A new Android Trojan, referred to here as the Czech Android Trojan, has been detected impersonating the QRecorder app. A statement from the Czech police says that the hacker or group behind it has already stolen over 78 000 Euro from victims' accounts.
Fake QRecorder App Turns Out to be a Czech Android Trojan
This week the Czech Police reported that a new, dangerous Android Trojan is particularly active. Five victims from the Czech Republic are known so far. The current samples are distributed through various repositories as a fake copy of the QRecorder app; installations from the Google Play store alone number more than 10 000. The impersonated app is a call recorder, and the fake listing's description and screenshots look like an ordinary entry with nothing suspicious about them.
Like other widespread Android threats, on installation and first run it requests permission to draw over other apps. Once that is granted, the Czech Android Trojan can control what is displayed to the user. This triggers its built-in behaviour; one of its first actions is to report the infection to the criminal operators. The analysis shows that infected devices receive instructions within 24 hours. Until instructions arrive, the Trojan takes no further action.
The attackers use Firebase messages to communicate with infected devices. The malicious QRecorder app checks for the presence of predefined banking apps. If none are found, it receives links to encrypted payloads, which it downloads and decrypts. Before this step the user is asked for an additional permission, to enable the Accessibility service, and it is through that service that the infection is carried out.
When the payload runs it monitors for the download and launch of certain banking applications. A phishing overlay is then drawn over the real app and automatically harvests any credentials the victim enters.
Text strings found in the Trojan's code show that the main targets are Polish, Czech and German banks. So far two packages have been found to contain the Android Trojan:
- com.apps.callvoicerecorder
- gjfid.pziovmiq.eefff
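The two package names above and the behaviour described earlier (an overlay permission combined with an enabled accessibility service) are enough for a first triage of a device. The script below is an added example and not code from the article, the police statement or any analysis of the Trojan. It parses the output of three real adb commands, `adb shell pm list packages -3`, `adb shell dumpsys package <pkg>` and `adb shell settings get secure enabled_accessibility_services`, and flags any package that matches a published name or that both requests `SYSTEM_ALERT_WINDOW` and has an accessibility service enabled. The sample outputs embedded in the script are constructed for the example; the accessibility service class name and the non-IoC package names in them are invented placeholders, and only the two package names come from the article. Note that the "requested permissions:" section lists what the manifest declares, not what has been granted, so a hit on the combination is a lead to review, not proof of infection.

```python
"""Triage adb output for the fake QRecorder indicators described above.

Added example; not code from the article or the police statement.
Input is the text of these adb commands, captured from the device:
    adb shell pm list packages -3
    adb shell dumpsys package <pkg>        (one capture per package)
    adb shell settings get secure enabled_accessibility_services
"""

# Package names published in the article.
KNOWN_BAD_PACKAGES = {
    "com.apps.callvoicerecorder",
    "gjfid.pziovmiq.eefff",
}

# The "draw over other apps" permission the article describes.
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"

# --- Constructed sample output (not real device data) ---------------------
SAMPLE_PM_LIST = """\
package:com.android.chrome
package:com.apps.callvoicerecorder
package:org.example.legit.recorder
"""

SAMPLE_DUMPSYS = {
    "com.apps.callvoicerecorder": """\
  Package [com.apps.callvoicerecorder] (a1b2c3):
    userId=10123
    requested permissions:
      android.permission.INTERNET
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.RECEIVE_BOOT_COMPLETED
    install permissions:
      android.permission.INTERNET: granted=true
""",
    "org.example.legit.recorder": """\
  Package [org.example.legit.recorder] (d4e5f6):
    requested permissions:
      android.permission.RECORD_AUDIO
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
""",
    "com.android.chrome": """\
  Package [com.android.chrome] (0a0b0c):
    requested permissions:
      android.permission.INTERNET
""",
}

# Placeholder service class names; the format (pkg/class, colon separated)
# is what the setting really returns.
SAMPLE_A11Y = ("com.apps.callvoicerecorder/com.apps.callvoicerecorder.ExampleService"
               ":com.android.talkback/com.google.android.marvin.talkback.TalkBackService")


def parse_pm_list(output):
    """`pm list packages` prints one 'package:<name>' per line."""
    return [line[len("package:"):].strip()
            for line in output.splitlines() if line.startswith("package:")]


def parse_requested_permissions(dumpsys_output):
    """Collect the indented entries under 'requested permissions:' in
    `dumpsys package` output; the section ends at the next heading that is
    indented no deeper than the section title."""
    perms = set()
    in_section = False
    section_indent = 0
    for line in dumpsys_output.splitlines():
        indent = len(line) - len(line.lstrip())
        if line.strip() == "requested permissions:":
            in_section, section_indent = True, indent
            continue
        if in_section:
            if not line.strip() or indent <= section_indent:
                break
            perms.add(line.strip().split(":")[0])
    return perms


def parse_enabled_accessibility_services(setting_value):
    """The secure setting is 'null' or a colon-separated list of
    'pkg/ServiceClass' components; return the set of package names."""
    value = setting_value.strip()
    if value in ("", "null"):
        return set()
    return {comp.split("/", 1)[0] for comp in value.split(":") if "/" in comp}


def triage(pm_list_output, dumpsys_by_pkg, accessibility_setting):
    """Return {package: [reasons]} for every package worth a closer look."""
    a11y_pkgs = parse_enabled_accessibility_services(accessibility_setting)
    findings = {}
    for pkg in parse_pm_list(pm_list_output):
        reasons = []
        if pkg in KNOWN_BAD_PACKAGES:
            reasons.append("package name matches published IoC")
        perms = parse_requested_permissions(dumpsys_by_pkg.get(pkg, ""))
        if OVERLAY_PERM in perms and pkg in a11y_pkgs:
            reasons.append("requests overlay permission and has an enabled accessibility service")
        if reasons:
            findings[pkg] = reasons
    return findings


if __name__ == "__main__":
    for pkg, reasons in triage(SAMPLE_PM_LIST, SAMPLE_DUMPSYS, SAMPLE_A11Y).items():
        print(pkg)
        for r in reasons:
            print("  -", r)
```

On a real device, capture `dumpsys package` once per third-party package and feed the captures in as the dictionary; on Android 6 and later the overlay grant itself is an app op (`appops get <pkg> SYSTEM_ALERT_WINDOW`), which is why the script keys on the manifest declaration rather than the grant state.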
The official statement can be accessed here.