The official Android applications marketplace, Google Play Store, is unintentionally distributing a type of banking malware known as BankBot.
The Android malware was first discovered in the Play Store in April 2017.
Soon after its discovery, it was eliminated only to be thereafter re-discovered by security experts in September.
The malware has now resurfaced in the Play Store for the third time, once again slipping past the store's application verification and security controls.
Despite the fact that Google Play Store markets itself as the place to source malware-free applications, it seems a few major security problems have plagued the tech giant.
The Android malware is designed to steal users’ banking credentials, payment details and important financial data.
The malware works by tricking users into providing their banking information by presenting a fake login window with an interface that looks identical to that of a banking application login page.
Upon initializing, the malware identifies which mobile financial applications are installed on the victim's device and selects a matching overlay, displaying a fake version of the banking application the user has installed.
The sophisticated malware can also bypass security controls such as two-factor authentication using text messages.
It monitors the user's secondary authentication channel (the text messages carrying one-time codes), giving attackers every piece of information they need to compromise the victim's banking data.
This latest version of the BankBot Android malware was discovered by RiskIQ security researchers, who identified it on the Play Store as an application called “CryptoCurrency Market Prices.” The app came complete with a fake logo and a “Verified by Google Play Protect” designation, so it looked to users like a legitimate, trusted currency converter.
The application was also equipped with a legitimate feature for monitoring digital currency that is designed to compare the value trends for top-performing cryptocurrencies such as Bitcoin and Ethereum, alongside others.
Because this legitimate functionality worked as advertised, the application passed the Google Play Store security check.
The attackers also updated the application and Android malware regularly to avoid detection by Google security tools.
By developing a working application, the group behind BankBot could easily achieve their goals as users tend to uninstall apps that crash often or do not work properly.
The application seemed fully functional and therefore spread across the world rapidly, hitting both cryptocurrency and banking application users.
When the Cryptocurrency Market Prices application is installed, it requests several intrusive permissions, including the ability to send and read SMS messages, access the internet, and write to external storage.
Once granted all the necessary permissions, the application can overlay a false login interface, extract the stolen financial information and transmit it to the attacker.
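As an added illustration (not code from the original report or from RiskIQ), the following Python triage check flags a decoded AndroidManifest.xml, such as one produced by apktool, that requests the permission combination described above. The manifest text and package name are constructed; the overlay permission (SYSTEM_ALERT_WINDOW) and the accessibility-service binding are assumed typical mechanisms for drawing a fake login window, not details stated in the report.

```python
"""Manifest triage for the SMS-plus-overlay permission pattern (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission groups that together match the behaviour described: SMS access
# (second-factor interception), overlay/accessibility (fake login window) and
# network access (exfiltration). Storage is recorded but not weighted.
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.SEND_SMS"}
OVERLAY_PERMS = {"android.permission.SYSTEM_ALERT_WINDOW"}  # assumed mechanism
NETWORK_PERMS = {"android.permission.INTERNET"}
STORAGE_PERMS = {"android.permission.WRITE_EXTERNAL_STORAGE"}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"  # assumed


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission> names declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def declares_accessibility_service(manifest_xml: str) -> bool:
    """True if any <service> is guarded by the accessibility bind permission."""
    root = ET.fromstring(manifest_xml)
    return any(el.get(ANDROID_NS + "permission") == ACCESSIBILITY_BIND
               for el in root.iter("service"))


def triage(manifest_xml: str) -> dict:
    """Score a manifest: a price ticker has no reason to read SMS or overlay apps."""
    perms = requested_permissions(manifest_xml)
    f = {"sms": sorted(perms & SMS_PERMS),
         "overlay": bool(perms & OVERLAY_PERMS),
         "accessibility": declares_accessibility_service(manifest_xml),
         "network": bool(perms & NETWORK_PERMS),
         "storage": bool(perms & STORAGE_PERMS)}
    f["suspicious"] = bool(f["sms"]) and (f["overlay"] or f["accessibility"]) and f["network"]
    return f


# Constructed manifests: one mimicking the described permission set, one benign.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="example.pricetracker">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application><service android:name=".Svc"
    android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/></application>
</manifest>"""
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="example.pricetracker"><uses-permission android:name="android.permission.INTERNET"/>
  <application/></manifest>"""
```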
With this information, the attacker can potentially make purchases, sell the stolen credentials or commit other types of electronic fraud for self-benefit.
It is clear that the cybercriminals behind the Android malware update it regularly.
Since its first appearance, the malware has improved its code obfuscation and its payload-dropping functionality, and it abuses the Play Store's accessibility service in a distinctive way.
The malicious app had a few thousand downloads before detection and was removed from the Play Store immediately after Google received a security report.
However, security researchers say it is likely that the Android malware will appear again with modified code and further improvements that will enable it to continue to bypass Play Store’s protection and security policy.
Considering the skyrocketing prices of cryptocurrencies, particularly Bitcoin, attackers are reviving old malware strains and modifying them to slip past Google's defenses and target lucrative niches like the financial market.
Although Google has repeatedly claimed that it follows the best security practices to protect the vast majority of its more than 1.4 billion Android users from malware, it has yet to make the Google Play Store as clean as its main competitor, the Apple App Store, which is better but not completely secure either.
The continued Android malware infiltration is an embarrassing moment for Google just after delivering better security updates like the recently rolled-out Google Play Protect feature.
The BankBot Android malware resurfaced a few weeks after cybercriminals managed to upload a fake version of WhatsApp on Play Store, which was downloaded by more than a million Android users before it was detected and removed.