Hackers love using popular apps and software to gain the trust of their victims and a recently discovered Android banking trojan is doing just that by impersonating Google Chrome.
According to a blog post, the cybersecurity firm G Data recently encountered a malware strain that masquerades as Chrome by using the browser’s full name and even its app icon. While the distribution method of this new trojan is still unclear, Android malware like this is often spread through phishing attacks or spam messages, which is why you always need to be careful when checking your inbox.
If you’re using an Android phone, here’s everything you need to know about this dangerous new banking trojan along with some tips and tricks on how you can prevent hackers from giving your devices a nasty malware infection.
Hiding in plain sight
What makes malware like this so dangerous is that by hiding in plain sight and impersonating popular apps, potential victims might not even notice something is off until it’s too late.
If an unsuspecting user grant the malware these permissions, a prompt is displayed that says they have been selected to receive a cash prize. However, to claim it, they need to enter their phone and credit card numbers.
Once installed on an Android phone, a discerning user would be able to tell something isn’t right with this fake version of Chrome quite easily. For starters, there’s a black border around the Chrome logo that isn’t there on the official app and while Google’s browser shows up as “Chrome” in your app drawer, this one is displayed as “Google Chrome” instead.
The malicious app starts up immediately upon installation and, like other bad apps do, it requests access to a number of permissions that a browser would never use like being able to make and manage phone calls as well as sending and receiving text messages, yet another big red flag.
If an unsuspecting user does grant the malware these permissions, a prompt is displayed that says they have been selected to receive a cash prize. However, to claim it, they need to enter their phone number and their credit card number. If they do, another prompt tells them that they shouldn’t delete the app for the next 24 hours in order to claim their prize money.
Combing through text messages
Besides tricking users into giving it full access to their phone and their financial data, this malware also uses the permissions it was granted to look through all of their incoming and outgoing text messages. This is done to scan for predefined keywords such as PayPal and WebMoney which indicates that the message is related to a victim’s bank or other financial apps.
These messages are then sent back to a Telegram channel controlled by the hackers behind this malware. From there, 2FA codes and other sensitive financial information can be used to commit fraud or even to flat out drain a victim’s bank accounts or other financial apps.
While this malware does pose a serious threat to Android users, it’s worth noting that as of right now, it is primarily being used to target a Russian-speaking audience. In fact, it’s been dubbed “Mamont” which is the Russian word for wooly mammoth but also a slang term that’s used to refer to cybercrime victims.
Unlike with real-world crime though, malware can quickly be adapted and changed to target an entirely different demographic. The hackers behind the Mamont banking trojan could easily pivot and reconfigure it to target Android users in the U.S., the U.K, Canada and other English-speaking countries.
How to stay safe from Android malware
When it comes to staying safe from Android malware, the first and most important thing is to avoid downloading apps from less than reputable sources. This means sticking to official Android app stores like the Google Play Store, Samsung Galaxy Store and the Amazon Appstore instead of trying to sideload apps.
However, bad apps do manage to slip through the cracks from time to time, which is why you also need to be careful when you open a new app for the first time. Pay close attention to the permissions that are being requested and ask yourself if that particular app really needs access to your text messages or other parts of Android.
From here, you want to make sure that you regularly install the latest updates as soon as they become available. Likewise, you want to double check that Google Play Protect is enabled on your Android phone since it scans all of your existing apps and any new ones you download for malware. For extra protection, you might also want to consider installing one of the best Android antivirus apps alongside it.
In an email to Tom's Guide, a Google spokesperson explained that Google Play Protect should be enough to keep you safe from malicious apps spreading the Mamont malware, saying:
"Google Play Protect automatically protects users by disabling these identified apps. Once the apps are disabled, they cannot run on the device or do any harm on the device. Google Play Protect will also provide a warning and ask users if they would like to fully uninstall."
At the end of the day though, it’s up to you to carefully scrutinize all of the emails in your inbox and the messages on your smartphone. When in doubt, just delete them but if you do open what could be a phishing or spam message, you absolutely want to avoid clicking on any links they contain as well as downloading any attachments.
We’ll have to wait and see if the hackers behind the Mamont Android banking trojan decide to branch out and target users in other countries but at least now you’ll be ready for them.
More from Tom's Guide
