You’ll probably recall the ancient Greek story about a deceptive gift that led to the fall of the city of Troy. Well, the trick still works, despite Google's latest measures such as Play Protect, modern permission enforcement and the broader Android Security program.
Take QRecorder, for example - an app to record phone calls. Sounds good so far. It has over 10,0000 downloads and works as you’d expect. After installation it asks for permission to draw over other apps - just to display its widget on a call screen - which seems legit. But then the app abuses this right and tricks the user into giving it accessibility permissions by displaying a fake "Enable Google Service" alert.
What "Google Service"? When? And why now? While victims believe they are enabling some sort of "Google Service", they’re actually enabling accessibility features, and with this permission QRecorder automatically downloads, installs and opens a malicious payload.
After that, once the user launches a legitimate banking app, the trojan shows a fake login screen overlaid on top of it, and no one notices the difference. And yes, it can read SMS, thanks to accessibility.
Details and video are available here: https://lukasstefanko.com/2018/09/banking-trojan-found-on-google-play-stole-10000-euros-from-victims.html
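A defender-side check for the combination described above, as an added example that is not from the original post: it takes text captured with `adb shell settings get secure enabled_accessibility_services` and `adb shell appops get <package> SYSTEM_ALERT_WINDOW` and lists apps holding both rights. The package names and sample outputs are constructed, and the exact `appops` line shape is an assumption.

```python
"""Flag apps that hold both rights abused in this chain: draw over other
apps and an enabled accessibility service. Inputs are text captured via adb."""
import re

OVERLAY_OP = "SYSTEM_ALERT_WINDOW"

def accessibility_packages(setting_value):
    """Parse `settings get secure enabled_accessibility_services`.
    The value is a colon-separated list of package/service components."""
    value = (setting_value or "").strip()
    if value in ("", "null"):
        return set()
    return {c.split("/", 1)[0] for c in value.split(":") if c}

def overlay_allowed(appops_output):
    """Parse `appops get <package> SYSTEM_ALERT_WINDOW` text.
    Assumed line shape: 'SYSTEM_ALERT_WINDOW: allow; time=...'.
    Only an explicit 'allow' counts; 'default' defers to the platform's
    own permission check and is not flagged by this example."""
    m = re.search(rf"{OVERLAY_OP}:\s*(\w+)", appops_output or "")
    return bool(m) and m.group(1) == "allow"

def risky_packages(setting_value, appops_by_package, allowlist=()):
    """Return packages with both rights, minus reviewed exceptions."""
    enabled = accessibility_packages(setting_value)
    return sorted(
        pkg for pkg in enabled
        if pkg not in allowlist
        and overlay_allowed(appops_by_package.get(pkg, ""))
    )

# Constructed sample data (package names are made up for illustration).
SAMPLE_SETTING = (
    "com.example.callrecorder/com.example.callrecorder.HelperService:"
    "com.example.screenreader/.ReaderService:"
    "com.example.passwords/.AutofillService"
)
SAMPLE_APPOPS = {
    "com.example.callrecorder": "SYSTEM_ALERT_WINDOW: allow; time=+2h3m ago",
    "com.example.screenreader": "SYSTEM_ALERT_WINDOW: default",
    "com.example.passwords": "SYSTEM_ALERT_WINDOW: allow",
}

if __name__ == "__main__":
    for pkg in risky_packages(SAMPLE_SETTING, SAMPLE_APPOPS,
                              allowlist={"com.example.passwords"}):
        print("review:", pkg)
```

An app that appears in the output is not necessarily malicious; it is one whose need for both rights should be reviewed.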
Here is a related press release from the author of the original QRecorder:
So the base source code of this DIY trojan was bought on the marketplace, and its additional malicious part looks like the well-known BankBot, already seen in a series of high-profile crimes.
The bottom line: vendors put a lot of effort into protecting us, but we still cannot fully rely on them, so think twice before your next "Ok" answer.