ESET researchers have found a banking trojan in the official Google Play store. The malware was listed in the “Education” section under the name DEFENSOR ID and masqueraded as a security application.
This is not surprising: even the notorious TrickBot banker has its own malicious Android component. The app’s store description claimed that it improved user security by using end-to-end encryption. In reality, of course, the application did nothing to improve security.
To do its work, DEFENSOR ID requested several sensitive permissions, including the ability to change system settings and access to the Accessibility Service.
“The app got into the official Google Play store due to its exceptional stealth. Its operators reduced malicious activity to a minimum by removing all potentially suspicious features, except for one: abuse of the Accessibility Service. Due to this, the application lasted on Google Play for several months,” the researchers say.
DEFENSOR ID was added to the store on February 3, 2020, and in early May 2020 it was updated to version 1.4.
The Accessibility Service is Android’s well-known “Achilles heel”. Although its purpose is to make applications usable for people with disabilities, attackers have for years abused its capabilities to interact with the system interface and with other applications on the user’s behalf.
Once granted these privileges, the app could read any text displayed by any other application and send it to the attackers: SMS messages, login credentials, two-factor authentication codes, and so on. That gave the operators access to the victim’s online banking, social network and email accounts.
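Since Accessibility Service abuse was the one suspicious capability DEFENSOR ID kept, an unexpected entry in a device’s list of enabled accessibility services is exactly the signal a practitioner would look for. The script below is an added example (not code from ESET or from the article) that reads that list over adb and flags any service whose package is not on a short allowlist. It uses the real `adb shell settings get secure enabled_accessibility_services` query; the allowlist contents, the `com.example.fakeprotector` package and the sample setting value are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the ESET write-up): audit the accessibility
# services enabled on an Android device and flag unexpected ones.
#
# Android keeps the enabled services in the secure setting
# "enabled_accessibility_services" as colon-separated "package/ServiceClass"
# entries; an unset value prints as "null".

# Packages whose accessibility services are expected on the device.
# ASSUMPTION: this allowlist is illustrative; tailor it to your own fleet.
ALLOWLIST="com.google.android.marvin.talkback com.android.talkback"

# Read the raw setting from the attached device (requires adb on PATH and an
# authorized device); strip the CR that adb shell appends on some hosts.
device_a11y_services() {
    adb shell settings get secure enabled_accessibility_services | tr -d '\r'
}

# Print every enabled "package/ServiceClass" whose package is not allowlisted.
# $1: raw setting value as returned by the settings query.
flag_unknown_a11y_services() {
    setting=$1
    if [ -z "$setting" ] || [ "$setting" = "null" ]; then
        return 0        # no accessibility services enabled at all
    fi
    printf '%s\n' "$setting" | tr ':' '\n' | while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        pkg=${entry%%/*}          # package name precedes the first slash
        allowed=0
        for a in $ALLOWLIST; do
            if [ "$pkg" = "$a" ]; then
                allowed=1
                break
            fi
        done
        if [ "$allowed" -eq 0 ]; then
            printf '%s\n' "$entry"
        fi
    done
}

# Demo on a constructed value: one legitimate screen reader plus a
# hypothetical third-party "protector" app that obtained accessibility access.
SAMPLE='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakeprotector/com.example.fakeprotector.WatcherService'
echo "Unexpected accessibility services in constructed sample:"
flag_unknown_a11y_services "$SAMPLE"

# Against a real device, run:
#   flag_unknown_a11y_services "$(device_a11y_services)"
```

Any package reported here that is not a screen reader, password manager or other tool the user knowingly installed deserves a closer look, because a service with this access can read every on-screen string and drive the UI, which is all DEFENSOR ID needed.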
Judging by the developer name, GAS Brazil, the criminals were most likely targeting Brazilian users (although the app shipped in English as well as Portuguese). The name also appears to allude to GAS Tecnologia, a well-known antifraud solution that is commonly installed on computers in Brazil; several banks in the country require it for access to online banking.
Alongside DEFENSOR ID, the researchers found another malicious application, Defensor Digital; both used the same command-and-control server. Both have since been removed from Google Play.
Incidentally, ESET researchers are not only hunting bankers on Google Play: they also recently analysed Android ransomware being distributed through adult-content communities on Reddit, and how to avoid that trap.