If you see this update, you are under attack.
Beware — there is a new threat to worry any Android user with popular banking and shopping apps on their phone. A nasty trojan has been discovered attacking more than 750 legitimate banking and shopping apps, presenting a fake login screen over the real app, stealing your credentials as soon as they’re entered.
This new discovery by Cyble comes just days after Google warned Android users that sideloaded apps from third-party stores and direct installs deliver 50–times as much malware as apps from Play Store. Ironically, although this new threat is sideloaded, its dropper is “disguised as Google Play Services,” giving it seeming legitimacy. The attack requires a Play settings update that Google has repeatedly warned can be dangerous.
Cyble has dubbed this TsarBot given the likely Russian origins of its developers, and says it can “remotely control the screen, executing fraud by simulating user actions such as swiping, tapping, and entering credentials while hiding malicious activities using a black overlay screen. It captures device lock credentials using a fake lock screen to gain full control, [and it can]
send stolen data, and dynamically execute on-device fraud.”
Do not click OK to update this Google Play Services app
TsarBot isn’t limited to overlay attacks given its remote control capabilities. One of which relates to two-factor authentication (2FA), a necessity for the apps it attacks, through “lock-grabbing techniques, keylogging, and intercepting SMS messages.”
An attack starts with an install from a dangerous phishing website. Cyble observed a fake version of a token trading platform, but it could be any website and attackers will move on to keep ahead of discovery. “The phishing site delivers a dropper application that stores the TsarBot APK file, implant.apk, in the “res/raw” folder. The dropper utilizes a session-based package installer to deploy the TsarBot malware on the device.”
Example overlay attack screens for popular apps
After install, the Play Services trick comes into play — so to speak. “TsarBot conceals itself as the Google Play Service app and does not display a launcher icon. Upon installation, it presents a fake Google Play Service update page, prompting the user to enable Accessibility services.” Do not click OK to agree this app update.
“By abusing Accessibility services and WebSocket communication,” Cyble warns, “TsarBot underscores the persistent threat posed by banking malware. Users should exercise caution when installing apps, avoid untrusted sources, and remain vigilant against phishing sites distributing such threats.”
Staying safe is very straightforward. Do not install apps from outside Play Store or other official Android stores. Ensure Play Protect is enabled at all times, and do not be lured into disabling or pausing this for an install unless you’re 100% sure it’s safe and know the source beyond doubt. And don’t enable Accessibility Services” unless an app categorically requires device controls to function. It opens up significant risks.
