Banking trojan apps on Google Play use motion sensor to hide when detection counts

Credit: ID 132567978 © Andrey Pronin |

Developers of malicious Android apps on Google Play are testing out a new trick: stay still   if the device’s motion sensor says the device — and user — is not on the move. 

The tactic works on the assumption that malware detection happens when an app is running in a sandbox where it is likely to be if it were being analyzed by an anti-malware solution. 

Researchers at Trend Micro spotted two malicious apps on Google Play that displayed this behavior and were installing banking malware called Anubis. It’s historically been associated with delivering a banking trojan to Turkish Android users, according to Sophos

Sophos found the apps acted as downloaders that appear safe when entering the Play store, but eventually download malicious apps.   

The two new apps found by Trend Micro were masquerading as a currency exchange tool, called Currency Converter, and a battery saver app, BatterySaverMobi. Google has now removed them from the Play store, however they’d been download thousands of times and had attracted favorable reviews from scores of Android users. 

The developers use of motion sensors for evasion is notable, utilizing the characteristics of different apps that do or don’t produce motion sensor readouts. 

“The malware developer is assuming that the sandbox for scanning malware is an emulator with no motion sensors, and as such will not create that type of data. If that is the case, the developer can determine if the app is running in a sandbox environment by simply checking for sensor data,” explains Trend Micro researcher Kevin Sun. 

The malware uses the device’s motion sensor to detect whether or not the user is walking and the device is not the move. If both the device and user are still, there’s no sensor data, which means there’s a chance the app is running in a sandbox. If that’s the case, then the malicious code remains on standby. 

There’s still some social engineering involved to get the malware to run, which relies on a bogus system update the user is prompted to install, a supposed “stable version of Android”.

The malware’s backend infrastructure also relies on Telegram and Twitter web requests to establish trust with the affected device and connect to a command and control server and ultimately stealthily install the Anubis banking trojan on the device. This process happens if the user approves the bogus system update. 

Anubis doesn’t rely on fake screen overlays to steal credentials, but rather has a keylogger function and can take screenshots to capture sensitive information like credentials. 

The app has reached 93 countries and contains tools to target 377 financial apps to acquire account details. Like most information stealers, it also can access user contacts, location, and has permissions to record audio, send SMS messages, make calls, and modify external storage.          

The idea of using motion sensor data for malicious purposes isn’t new. Research that IBM contributed to in 2012 exploited the fact that any app could access accelerometer and orientation sensor data as they are not protected under Android's security model. 

Read more: US government shutdown leaves .gov sites with expired HTTPS certs

The proof-of-concept Android malware used phone movements to correlate key security events, such as the device’s movement when typing in a device unlock PIN or entering a credit card number when holding the phone during a call.     

Tags malwareGoogleAndroidtrend microGoogle Play

Show Comments