Updated on September 25 with Google’s advice to users following these new reports and details of another banking trojan now actively targeting Android users.
Google is cleaning up Android. The longtime app free-for-all is coming to an end, with a Play Store cull and tightening of restrictions around sideloading now hitting users, and Play Protect soon to be enhanced with Android 15’s live threat detection. All this is intended to close the gap to iOS and the locked down iPhone ecosystem.
But the warnings keep coming that very serious risks remain, and this week brought two separate security reports. First to Kaspersky, which has warned of the risks from “modified versions of Spotify, WhatsApp, Minecraft, and other apps from Google Play.”
The researchers again highlight the dangers of the Necro Trojan, first reported on in 2019, when they “discovered a Trojan in CamScanner, a text recognition app, which had clocked up over 100 million downloads on Google Play. Now the ‘necromancers’ have injected new blood into the old Trojan: we found a version richer in features both in popular apps on Google Play and in various app mods on unofficial sites.”
Kaspersky says it found the trojan on a Spotify mod distributed outside Play Store, but also hiding in Wuta Camera, which “found its way onto Google Play, from where the app was downloaded more than 10 million times.”
The advice is simple. No to third-party stores, and a bigger no to mods for popular apps from unofficial sources. But “apps on Google Play and other official platforms should also be treated with a healthy dose of skepticism. Even a popular app like Wuta Camera, with 10 million downloads, proved powerless in the face of Necro.”
The trojan has evolved, and its obfuscation is far more advanced than in its earlier iterations. Its intent remains the same, though: “Load and run any DEX files, install downloaded apps, tunnel through the victim’s device, and even—potentially—take out paid subscriptions. In addition, they can display and interact with ads in invisible windows, as well as open arbitrary links and run any JavaScript code.”
The second warning comes from Cleafy, which warns that in June it “identified an unclassified Android banking Trojan… a variant of TrickMo, albeit with newly incorporated anti-analysis mechanisms.”
TrickMo is the Android malware tied to the operators of the infamous TrickBot botnet, and this variant again brings more advanced obfuscation and active anti-analysis measures to hinder discovery. TrickMo, too, was first identified back in 2019, so the pattern repeats: as the defenses built around phones and app stores improve, these threats evolve and harden in a constant game of cat and mouse.
TrickMo’s bag of tricks is impressively complete and includes:
- Interception of One-Time Passwords (OTPs)
- Screen Recording and Keylogging
- Remote Control Capabilities
- Accessibility Service Abuse
- Advanced Obfuscation Techniques
- Anti-Analysis Mechanisms
Again, not something you want on your phone. The malware is distributed as a fraudulent Chrome browser update which, once installed, shows “a warning message prompting users to update Google Play services.”
According to Cleafy, “the new app is deceptively named ‘Google Services’ and poses as a legitimate instance of Google Play Services. Upon launching, the app displays a window to ask the user to enable Accessibility services for the app.” This neat piece of social engineering, hiding malware behind trusted names, is unsurprisingly effective: Accessibility access is what lets the malware read the screen, log keystrokes and act on the user’s behalf.
The common thread here is clear. Do not trust mods, updates or even initial installs of popular apps from anywhere other than official stores. Do not fall for unofficial mods, whatever their source. And scrutinize even official store installs of trivial apps from unfamiliar developers.
In response to the new reports, a Google spokesperson told me that “all of the malicious versions of the apps identified by this report were removed from Google Play prior to report publication. Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.”
Google is saying Play Protect will defend users against both Necro and TrickMo. It really is essential to keep Play Protect enabled (it lives in the Play Store app’s Play Protect settings): once a sample is confirmed malicious, Play Protect will warn about or block that known version, including when it arrives from outside Play. The caveat, underlined by all three of this week’s reports, is that this is a known-bad check: a freshly obfuscated variant may not be flagged until it has been identified, so Play Protect complements careful installation habits rather than replacing them.
Talking of new threats, a third report into new Android malware in quick succession has just been released. Continuing the theme, ThreatFabric warns that a new Octo variant is targeting users while “masquerading as Google Chrome, NordVPN, and Enterprise Europe Network applications.”
Octo itself, part of the Exobot family, is so well established that the researchers warn “the discovery of a new version, named ‘Octo2’ by its creator, could potentially shift the threat landscape and the Modus Operandi of the actors behind it.”
Again, continuing the theme, this is a case of an evolving malware rather than a totally new threat. “The first samples of the Exobot malware family were seen in 2016. At that time, it was a banking trojan capable of performing overlay attacks and controlling calls, SMS, and push notifications.” The evolution from Exobot to ‘ExobotCompact’ (Octo) came three years later, in 2019.
ThreatFabric says it has detected Octo activity through Malware-as-a-Service campaigns as far afield as “Europe, the USA, Canada, the Middle East, Singapore, and Australia.” Renting out the malware accelerates its spread: each affiliate brings its own distribution campaigns, while the developer supplies the supporting infrastructure and obfuscation. Octo2 is expected to slot in as a drop-in replacement for its predecessor, inheriting those established distribution channels.
The researchers say “Octo2’s settings contain traces of multiple applications and apps being on the radar of the actors… It means that once Octo2 detects a push notification from one of the apps on the list, it will intercept it and not show it to the victim. The presence of the app on the list means that it is of interest to cybercriminals, and they are already preparing to attack its users.”
As with the other two, Octo2 relies on a fake “Google” notification pop-up to talk Android users into bypassing device restrictions so the malware can run. The code has changed materially in this iteration, but the intent is unchanged: to steal banking credentials for specific targeted apps.
“The emergence of the Octo2 variant signals future challenges for mobile banking security, as its enhanced capabilities and wider usage pose significant risks… Octo2 builds on [its] foundations with even more robust remote access capabilities and sophisticated obfuscation techniques. This makes it harder for security systems to detect and remove it, increasing the malware’s longevity and potential impact.”
Octo may be changing, but the advice for users remains the same; here’s a refresh on the other golden rules for staying safe:
- Stick to official app stores—don’t use third party stores and never change your device’s security settings to enable an app to load.
- Check the developer in the app’s description—is it someone you’d like inside your life? And check the reviews, do they look legitimate or farmed?
- Do not grant permissions to an app that it should not need: torches and star-gazing apps don’t need access to your contacts and phone. And never grant Accessibility permissions, which allow an app to see and control the screen, unless you genuinely need them.
- Once a month, scan through your phone and delete a few of the apps you no longer need or haven’t used in a long time.
- Do not install apps that piggyback on established apps like WhatsApp unless you know for a fact they’re legitimate; check reviews and online write-ups.
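The fake “Google Services” app in the TrickMo report and the sideloading rule above both come down to two things a device owner, or an incident responder handed a phone, can check directly over adb: which apps hold Accessibility access, and which third-party apps were not installed by Google Play. The script below is an added example written for this page; it is not code from Kaspersky, Cleafy, ThreatFabric or Google. It parses the output of `settings get secure enabled_accessibility_services` and `pm list packages -3 -i` (both real adb shell commands), flags any Accessibility service whose package is not on an allowlist, and flags any third-party package whose recorded installer is not `com.android.vending`. The sample device output embedded at the bottom is constructed for illustration, and so are the package names in it: `com.google.services` is a stand-in mimicking the “Google Services” name the TrickMo dropper uses, not a known package id.

```shell
#!/bin/sh
# Added example (not from the reports above): audit an Android device for the
# two footholds the Necro, TrickMo and Octo2 reports describe, namely apps
# that hold Accessibility access and apps installed from outside Google Play.
#
# On a real device with USB debugging enabled, feed the functions live data:
#   suspicious_a11y_services "$(adb shell settings get secure enabled_accessibility_services)" "$ALLOW"
#   sideloaded_packages "$(adb shell pm list packages -3 -i)"
# The functions take the raw output as an argument so they can be exercised
# offline on the constructed sample at the bottom of this file.

# Print one "package/service" line for each enabled Accessibility service
# whose package is not in the allowlist.
#   $1: raw value of enabled_accessibility_services (colon-separated
#       "package/service" entries, or the literal "null" when none is enabled)
#   $2: space-separated allowlist of package names you know you rely on
suspicious_a11y_services() {
    raw=$1
    allow=$2
    [ "$raw" = "null" ] && return 0
    printf '%s\n' "$raw" | tr ':' '\n' | while IFS= read -r entry; do
        [ -z "$entry" ] && continue
        pkg=${entry%%/*}                 # package name before the slash
        case " $allow " in
            *" $pkg "*) ;;               # allowlisted, e.g. a screen reader
            *) printf '%s\n' "$entry" ;; # anything else gets reviewed
        esac
    done
}

# Print "package installer=<name>" for each third-party package whose recorded
# installer is not Google Play (com.android.vending). "null" means no installer
# was recorded, which is what an adb install or a manually opened APK typically
# leaves behind; any other name is a different store or installer app.
#   $1: raw output of `pm list packages -3 -i`, one line per package:
#       package:com.example.app  installer=com.android.vending
sideloaded_packages() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            package:*) ;;
            *) continue ;;               # skip blank or unexpected lines
        esac
        pkg=${line#package:}
        pkg=${pkg%% *}                   # drop everything after the name
        inst=${line##*installer=}
        [ "$inst" = "com.android.vending" ] && continue
        printf '%s installer=%s\n' "$pkg" "$inst"
    done
}

# --- constructed sample output standing in for a real device -----------------
# Package names are illustrative. "com.google.services" mimics the "Google
# Services" name the TrickMo dropper uses; it is not a known package id.
SAMPLE_A11Y='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.google.services/com.google.services.AccService'
SAMPLE_PKGS='package:com.spotify.music  installer=com.android.vending
package:com.google.services  installer=null
package:com.example.cammod  installer=com.example.thirdpartystore'

echo "== Accessibility services not on the allowlist =="
suspicious_a11y_services "$SAMPLE_A11Y" "com.google.android.marvin.talkback"
echo "== Third-party packages not installed by Google Play =="
sideloaded_packages "$SAMPLE_PKGS"
```

Treat the output as a starting point, not a verdict: a legitimate screen reader or password manager holds Accessibility access for good reasons, which is what the allowlist is for, and an OEM store will show up as a non-Play installer. What you are looking for is the combination the TrickMo report describes: a package you did not knowingly install, with a Google-sounding name, holding Accessibility access and with no store behind it.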