimate apps: horoscopes, system cleaners, battery savers and the like. Once installed on a phone or tablet, most of them displayed an error claiming the app was incompatible with the device and pretended to uninstall themselves; in reality the app stayed installed and only its launcher icon was hidden from the user. Some of the fakes (the horoscope apps, for example) actually provided the functionality described in their listing.
Whichever concealment method was used, in the second stage of the attack the payload carrying the banking functionality was decrypted on the device. The Trojan then picked a target among the installed apps and presented a phishing login form tailored to that app in order to harvest the victim's username and password. The malware could also intercept and send text messages, which let it defeat SMS-based two-factor authentication, and it could install additional software on the device.
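The capability combination described above (a form shown over other apps, SMS interception, installing further packages) is something an analyst can look for statically once an APK's manifest has been decoded. The following is an added triage example written for this page, not code from ESET or from the apps themselves. It assumes that those capabilities map onto the standard Android permissions and the `SMS_RECEIVED` broadcast hook; the page does not list the permissions the real apps requested, and the two manifests below are constructed for illustration. Note that icon hiding is done at runtime, so it leaves no trace in the manifest and is not checked here.

```python
"""Triage heuristic for decoded AndroidManifest.xml files (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Capabilities the article attributes to the family, mapped onto the Android
# permissions each would normally require. This mapping is an assumption made
# for the example; the page does not quote the apps' actual permissions.
CAPABILITY_PERMISSIONS = {
    "sms_interception": {"android.permission.RECEIVE_SMS",
                         "android.permission.READ_SMS"},
    "overlay_phishing": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "package_install": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}

SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"


def _android_attr(elem, name):
    """Read an attribute from the android: namespace, or None if absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(xml_text):
    """Return the indicators found in a decoded AndroidManifest.xml string."""
    root = ET.fromstring(xml_text)
    requested = {_android_attr(e, "name") for e in root.iter("uses-permission")}

    capabilities = {cap for cap, perms in CAPABILITY_PERMISSIONS.items()
                    if perms & requested}

    # A broadcast receiver for SMS_RECEIVED is the hook used to read incoming
    # one-time codes; a high android:priority on its filter lets it see the
    # message before the default messaging app does.
    sms_receiver_priority = None
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {_android_attr(a, "name") for a in flt.iter("action")}
            if SMS_RECEIVED_ACTION in actions:
                prio = _android_attr(flt, "priority")
                sms_receiver_priority = int(prio) if prio is not None else 0

    return {
        "package": root.get("package"),
        "capabilities": capabilities,
        "sms_receiver_priority": sms_receiver_priority,
    }


def is_suspicious(indicators):
    """Flag the combination the article describes: overlay plus SMS access.

    Either capability alone is common in legitimate apps (messaging clients,
    floating widgets); the pairing in a horoscope or cleaner app is what
    deserves a closer look.
    """
    caps = indicators["capabilities"]
    return "overlay_phishing" in caps and (
        "sms_interception" in caps
        or indicators["sms_receiver_priority"] is not None)


# Constructed sample manifests; package names and components are invented.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.horoscope">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application>
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cleaner">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application/>
</manifest>
"""

if __name__ == "__main__":
    for text in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(text)
        print(result["package"], sorted(result["capabilities"]),
              "suspicious" if is_suspicious(result) else "ok")
```

The heuristic is deliberately narrow: it scores the combination rather than any single permission, because `SYSTEM_ALERT_WINDOW` or an SMS receiver on its own is routine. Running it over a decoded manifest (for example the output of apktool) gives a first sort before dynamic analysis.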
The malicious apps were uploaded to Google Play under the names of various developers. However, similarities in their code and a shared command-and-control server suggest that they all came from the same author or group of authors.
The fake apps were removed from Google Play between August and October 2018.