ESET researchers have alerted the public to a dangerous application available for download at Google Play. The tool, QRecorder, was built to record calls, however its continued use has become dangerous following one of its recent updates. The updates allowed attackers to gain remote access to mobile banking apps of Android users. ESET is able to detect the threat, Android/Spy.Banker.AIX, during the installation of the application. The QRecorder app for mobile Android devices is estimated to have tens of thousands of users in German-speaking countries (DACH), Poland and the Czech Republic.
“We have been able to detect that the originally legitimate application, QRecorder, a tool for recording calls has been trojanized. Through our analysis we’ve determined that one of its latest updates has turned the app into malware. It allows dangerous content to be loaded into android devices, which is exactly what has happened.” says ESET security expert Miroslav Dvorak. At present, Google play contains an updated version of the QRecorder application (author: PA Production, application ID: com.abc.callvoicerecorder), one which no longer poses any threat according to our latest findings . The original version of QRecorder (author: NickBaze, application ID: com.apps.callvoicerecorder) has already been removed from the store at ESET’s notification. “Using this malware, the attackers are primarily targeting users from the Czech Republic, Poland and German-speaking countries or more precisely, they target everyone with Czech, Polish or German language localization of the Android set by default,” he adds.
Based on ongoing analysis by ESET, we can demonstrate that malware in the phone waits for an encoded command from the attacker’s C&C server, which triggers a desired activity. In the first phase the malware inspects the device for any applications with potential for monetization, not only banking apps. A module is then downloaded to the phone, creating an invisible layer above the targeted application, for instance mobile banking, and then scans the user’s login credentials. Attackers also gain access to text messages which are the most frequently used second factor for authentication used during financial transactions. The attackers can therefore freely transfer money from the victim’s bank account via remote access, all without the user being aware of the transactions.
It’s not entirely clear how a user can defend himself in this case. The application was downloaded from a legitimate source, Google Play, and didn’t present any prior risks. Apart from installing mobile security software, the only way to defend against the malware is via a thorough control of the access(es) requested by the application with regard to its primary and legitimate purpose.
About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security, to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real-time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D centers worldwide, ESET becomes the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003. For more information visit www.eset.com or follow us on LinkedIn, Facebook and Twitter.