Malware: A month in review - August 2018

Detections of malicious apps continue to be a major problem for users of the Google Play Store. Whilst there is a vetting process in place, malicious apps seem to be getting around it with techniques as simple as changing their registered developer name on the platform. As a result, every day brings more detections of malicious apps on the Play Store, many of which are infostealers that target banking credentials. Over the course of August, more than 100 malicious apps were found on the Store.

One notable example of this worrying trend was the discovery of banking-malware-laden apps being reported to Google, removed from the Store, and then reappearing, sometimes only days later. Many of these received thousands of downloads before they were removed. A second case was a raft of detections of the Anubis credential-stealing malware, which was spreading through the Play Store to Turkish users specifically.

Banking Trojans remained a significant threat to users all over the world this month. A significant discovery was reported by a researcher who claimed to have come across a variant of the TrickBot banking Trojan with keylogging capabilities. This adds one more threatening capability to the already infamous malware. It should also be noted that this malware was one of the key threats of the summer period (June to August).

Elsewhere, Brazilian banking users were targeted with a newly detected family, dubbed CamuBot. So far the malware has only been seen targeting business account holders in Brazil. It has not been observed in other regions, but it is possible that this may change over time. A new wave of malspam was also seen pushing the Ursnif banking Trojan to users in Italy. This is not the first time banking customers in that country have been targeted in this way, and the trend continued throughout most of the summer. In Russia, meanwhile, the mobile banking Trojan Asacub was found to have infected more than 220,000 users. Others were affected worldwide, but the main focus was on Russia.

This problem extends into, and is bolstered by, the sale of malware tailored for the financial sector on the Darknet platforms that we monitor. One example of this is the sale of a new ATM malware on the Russian-speaking forum Club2CRD. Such malware often targets the ATMs of specific banks, coming prepared to deal with particular operating systems and rigged to enable easy looting of machines.

There was a slight uptick in detections of ransomware over August, following on from a steady increase since the middle of the year. Shrug2, CryptoNAR, GhostImposter, Ryuk, and Matrix are just some of the new ransomware families released into the wild this month. It is unclear why this has happened, or even whether it is representative of the wider malware environment. However, it could indicate a slight increase in interest from malicious actors in this form of infection, following a slight dip at the end of 2017 and into 2018.