New campaigns spread banking malware through Google Play

Niels Croese, Lukas Stefanko, Nikolaos Chrysaidos, November, 2017

This year we have seen many different malware campaigns trying to infect users with malicious apps published in the Google Play store. Even though these apps are usually removed within days of being reported to Google, they still manage to infect thousands of users first. Google scans every app submitted to the Play Store to try to block malicious applications, but the latest campaigns we have seen circumvent such automated detection by shipping an otherwise legitimate-looking application whose malicious behaviour only starts after a long timer (in this case two hours) has expired, well beyond the time an automated analysis run typically spends on a sample.
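As an added illustration, not code from the original post or from any of the three labs, the following Python script shows the kind of static triage check an analyst can run over decompiled smali to surface exactly this evasion: long literal delays fed into sleep and timer APIs. The smali excerpt, the class and method names, the list of delay APIs and the 10-minute threshold are all constructed or assumed for the example; the post does not say how the droppers implement their two-hour timer, so treat this as a starting heuristic rather than a signature.

```python
import re
from dataclasses import dataclass

# Assumed analysis budget: flag any delay longer than a typical 10-minute
# sandbox run. The value is this example's own choice, not from the blog post.
SANDBOX_BUDGET_MS = 10 * 60 * 1000

# Framework calls whose long (J) argument is a delay in milliseconds. Real
# droppers have more ways to wait (JobScheduler, WorkManager, server-side
# gating), so this list is deliberately a starting point, not a complete one.
DELAY_APIS = (
    "Ljava/lang/Thread;->sleep(J)V",
    "Landroid/os/Handler;->postDelayed(Ljava/lang/Runnable;J)Z",
    "Landroid/app/AlarmManager;->set(IJLandroid/app/PendingIntent;)V",
    "Landroid/app/AlarmManager;->setExact(IJLandroid/app/PendingIntent;)V",
)

CLASS_RE = re.compile(r"^\s*\.class\b.*\s(L[^\s;]+;)\s*$")
METHOD_RE = re.compile(r"^\s*\.method\b.*\s([^\s(]+)\(")
# const-wide, const-wide/16 and const-wide/32 load a 64-bit literal into a
# register pair; we key on the first register of the pair.
CONST_WIDE_RE = re.compile(
    r"^\s*const-wide(?:/16|/32)?\s+([vp]\d+),\s*(-?(?:0x[0-9a-fA-F]+|\d+))L?\s*$"
)
INVOKE_RE = re.compile(r"^\s*invoke-\S+\s+\{([^}]*)\}\s*,\s*(\S+)\s*$")


@dataclass
class Finding:
    class_name: str
    method: str
    api: str
    delay_ms: int


def find_long_delays(smali: str, threshold_ms: int = SANDBOX_BUDGET_MS) -> list:
    """Scan one smali file and report delay-API calls fed a literal >= threshold."""
    findings = []
    class_name = "?"
    method = "?"
    consts = {}  # register -> most recent wide literal loaded in this method
    for line in smali.splitlines():
        if m := CLASS_RE.match(line):
            class_name = m.group(1)
        elif m := METHOD_RE.match(line):
            method, consts = m.group(1), {}
        elif line.strip() == ".end method":
            consts = {}
        elif m := CONST_WIDE_RE.match(line):
            consts[m.group(1)] = int(m.group(2), 0)
        elif m := INVOKE_RE.match(line):
            regs, target = m.group(1), m.group(2)
            if target not in DELAY_APIS:
                continue
            used = [r.strip() for r in regs.split(",")]
            # Prefer literals loaded into registers actually passed to the call;
            # fall back to anything loaded in the method (covers /range forms).
            candidates = [consts[r] for r in used if r in consts] or list(consts.values())
            if candidates and max(candidates) >= threshold_ms:
                findings.append(Finding(class_name, method, target, max(candidates)))
    return findings


# Constructed smali for the example: a service that sleeps 500 ms in onCreate
# (benign) and schedules its payload 0x6ddd00 ms = 2 hours later in
# onStartCommand. Class, field and method names are invented.
SAMPLE_SMALI = """
.class public Lcom/example/dropper/DelayService;
.super Landroid/app/Service;

.method public onCreate()V
    .locals 2
    const-wide/16 v0, 0x1f4
    invoke-static {v0, v1}, Ljava/lang/Thread;->sleep(J)V
    return-void
.end method

.method public onStartCommand(Landroid/content/Intent;II)I
    .locals 4
    iget-object v0, p0, Lcom/example/dropper/DelayService;->handler:Landroid/os/Handler;
    iget-object v1, p0, Lcom/example/dropper/DelayService;->payloadTask:Ljava/lang/Runnable;
    const-wide/32 v2, 0x6ddd00
    invoke-virtual {v0, v1, v2, v3}, Landroid/os/Handler;->postDelayed(Ljava/lang/Runnable;J)Z
    const/4 v0, 0x1
    return v0
.end method
"""

if __name__ == "__main__":
    for f in find_long_delays(SAMPLE_SMALI):
        print(f"{f.class_name} {f.method}: {f.api} delayed {f.delay_ms / 3_600_000:.1f} h")
```

Run it over a directory of `apktool` output (one call per `.smali` file) and the 500 ms sleep stays quiet while the two-hour `postDelayed` is reported. A hit is a reason to extend the sandbox budget or to hook the clock, not proof of malice on its own: legitimate apps schedule long-lived work too.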

Collaboration

Because our friends Nikolaos Chrysaidos (Avast) and Lukas Stefanko (Eset) also ran into these droppers, we decided to share our knowledge and make this writeup together. You can find their blogs here and here.

In October and November we ran into two new campaigns using droppers in the Play Store, found through our own detection solution CSD and through Avast's mobile detection solution. The first campaign appears to drop the BankBot banking malware. The second campaign drops several families: the same BankBot banker as the first campaign, but also Mazar and Red Alert. This second campaign has recently been described by Lukas, so we will not go into it here, apart from adding some additional IOCs we found related to it at the end of this blog.