Privacy Ninja

Android Banking Trojan Spreads via Fake Google Play Store Page

Android Banking Trojan Spreads via Fake Google Play Store Page

An Android banking trojan targeting Itaú Unibanco, a large financial services provider in Brazil with 55 million customers globally, has deployed an unusual trick to spread to devices.

The actors have set up a page that looks very close to Android’s official Google Play app store to trick visitors into thinking they are installing the app from a trustworthy service.

Fake Play Store page dropping malicious APKs
Fake Play Store page dropping malicious APKs
Source: Cyble

The malware pretends to be the official banking app for Itaú Unibanco and features the same icon as the legitimate app.

Also Read: How to Choose the Best Penetration Testing Vendor

If the user clicks on the “Install” button, they are offered to download the APK, which is the first sign of the scam. Google Play Store apps are installed through the store interface, never asking the user to download and install programs manually.

APK information
APK information
Source: Cyble

Hijacking the actual app

Researchers at Cyble analyzed the malware, finding that upon execution, it attempts to open the real Itaú app from the actual Play Store.

If that succeeds, it uses the actual app to perform fraudulent transactions by changing the user’s input fields.

Changing user input fields as required
Changing user input fields to perform transactions
Source: Cyble

The app doesn’t request any dangerous permissions during installation, thus avoiding raising suspicious or risking detection from AV tools.

Instead, it aims to leverage the Accessibility Service, which is all that’s needed by mobile malware to bypass all security on Android systems.

As a recent report by Security Research Labs explains, we are dealing with an Android malware Accessibility abuse pandemic right now, and Google is yet to plug the targeted weak spot.

As such, only the user has the chance to spot the signs of abuse and stop the malware before it gets a chance to perform destructive actions on the device.

Also Read: This Educator Aims to Make Good Cyber Hygiene a Household Practice

Malware requesting permission to these actions
Malware requesting permission to actions
Source: Cyble

These signs come in the form of the app requesting permission to perform gestures, retrieve window content, and observe user actions.

The websites used to distribute the malicious APKs have been reported and taken offline for now, but the actors may return through different domains.

Use the real banking apps

If you want to enjoy the convenience of mobile e-banking, make sure to install the app from the bank’s official website or the Google Play Store.

Moreover, apply updates on the app as soon as they become available and use an AV tool from a reputable vendor.

To ensure maximum account security, use a strong password and enable multi-factor authentication on the app.

If you need to install APKs from outside the store, carefully scrutinize their permissions requests during and after installation.

Finally, regularly check and ensure that Google Play Protect is enabled on your Android device.

Outsourced Data Protection Officer – It is mandatory to appoint a Data Protection Officer. We help our clients quickly comply with their PDPA & data protection requirements.

Vulnerability Assessment Penetration Testing – Find loopholes in your websites, mobile apps or systems.

Smart Contract Audit – Leverage our industry-leading suite of blockchain security analysis tools, combined with hands-on review from our veteran smart contract auditors.


Leave a Reply

Your email address will not be published. Required fields are marked *


Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.

Powered by WhatsApp Chat

× Chat with us