In order to escape from security researchers using emulators, the Trojan would only trigger when the infected devices moved.
According to Ars Technica, some malicious apps found on the Google Play Store have been discovered using a new and clever trick to avoid detection: they use the infected device’s motion sensors to monitor movement before installing a particularly powerful bank-targeting Trojan. This ensures the Trojan will not load on the emulators that security researchers use to detect such malware.
The emulators security researchers normally use are unlikely to feed the device’s motion sensors, and this is most likely the thinking behind hiding behind them: real users are likely to produce motion readings while using their phones, whereas a researcher’s emulator would not. So the malware remains dormant and only triggers once motion is detected.
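As an added illustration (not from the article or from Trend Micro), the following Python models what a motion gate of the kind described above sees in a stock emulator versus a device in a user's hand, so an analysis sandbox can check that its synthetic sensor feed would clear such a gate. The accelerometer data is constructed, and the `sensor set acceleration x:y:z` console syntax is an assumption taken from the Android emulator console documentation rather than exercised here.

```python
import math
import random
from typing import List, Tuple

Sample = Tuple[float, float, float]
GRAVITY = 9.81  # m/s^2 reported on one axis by a phone lying still


def static_stream(n: int) -> List[Sample]:
    """What a stock emulator typically reports: gravity only, no jitter."""
    return [(0.0, GRAVITY, 0.0)] * n


def synth_accel_stream(n: int, seed: int = 0) -> List[Sample]:
    """Constructed 'device in a walking user's hand' feed: gravity plus a slow
    sway and sensor noise. Purely synthetic, not recorded from a real device."""
    rng = random.Random(seed)
    out = []
    for i in range(n):
        sway = 1.5 * math.sin(2 * math.pi * i / 20)  # one step per ~20 samples
        out.append((sway + rng.gauss(0, 0.05),
                    GRAVITY + 0.5 * sway + rng.gauss(0, 0.05),
                    rng.gauss(0, 0.05)))
    return out


def motion_detected(samples, delta_threshold=0.2, min_events=10) -> bool:
    """Motion gate of the kind the article describes: count sample-to-sample
    changes in acceleration larger than delta_threshold. A static feed fails."""
    events = 0
    for (x0, y0, z0), (x1, y1, z1) in zip(samples, samples[1:]):
        delta = math.sqrt((x1 - x0) ** 2 + (y1 - y0) ** 2 + (z1 - z0) ** 2)
        if delta > delta_threshold:
            events += 1
    return events >= min_events


def emulator_console_commands(samples) -> List[str]:
    """Console lines that would replay the feed into an emulator. The
    'sensor set acceleration x:y:z' syntax is assumed, not verified here."""
    return [f"sensor set acceleration {x:.3f}:{y:.3f}:{z:.3f}"
            for x, y, z in samples]


if __name__ == "__main__":
    print("stock emulator clears gate:", motion_detected(static_stream(200)))
    print("synthetic feed clears gate:",
          motion_detected(synth_accel_stream(200, seed=1)))
```

A sandbox that replays the synthetic feed (for example over the emulator console) gives a motion-gated dropper nothing to distinguish it from a handset in use.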
Security firm Trend Micro found the motion-activated malware in two apps, BatterySaverMobi and Currency Converter. BatterySaverMobi already had about 5,000 downloads, while the latter has an unknown number of downloads. Both apps have now been removed from the Google Play Store.
Once the malware is triggered, it installs the Anubis banking Trojan on the device, then uses requests and responses via Twitter and Telegram to locate the malware’s command and control server.
“Then, it registers with the C&C server and checks for commands with an HTTP POST request,” Trend Micro researcher Kevin Sun wrote. “If the server responds to the app with an APK command and attaches the download URL, then the Anubis payload will be dropped in the background.”
The malware would then try to trick users into installing the app using the fake system update as shown below:
Once Anubis is installed, it would act as a keylogger to steal users’ account credentials and logins. Anubis can also steal the victim’s login credentials by taking screenshots of the infected device’s screen.
According to Trend Micro researcher Kevin Sun:
Our data shows that the latest version of Anubis has been distributed to 93 different countries and targets the users of 377 variations of financial apps to farm account details. We can also see that, if Anubis successfully runs, an attacker would gain access to contact lists as well as location. It would also have the ability to record audio, send SMS messages, make calls, and alter external storage. Anubis can use these permissions to send spam messages to contacts, call numbers from the device, and other malicious activities. Previous research from security company Quick Heal Technologies shows that versions of Anubis even function as ransomware.
Sun provided the following screenshot showing some of the financial apps the Anubis Trojan is targeting:
Malicious app developers are getting clever and are employing new ways to avoid detection, so this means Android users should always be careful when downloading and installing apps on their devices.