BankBot malware invades Google Play Store in guise of Jewels Star Classic

By Ian Chee - on 27 Sep 2017, 7:24pm

Image source: BGR.

The Google Play Store has been a nesting ground for malware this year, from the Charger ransomware detected back in January to the 500 apps removed from the platform just last month. Now ESET has found another one, a member of the BankBot family of Android banking trojans.

The latest variant was first discovered on September 4 and uses a fairly convoluted infection chain that abuses Android's Accessibility Service. It hides inside a game called Jewels Star Classic, which is unrelated to the legitimate game Jewels Star by ITREEGAMER. According to ESET, the malicious game had been downloaded over 5,000 times before the security company reported it to Google.

Image source: ESET.

ESET describes the infection process as follows. The bogus game, published by GameDevTony, is downloaded with the banking malware payload embedded in it. The malware waits about 20 minutes after the game is first run, then displays an alert prompting the victim to enable 'Google Service', a name chosen to resemble the official 'Google Play services'. The only way to dismiss the alert is to tap OK, and when the victim does, they are taken to the Accessibility menu, where the service's description is a copy of Google's official terms of service.

Once enabled, the service asks for accessibility capabilities it has no business having: 'Observe your actions', 'Retrieve window content', 'Turn on Explore by Touch', 'Turn on enhanced web accessibility' and 'Perform gestures'. Granting them brings the victim to a 'Google service update' loading screen, which hides what is actually happening: the malware uses the capabilities it was just granted to tap through system dialogs on the victim's behalf, enabling installation of apps from unknown sources, installing BankBot and granting it device administrator rights. It then makes BankBot the default SMS app, which lets it read every incoming text message, including SMS-based one-time codes, and obtains permission to draw over other apps.

This 'game' is asking for permissions it has no business having. Image source: ESET.

From here, BankBot's overlay takes over the Google Play Store screen and asks for the victim's credit card details.

It looks like this pops up even before you buy anything off the Google Play Store. Image source: ESET.

This malware is especially dangerous because it impersonates Google convincingly and then grants itself control over the device. The delayed activation makes it harder to notice, and the malware's several components (the game, the 'Google Update' dropper and the BankBot payload) make it harder to find and remove.

Thankfully, ESET has listed the steps required to do so. First, obviously, determine whether your device is actually infected by this variant. Look for three things: an app called 'Google Update' (Settings > Application manager/Apps > Google Update), an active device administrator named 'System update' (Settings > Security > Device administrators), and the repeated appearance of the 'Google Service' alert.

If you find all of these, you have some cleaning up to do. Start by disabling device administrator rights for 'System update', then uninstall the 'Google Update' app as well as the infected game, Jewels Star Classic in this case.
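The three indicators above can also be checked over adb instead of tapping through Settings. The script below is an added example written for this page, not code from the article or from ESET. It assumes adb is on PATH, one device is attached with USB debugging enabled, and the allowlisted packages fit your device; the `com.example.gamedevtony...` package names and the sample dumpsys text are constructed placeholders, not real device output. It goes a little beyond the article's three checks by also flagging the settings the dropper flips on the way in (enabled accessibility services, the default SMS app and unknown-sources installs), since the leftover app labels are the easiest thing for a future variant to rename.

```sh
#!/bin/sh
# Added triage script (not part of the article or of ESET's write-up): turns the
# manual checks above into an adb-driven scan of the device settings a
# BankBot-style dropper tampers with.  Assumptions: adb is on PATH, one device
# is attached with USB debugging enabled, and the allowlists below match the
# legitimate apps on your device.  Output formats of `settings get` and
# `dumpsys device_policy` are taken from stock Android and may differ per ROM.

# Packages allowed to run an accessibility service (assumption: only TalkBack).
ALLOWED_A11Y="com.google.android.marvin.talkback"
# Packages allowed to be the default SMS app (assumption: stock messengers).
ALLOWED_SMS="com.google.android.apps.messaging com.android.mms"

# in_list WORD "LIST" -> 0 if WORD is one of the space-separated words in LIST.
in_list() {
  for w in $2; do
    [ "$w" = "$1" ] && return 0
  done
  return 1
}

# flag_accessibility VALUE
# VALUE is the raw `settings get secure enabled_accessibility_services` string:
# colon-separated component names (pkg/.Service), or "null" when none is on.
# Prints every enabled service whose package is not allowlisted; returns 1 if any.
flag_accessibility() {
  hits=0
  case "$1" in ""|null) return 0 ;; esac
  for comp in $(printf '%s' "$1" | tr ':' ' '); do
    pkg=${comp%%/*}
    in_list "$pkg" "$ALLOWED_A11Y" || {
      echo "accessibility service enabled: $comp"
      hits=1
    }
  done
  return $hits
}

# flag_sms VALUE  (raw `settings get secure sms_default_application`)
# The default SMS app receives every incoming text, including SMS one-time codes.
flag_sms() {
  case "$1" in ""|null) return 0 ;; esac
  in_list "$1" "$ALLOWED_SMS" && return 0
  echo "default SMS app is not a known messenger: $1"
  return 1
}

# flag_unknown_sources VALUE  (raw `settings get secure install_non_market_apps`,
# the pre-Android-8 switch the dropper turns on so it can sideload BankBot)
flag_unknown_sources() {
  [ "$1" = "1" ] || return 0
  echo "installation from unknown sources is enabled"
  return 1
}

# flag_device_admins TEXT  (raw `dumpsys device_policy` output)
# Prints each component listed under "Enabled Device Admins".  A legitimate MDM
# or device owner shows up here too, so review the list instead of auto-removing.
flag_device_admins() {
  admins=$(printf '%s\n' "$1" | awk '
    /Enabled Device Admins/ { on = 1; next }
    on && /^ *[a-z][A-Za-z0-9_.]*\/[A-Za-z0-9_.]+:? *$/ { sub(/^ */, ""); sub(/[: ]*$/, ""); print }
  ')
  [ -z "$admins" ] && return 0
  for a in $admins; do echo "device admin active: $a"; done
  return 1
}

# triage: run all four checks against the attached device, then list third-party
# packages so a leftover "Google Update" app can be matched to its package name.
triage() {
  rc=0
  flag_accessibility "$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')" || rc=1
  flag_sms "$(adb shell settings get secure sms_default_application | tr -d '\r')" || rc=1
  flag_unknown_sources "$(adb shell settings get secure install_non_market_apps | tr -d '\r')" || rc=1
  flag_device_admins "$(adb shell dumpsys device_policy | tr -d '\r')" || rc=1
  echo "third-party packages (match labels in Settings > Apps):"
  adb shell pm list packages -3 | tr -d '\r'
  return $rc
}

# Constructed sample (not real device output) so the script can be exercised
# without a phone: one rogue accessibility service and one device admin, with
# hypothetical package names in the shape ESET describes.
SAMPLE_A11Y="com.google.android.marvin.talkback/.TalkBackService:com.example.gamedevtony/.GoogleService"
SAMPLE_DPM='Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.gamedevtony.update/.SystemUpdateReceiver:
      uid=10123
      policies:
        force-lock'

case "${1:-}" in
  --run) triage ;;            # live scan of the attached device
  *) flag_accessibility "$SAMPLE_A11Y"; flag_device_admins "$SAMPLE_DPM"; : ;;
esac
```

Run it with no arguments to see the checks fire on the constructed sample, or with `--run` against a real device. Removal still goes through Settings as described above (disable the device administrator first, since Android refuses to uninstall an active admin), after which `adb shell pm uninstall <package>` removes the dropper and the game by package name.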

Of course, prevention is better than cure, so ESET urges you to download only from official app stores and to check the number of downloads, the ratings and the quality of reviews; the last is usually a good indicator of whether an app is genuine. Finally, always pay attention to the permissions an app asks for, and grant them only if you are sure they are the kind of permissions it should need. No game needs an accessibility service, device administrator rights or the ability to become your SMS app.
