Avast researchers encountered banker variants that misuse Android accessibility services and steal sensitive data
With the sudden spread of Covid-19, the need for a tool to trace contact between people quickly arose. Contact tracing applications use smartphones to record interactions between people, so that users can be notified if they have come in contact with, or been in close proximity to, a person confirmed positive for the virus.
Tracing applications are now encouraged or even mandatory in many countries and therefore have a large user base. As a result, many malicious applications resembling the official tracing apps have begun to appear, mostly with the intention of stealing sensitive information from users.
Further reading:
Contact tracing apps face their day of reckoning
What you need to know about government contact tracing apps
The most common threats these users encounter are bankers and spyware applications.
A banker is a type of malware that typically abuses Android’s accessibility service to grant itself the capability to steal sensitive data, specifically log-in credentials, passwords and one-time authentication tokens. The accessibility service is attractive to bankers because an app that has it enabled can observe and interact with the user interface of other apps.
Similar or identical icons and names resembling the original application are often used to trick the user into thinking that the application is legitimate.
These apps usually do not offer the advertised Covid-19 related functionality at all; their only purpose is to collect the user's sensitive data. Most of them hide their presence on the device shortly after installation, in the hope that the user will eventually forget they ever installed them.
We’ve encountered several variants of such bankers impersonating official tracing applications, specifically the British Covid Symptom Tracker, the Indian Aarogya Setu and a Russian app.
Examples of bankers found
Name | Package name | sha256
Coronavírus - SUS | wocwvy.czyxoxmbauu.slsa | D7FC4377B7A765D6BC3901D0DE01008095965D02062FDA3707957163AFE8884D
Corona Track | njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu | 9FFDA0C1E8E9E9C63C5219941F3F72F04EF8027B2ED8443498100DF27E00B8B0
Corona | com.ygmdflerbfvl.tbistzkei | 484F6862473B96487B7D2CB1079DF512403ED48AB25ADF6AA3738FB39ACC625B
Corona | com.xwrmnh.qoszdczhgyt | BB1146C08E39E704DC50C81BA12169D0EEDE42C38FE9EA5EEDAE74952C75433A
Covid19 | hkflsxtoqzybtnk.bekcgmgokixinuo.jamqjxyajdubklkpatutw | 1726CDD1BC9511216D1162B49000DD830CA863138F26FD27AA68C13E16AD7E73
Covid19 | zpihicsrqznizsqcmw.xdfkqojzwozggpbyplbnheeify.ftfdjaeofqyainaghrdd | B8309CBBD739F0AE73CA7B1B6BD6E606E5799FA7F7CD16B70CC1AEB302B63DD2
COVID-19 | anubis.bot.myapplication | 090B5FB792B62225DF6CA55FAC2D96B630D596A61B7071009E0084056D04240A
Spyware is a type of malware that tracks the user’s activity on their phone without their consent. Given the focus of the original apps and the expectations they set (contact tracing), these apps are already expected to access some personal information from the start. It is therefore not surprising that spyware authors cash in on this expectation and covertly slip in a few extra permissions to track even more of the user’s activity.
In some cases, the spyware app masquerading as the legitimate app tricks the user during installation into granting it every sensitive permission it requests. We’ve often seen the spyware app then install the original, legitimate app to actually give the user the functionality they were after, while the spyware app hides itself from sight (by hiding its launcher icon) and remains installed on the victim’s device. All the collected sensitive data, call logs, SMS logs and anything else the spyware operator is after, is then silently sent to the attacker’s servers in the background.
As with bankers, a similar or identical name and icon resembling the original app is used to lure the user into installing the spyware application.
Examples of spyware found
Name | Package name | sha256
Aarogya Setu | com.android.tester | 885D07D1532DCCE08AE8E0751793EC30ED0152EEE3C1321E2D051B2F0E3FA3D7
Aarogya Setu - AddOn | yps.eton.application | F733DED73D4F498327480D232E415465C0F5654A69B431DA081F83998B49EAD2
Aarogya Setu Installer | nic.gov.aarogyasetuinstaller | D66C926AAB6B15CFEE786499645FDA64782C752CAE6DD3D4154FAB81F7FE8744
Corona | com.facebook | 45F82AFBE6576A6DBF458490C1D4577EFCA5C61899B3E9ECA5BBFC6ADF56519E
Corona | com.facebook | 7E5B04636C88C5C7FBCDF09D0578FBD487DDABC613B5648176D4495483D802EB
How can you identify these apps?
First, and probably the most important thing, is to make sure that the source you are downloading the application from is reliable. Make sure you are using the government or public health office’s official websites, websites of the official provider of the application, or official app stores — Google Play or the App Store.
Don't rely solely on the icon, since this is usually the only part that bankers share with the official app. In the case of bankers, a very good indicator that the app is malicious is its package name, which is often composed of a random set of letters, for example: zpihicsrqznizsqcmw.xdfkqojzwozggpbyplbnheeify.ftfdjaeofqyainaghrdd. If you can obtain the APK, its SHA-256 hash can also be compared against known samples such as those listed above.
The size of the app can also be an indicator that something is suspicious: most of the official apps are roughly 10MB to 20MB, while the malicious apps are usually much smaller (1-4MB). But that’s not always the case, so treat size only as a hint.
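The checks above (random-looking package name, known-bad SHA-256, unusually small APK) and the accessibility-service abuse described in the banker section can be scripted. The following is an added example written for this page, not code from Avast or from any of the apps discussed. The hashes are copied from the two tables above; the thresholds (vowel ratio below 0.2, consonant runs of five or more letters, APKs under 5MB), the package name com.example.contacttracer and the sample value of Android's enabled_accessibility_services setting (the colon-separated "package/Class" string printed by `adb shell settings get secure enabled_accessibility_services`) are assumptions and constructed test data.

```python
import hashlib
import re

# SHA-256 values copied from the banker and spyware tables above, lowercased for comparison.
KNOWN_BAD_SHA256 = {h.lower() for h in (
    "D7FC4377B7A765D6BC3901D0DE01008095965D02062FDA3707957163AFE8884D",
    "9FFDA0C1E8E9E9C63C5219941F3F72F04EF8027B2ED8443498100DF27E00B8B0",
    "484F6862473B96487B7D2CB1079DF512403ED48AB25ADF6AA3738FB39ACC625B",
    "BB1146C08E39E704DC50C81BA12169D0EEDE42C38FE9EA5EEDAE74952C75433A",
    "1726cdd1bc9511216d1162b49000dd830ca863138f26fd27aa68c13e16ad7e73",
    "b8309cbbd739f0ae73ca7b1b6bd6e606e5799fa7f7cd16b70cc1aeb302b63dd2",
    "090B5FB792B62225DF6CA55FAC2D96B630D596A61B7071009E0084056D04240A",
    "885D07D1532DCCE08AE8E0751793EC30ED0152EEE3C1321E2D051B2F0E3FA3D7",
    "F733DED73D4F498327480D232E415465C0F5654A69B431DA081F83998B49EAD2",
    "D66C926AAB6B15CFEE786499645FDA64782C752CAE6DD3D4154FAB81F7FE8744",
    "45F82AFBE6576A6DBF458490C1D4577EFCA5C61899B3E9ECA5BBFC6ADF56519E",
    "7E5B04636C88C5C7FBCDF09D0578FBD487DDABC613B5648176D4495483D802EB",
)}

VOWELS = set("aeiou")
SMALL_APK_BYTES = 5 * 1024 * 1024  # assumed threshold: official apps are 10-20MB per the text

# Constructed sample of `settings get secure enabled_accessibility_services`: one
# screen reader plus one of the banker packages from the table above.
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu/njrubljhdew.zkqncfm.cdjqppywpayaaciuwswzu.AccService"
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    with open(path, "rb") as f:
        return sha256_hex(f.read())


def is_known_bad_hash(sha256: str) -> bool:
    return sha256.strip().lower() in KNOWN_BAD_SHA256


def segment_looks_random(segment: str) -> bool:
    """Heuristic for one dot-separated segment of a package name: flag segments of
    five or more letters with a vowel ratio below 0.2 or a run of five or more
    consonants ('y' counts as a consonant). Short segments such as 'com' or 'nhs'
    are skipped. Assumed thresholds; real words with heavy consonant clusters
    can still trip it, so treat a hit as an indicator, not proof."""
    letters = "".join(c for c in segment.lower() if c.isalpha())
    if len(letters) < 5:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    runs = re.findall(r"[^aeiou]+", letters)
    longest_run = max((len(r) for r in runs), default=0)
    return vowel_ratio < 0.2 or longest_run >= 5


def package_looks_random(package: str) -> list:
    """Return the segments of a package name that look like random letters."""
    return [s for s in package.split(".") if segment_looks_random(s)]


def suspicious_accessibility_services(setting: str) -> list:
    """Parse the colon-separated 'package/Class' component list and return the
    packages with random-looking names that have the accessibility service enabled."""
    if setting.strip() in ("", "null"):  # 'null' is printed when nothing is enabled
        return []
    flagged = []
    for component in setting.split(":"):
        package = component.strip().split("/", 1)[0]
        if package and package_looks_random(package):
            flagged.append(package)
    return flagged


def assess_apk(package: str, sha256: str, size_bytes: int) -> list:
    """Combine the three indicators from the text into a list of reasons; an empty
    list means none of the heuristics fired, which is not the same as 'clean'."""
    reasons = []
    if is_known_bad_hash(sha256):
        reasons.append("sha256 matches a sample listed in this article")
    random_parts = package_looks_random(package)
    if random_parts:
        reasons.append("random-looking package name segments: " + ", ".join(random_parts))
    if size_bytes < SMALL_APK_BYTES:
        reasons.append("APK is smaller than %d bytes" % SMALL_APK_BYTES)
    return reasons


if __name__ == "__main__":
    for pkg in ("wocwvy.czyxoxmbauu.slsa", "anubis.bot.myapplication", "com.example.contacttracer"):
        print(pkg, "->", package_looks_random(pkg) or "no random segments")
    print("accessibility:", suspicious_accessibility_services(SAMPLE_ENABLED_SERVICES))
    print(assess_apk("anubis.bot.myapplication",
                     "090B5FB792B62225DF6CA55FAC2D96B630D596A61B7071009E0084056D04240A",
                     2 * 1024 * 1024))
```

Note that anubis.bot.myapplication is caught only by its hash, not by the name heuristic: not every banker uses a randomised package name, which is why the hash and size checks are kept alongside it. On a device, `adb shell pm list packages -f` gives the installed package names and APK paths to feed into assess_apk, and the accessibility setting can be pulled with `adb shell settings get secure enabled_accessibility_services`.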
If anything feels off, it is best to be cautious: double-check the available official materials or ask someone more experienced for guidance before installing.