This is a rather different piece of news: an Android malware that triggers only when it detects that the device is in motion.

Malware authors think of all kinds of ways to prevent their malware from being detected by security companies and security software. Hence, over the years, they have been creating viruses, worms, Trojans etc. which refuse to activate when they detect that their code is being analyzed.

Different kinds of methods are employed to ensure that malware does not execute its code while automated analyses by researchers are in progress. The malware authors bet that when an automated analysis fails to detect the malware, the researchers will move on, and the malware can then trigger its payload. And now we have Android malware that uses motion-based evasion techniques.

Security researchers at Trend Micro have found two malicious apps on Google Play that drop banking malware and use motion-based evasion techniques. These apps, named Currency Converter and BatterySaverMobi, were disguised as useful tools; they have since been removed from the Play Store.

These two malicious apps, which seemed to get good reviews (mostly invalid reviews) and which were downloaded thousands of times, dropped the banking malware Anubis. Kevin Sun of Trend Micro writes, in a detailed blog post on the campaign: “We looked into this campaign and found that the apps dropped a malicious payload that we can safely link to the known banking malware Anubis (detected by Trend Micro as ANDROIDOS_ANUBISDROPPER). Upon analysis of the payload, we noted that the code is strikingly similar to known Anubis samples. And we also saw that it connects to a command and control (C&C) server with the domain aserogeege.space, which is linked to Anubis as well.”

According to the Trend Micro researchers, the malware tries to hide its activities by checking for motion of the user and the device before acting.

The Trend Micro blog post explains, “As a user moves, their device usually generates some amount of motion sensor data. The malware developer is assuming that the sandbox for scanning malware is an emulator with no motion sensors, and as such will not create that type of data. If that is the case, the developer can determine if the app is running in a sandbox environment by simply checking for sensor data.”

It further says, “The malicious app monitors the user’s steps through the device motion sensor. If it senses that the user and the device are not moving (if it lacks sensor data and thus, might be running in a sandbox environment), then the malicious code will not run.”
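To make the check described in those two quotes concrete, here is an added example written for this page; it is not code from Trend Micro or from the malware. It assumes a constructed accelerometer stream (gravity on the z axis, a sinusoidal bounce at walking cadence, Gaussian noise) and a simple hysteresis step counter; the thresholds, cadence and the `motion_gate_passes` decision are illustrative assumptions, since the dropper's actual step-detection code is not on this page. The point for analysts is the last two cases: a bare emulator that emits no sensor readings, or a device lying still, never satisfies the gate, whereas a sandbox that injects a synthetic "walking" stream does, so motion-gated samples detonate during analysis.

```python
import math
import random
from dataclasses import dataclass
from typing import List

GRAVITY = 9.81  # m/s^2, what a resting accelerometer reports on its vertical axis


@dataclass
class SensorSample:
    """One accelerometer reading: timestamp in ms and acceleration per axis in m/s^2."""
    t_ms: int
    ax: float
    ay: float
    az: float


def constructed_accelerometer_stream(duration_s: float = 10.0, rate_hz: int = 50,
                                     step_hz: float = 1.8, bounce: float = 2.0,
                                     noise_sigma: float = 0.3, seed: int = 7) -> List[SensorSample]:
    """Constructed (synthetic) stream resembling a walking user: gravity on z,
    a vertical bounce at the walking cadence, plus Gaussian noise on every axis.
    bounce=0.0 yields a device lying still. Values are assumptions for this example."""
    rng = random.Random(seed)
    samples = []
    for i in range(int(duration_s * rate_hz)):
        t = i / rate_hz
        vertical = GRAVITY + bounce * math.sin(2 * math.pi * step_hz * t)
        samples.append(SensorSample(
            t_ms=int(t * 1000),
            ax=rng.gauss(0.0, noise_sigma),
            ay=rng.gauss(0.0, noise_sigma),
            az=vertical + rng.gauss(0.0, noise_sigma),
        ))
    return samples


def emulator_stream() -> List[SensorSample]:
    """What an emulator without motion sensors delivers: no readings at all."""
    return []


def count_steps(samples: List[SensorSample], high: float = 11.0, low: float = 9.0) -> int:
    """Hysteresis peak counter on acceleration magnitude: one step is counted each
    time the magnitude rises above `high` after having dropped below `low`, so
    noise around a single peak cannot produce several counts."""
    steps = 0
    armed = True  # ready to count the next rise above `high`
    for s in samples:
        mag = math.sqrt(s.ax ** 2 + s.ay ** 2 + s.az ** 2)
        if armed and mag > high:
            steps += 1
            armed = False
        elif not armed and mag < low:
            armed = True
    return steps


def motion_gate_passes(samples: List[SensorSample], min_steps: int = 1) -> bool:
    """The decision the article describes, as an assumed illustration: proceed only
    when the sensor stream shows evidence that the user is moving."""
    return count_steps(samples) >= min_steps


if __name__ == "__main__":
    walking = constructed_accelerometer_stream()
    still = constructed_accelerometer_stream(bounce=0.0, noise_sigma=0.1)
    for label, stream in [("synthetic walking", walking),
                          ("device lying still", still),
                          ("bare emulator", emulator_stream())]:
        print(f"{label:20s} steps={count_steps(stream):3d} gate passes={motion_gate_passes(stream)}")
```

Feeding a stream like `walking` into an analysis device (via the emulator's sensor injection interface, or a physical test phone on a shaker) is the practical takeaway: an automated pipeline that only ever presents a motionless emulator will report motion-gated droppers as clean.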

Once movement is detected, the malicious code runs and the app displays a fake system update dialog. The fake dialog claims new features such as adaptive battery and brightness and simpler ways to navigate the phone, seeking to trick the user into downloading and installing the malware’s payload APK.

The developers of the malicious apps hide the address of the malicious server by encoding it in Telegram and Twitter web page requests. “The bank malware dropper will request Telegram or Twitter after it trusts the running device. By parsing the response’s HTML content, it gets the C&C server (aserogeege.space). Then, it registers with the C&C server and checks for commands with an HTTP POST request. If the server responds to the app with an APK command and attaches the download URL, then the Anubis payload will be dropped in the background,” reads the Trend Micro post.

The Anubis payload, as already mentioned, tries to trick users into installing it with the aforementioned fake system update.

Trend Micro researchers reveal that the payload, which masquerades as a benign app, can steal account information once the user grants it accessibility rights. Anubis also has a built-in keylogger that logs keystrokes and thus captures the user’s account credentials, and it can obtain credentials by taking screenshots of the infected device’s screen.

As per the data collected by the Trend Micro experts, the latest version of Anubis, which has been distributed across 93 countries, can access contact lists and location details, record audio, send SMS messages, make calls and alter external storage.
