Crypto users are the most common targets for Trojans affecting Android banking apps, according to a recent ThreatFabric report.
The Amsterdam-based cybercrime unit found more malware mimicking Coinbase and crypto services provider Blockchain.com than any other Android banking app.
In the first quarter of 2021, ThreatFabric detected:
- 14,049 malware applications mimicking Blockchain.com’s app.
- 14,052 fraudulent versions of Coinbase (Android).
- 11,614 samples targeting PayPal’s Android app.
The malware analyzed was built for so-called “overlay attacks.” These target Android users with dropper apps masquerading as legit software, often smuggled onto Google’s Play Store or shared via Discord and GitHub.
Android apps under threat of ‘The Rage’
Overlay attacks involve overlaying a fake log-in window on top of an app, which allows hackers to log and steal account credentials.
They then leverage the stolen data to siphon their target’s funds. In Coinbase and Blockchain.com’s case, those would most likely be cryptocurrency.
Overlay attacks were reportedly up 129% in 2020 from the previous year. ThreatFabric even went so far as to label the trend “The Rage.”
“One of the most obvious catalysts that played an important role in The Rage we are experiencing are the source code leaks of two very effective bots, namely Anubis 2.5 and Cerberus,” wrote ThreatFabric.
“These leaks resulted in multiple private Trojan versions actively targeting regions such as Poland, Spain, Turkey, and Italy [led by] local actors.”
ThreatFabric explained that crypto wallet apps like Coinbase are easier to rip off because they tend to have a single APK (Android Package Kit).
Other banking apps usually deploy different versions for different countries.
[H/T: The Record]