In 2021, we observed a downward trend in the number of attacks on mobile users. But it is too early to celebrate: attacks are becoming more sophisticated in terms of both malware functionality and vectors.

Last year saw repeat incidents of malicious code injection into popular apps through ad SDKs, as in the sensational case of CamScanner - we found malicious code inside ad libraries in the official APKPure client, as well as in a modified WhatsApp build.

Experts also continued to find malware in apps on Google Play, despite Google’s efforts to keep threats off the platform. Especially notable in 2021 were the Joker Trojan, which signs victims up to paid subscriptions, the Facestealer Trojan, which steals credentials from Facebook accounts, and various banking Trojan loaders. The most common way to sneak malware onto Google Play is for a Trojan to mimic a legitimate app already published on the site (for example, a photo editor or a VPN service) with the addition of a small piece of code to decrypt and launch a payload from the Trojan’s body or download it from the attackers’ server. Often, to complicate dynamic analysis, unpacking actions are performed through commands from the attackers’ server and in several steps: each decrypted module contains the address of the next one, plus instructions for decrypting it.

Besides apps with actual malicious functionality, there are various scamming apps on Google Play - for example, ones that imitate services where you can apply for welfare payments and redirect the user to a page asking for their data and payment of a fee.

Banking Trojans acquired new capabilities in 2021.