Found on the Play Store, QRecorder, was downloaded by over 10,000 Android users. It is believed that eight to eleven thousand British Pounds was stolen from these unsuspecting users. The Trojan was put in place by getting around SMS two-factor authentication and were able to target users and banks in Germany, Poland, and the Czech Republic. QRecorder posed as a recording app, but its real intention was to trick the users to allow it to be able to draw over other apps to give the trojan the ability to run smoothly. After gaining access, information is transferred to the command and control center of the attacker within 24 hours and it is believed they were using Firebase messages to go back and forth with the target device. Payload was then downloaded when the user enabled Accessibility Service. “Once the payload is downloaded it sets triggers for legitimate banking apps. If one of the targeted apps is launched it would create similar like looking activity that overlays official app demanding credentials.” At this time QRecorder has been removed from the Play Store.
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense Russia’s invasion of Ukraine increased