Security researchers from Trend Micro recently unearthed a piece of Android malware known as Anubis that managed to sneak into the Google Play Store with a little bit of creativity. The malware in question was found in two separate apps, though neither of them was widely downloaded.
The way the apps managed to get onto the Google Play Store is actually quite clever. To evade the emulator-based sandboxes that scan submissions for malicious behavior, the malicious apps were uploaded to the Google Play Store but remained dormant unless the device's motion sensors reported movement. Once motion was detected, the payload would spring into action.
This is incredibly shrewd, with Trend Micro noting:
The malware developer is assuming that the sandbox for scanning malware is an emulator with no motion sensors, and as such will not create that type of data. If that is the case, the developer can determine if the app is running in a sandbox environment by simply checking for sensor data.
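The flip side of that assumption is what a sandbox operator needs to verify: does the emulator's accelerometer stream look like a motionless device, and would a constructed gravity-plus-jitter stream pass instead? The following is an added example (not Trend Micro's code or the malware's); the sensor samples, the variance threshold and the function names are all assumptions made for illustration.

```python
import math
import random
from typing import Iterable, List, Tuple

# One accelerometer reading: x, y, z in m/s^2 (assumed layout, constructed for this example).
Sample = Tuple[float, float, float]


def magnitude_variance(samples: Iterable[Sample]) -> float:
    """Variance of the acceleration magnitude |a| over a window of samples."""
    mags = [math.sqrt(x * x + y * y + z * z) for x, y, z in samples]
    if len(mags) < 2:
        return 0.0
    mean = sum(mags) / len(mags)
    return sum((m - mean) ** 2 for m in mags) / len(mags)


def looks_like_static_emulator(samples: Iterable[Sample], threshold: float = 0.01) -> bool:
    """True when the window shows no motion at all, which is what a stock emulator
    reports (no sensor, or a constant value). A motion-gated sample would stay dormant here."""
    window = list(samples)
    if not window:
        return True  # no sensor data at all: the case the quote above describes
    return magnitude_variance(window) < threshold


def synthesize_handheld_motion(n: int = 200, seed: int = 0) -> List[Sample]:
    """Constructed stream a hardened sandbox could feed its emulator: gravity on z,
    a slow tilt, and Gaussian jitter, so that motion-gated payloads detonate under analysis."""
    rng = random.Random(seed)
    out: List[Sample] = []
    for i in range(n):
        tilt = 0.3 * math.sin(i / 15.0)
        out.append((
            tilt + rng.gauss(0, 0.3),
            rng.gauss(0, 0.3),
            9.81 - abs(tilt) + rng.gauss(0, 0.3),
        ))
    return out


if __name__ == "__main__":
    # Stock-emulator style stream (constant gravity, no jitter) vs. synthesized handheld motion.
    print(looks_like_static_emulator([(0.0, 0.0, 9.81)] * 200))        # True
    print(looks_like_static_emulator(synthesize_handheld_motion()))     # False
```

Run against a real emulator's sensor log, a `True` result means motion-gated samples like this one would never detonate in that sandbox.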
The two apps found to contain the malware were masquerading as helpful utility apps, with one being a currency converter app and the other a battery monitoring tool. Both apps had scores of positive reviews, though it stands to reason that the vast majority of these reviews were fake.
The good news is that Google eventually unearthed the apps before they got too popular. The battery app, for example, was only downloaded 5,000 times before Google got wise and pulled the plug.
As for the malware in question, well, it’s particularly nasty. When activated, users are presented with a seemingly legitimate overlay of a banking splash page and are asked to enter their credentials. All the while, the keystrokes are being logged. Trend Micro adds that Anubis can also steal sensitive credentials and user information by stealthily taking a snapshot of the user’s screen.
Trend Micro has a lot more detail on how the malware operates over here.