Android fans are being warned about a nefarious app found on the Google Play Store which can wipe out banking accounts and cryptocurrency wallets. Security experts at ESET discovered the “extremely dangerous” app on the Google Play Store which is “exceptionally insidious”. The malicious Android app, known as DEFENSOR ID, managed to get on Google’s official Play Store marketplace by using extremely stealthy methods.
ESET said it managed to evade Android security checks by limiting the app’s malicious surface to the bare minimum.
The one malicious function that remained was abusing the Accessibility Service, which has long been an Android weak point that threat actors can exploit.
In a post online, ESET malware researcher Lukas Stefanko said: “Accessibility Service is long known to be the Achilles’ heel of the Android operating system.
“Security solutions can detect it in countless combinations with other suspicious permissions and functions, or malicious functionalities – but when faced with no additional functionality nor permission, all failed to trigger any alarm on DEFENSOR ID.
- Samsung Galaxy users might want to avoid the next major Android update
“By ‘all’ we mean all security mechanisms guarding the official Android app store (including the detection engines of the members of the App Defense Alliance) and all security vendors participating in the VirusTotal programme”.
The ESET study revealed that after the app is installed on an Android device it asks for a number of permissions when started up.
One of these is to “activate accessibility services”, and if a user agrees to this then the app can read any text displayed in any app on a device and send it to attackers.
This means that threat parties can steal login credentials as well as sensitive SMS details such as 2FA codes need to access important accounts.
The huge amount of data the app can access opens the door to it gaining the necessary details to login into online bank accounts as well as cryptocurrency wallets.
It can also gain access to social media accounts as well as other sensitive information.
- Android 11 is a serious upgrade for your phone: here’s why
ESET said they reported their findings to Google and the app was subsequently taken off the Google Play Store.
Stefanko said: “DEFENSOR ID was released on Feb 3, 2020 and last updated to v1.4 on May 6, 2020. The latest version is analysed here; we weren’t able to determine if the earlier versions were also malicious.
“We reported it to Google on May 16, 2020 and since May 19, 2020 the app has no longer been available on Google Play.”
The latest Android alert comes hot on the heels of another warning, with dozens of apps being taken off the Google Play Store recently.
Over 30 popular apps were taken down from the official Play Store marketplace after it wad discovered the software could bombard users with unwanted ads.
The apps were also capable of intrusive browser redirects, which would take Android fans to websites without them ever clicking on a link.
The discovery of these malicious and adware-packed apps was made by the team at WhiteOps, which believes a criminal group were behind the threat.
A total of 38 applications have now been deleted from the Play Store but during their life on the online store they were downloaded a total of 20million times.
In a post on its website, WhiteOps said: “What these apps all have in common – besides their fraudulent tactics – is their focus on beauty. Most purport to be selfie apps that add beauty filters to users’ pictures, while at the same time showing ads out of context and making it nearly impossible to remove the apps themselves. In the time since that first app was published, the fraudsters published a new app every 11 days on average. And on average, those apps were pulled down from the Play Store 17 days later.
“These numbers tell a story of a cat and mouse game, in which the Play Store hunts down the fraudster and keeps them in check by removing fraudulent apps as quickly as they’re discovered. The fraudster likely developed a more robust mechanism to avoid detection and removal. A batch of 15 apps, all published after September 2019, had a much slower removal rate using those new techniques.”
Source: Read Full Article