
This huge Android trojan malware campaign was discovered after the gang behind it made basic security mistakes

Paulo Renato

This article describes how security researchers uncovered a successful hacking campaign that, since 2016, has infected the devices of around 800,000 Android users with banking-information-stealing malware.

TLDR

The basic errors:

But despite the apparent success of the campaign, the Geost attackers made some basic errors that have allowed researchers to monitor their whole operation, read chat logs and even identify two of the criminals behind the campaign.

The lack of encryption in their chats:

Researchers uncovered the group when examining samples of HtBot, a form of malware that provides attackers with pseudo-anonymous communication to the internet. However, when using the illegal HtBot service, the attackers didn't encrypt their data, alerting researchers to their activity.

The malware extracts the banking passwords from SMS messages:

Once installed on a device, the malware monitored the text messages of the user and it was via this channel that attackers were able to gain access to bank accounts – because it's still common for Russian banks to send out plaintext passwords to users via SMS.

The attackers are still active:

It's believed that the Geost group is still active and researchers will use their knowledge of the group to keep monitoring their activity – because despite the poor operational security of the attackers, they still have access to a huge network of infected Android devices.

Let's Discuss

The most important lesson in the whole article comes from this paragraph:

The initial infection comes in the form of malicious apps – the attackers take legitimate apps from the Google Play store and edit the code to add malicious capabilities alongside the real functionality of the app before uploading it to third-party Android stores to be downloaded by users. The malicious apps are often weaponised versions of popular services, including games, banking and social-networking apps.

This kind of attack shows that we cannot blindly trust the Google Play store when downloading an Android app from the official store. Do you agree?

ERRATA

In the rush to catch the bus back home I missed the obvious, which I even used in my quote from the article:

the attackers take legitimate apps from the Google Play store and edit the code to add malicious capabilities alongside the real functionality of the app before uploading it to third-party Android stores

So while the article I linked does not apply to the Google Play store, my question is still valid and pertinent, and you just need to search Google for "android fake apps" to see these articles:

A big thanks to Simon Newby for alerting me to my mistake.

Posted on Oct 7 '19 by:


Paulo Renato

@exadra37

I am a Developer Advocate for Security in Mobile Apps and APIs at approov.io. Another passion is the Elixir programming language that was designed to be concurrent, distributed and fault tolerant.

Discussion


Not really, it's explicit in the article quote that these are taken from Google Play, reworked and then hosted on other app stores. Google isn't at fault here in this case.


Not really, it's explicit in the article quote that these are taken from Google Play,

You are correct here... I may have missed it because I was in a rush to catch the bus back home.

But be aware that they can also be published back to the Google Play store, and this is more common than Android users may think, but people who work in infosec are well aware of this.

Thanks for letting me know. I will update my article.


Of course, no app store is perfect, unfortunately. I do think Google does a decent job of directing people to legitimate actors when it comes to services such as this, in my own anecdotal experience.

Well, I am not really trying to blame only the Google Play store for this, but just trying to start a discussion around it to make people more aware of the problem.

Do you want to share with us your anecdotal experience?

Nothing really special or unusual as far as I know, but when I sought to download relevant banking applications or enterprise authentication, Play store usually jumps the correct app to the top of the list and disqualifies even searching for other apps without my manual choice to navigate away from the desired result.