Researchers on Thursday documented two new malware campaigns targeting Android users.

The first involved nine apps that had been downloaded from Google Play more than 470,000 times. With names such as Speed Clean and Super Clean, the apps masqueraded as utilities for optimizing device performance. Behind the scenes, they connected to servers that could download as many as 3,000 different malware variants on compromised devices. Once installed, the apps could log in to users’ Facebook and Google accounts to perform ad fraud. A second, unrelated campaign used cleverly crafted phishing emails to trick users into installing one of the nastiest pieces of malware targeting the Android OS (more about that later).

Not the Play Protect you’re looking for

Once installed, the apps posing as optimizer utilities connected to an attacker-controlled server that’s capable of downloading other malicious apps that perform a variety of fraudulent tasks, including:

Displaying ads from legitimate advertising platforms such as Google AdMob and Facebook Audience Network and then simulating users clicking on the ads

Installing reward apps from the ad networks and running them in a virtual environment to make them more covert

Tricking users into enabling Android accessibility permissions and disabling Play Protect, the malware scanner built into Android. This capability allows malicious payloads to download and install apps without being detected

Using the accessibility function to post fake reviews and log in to users’ Google and Facebook accounts

The campaign—reported by Trend Micro—was most active in Japan, Taiwan, the United States, India, and Thailand. One place the campaign was not active was in China. When Trend Micro researchers modified geographic parameters to China, the apps didn’t do any malicious downloads. (Often, malware campaigns exclude the attackers’ countries of origin to prevent crackdowns by local authorities.)

The apps participating in the campaign included:

App Name Package No. of Installs Shoot Clean-Junk Cleaner,Phone Booster,CPU Cooler com.boost.cpu.shootcleaner 10,000+ Super Clean Lite- Booster, Clean&CPU Cooler com.boost.superclean.cpucool.lite 50,000+ Super Clean-Phone Booster,Junk Cleaner&CPU Cooler com.booster.supercleaner 100,000+ Quick Games-H5 Game Center com.h5games.center.quickgames 100,000+ Rocket Cleaner com.party.rocketcleaner 100,000+ Rocket Cleaner Lite com.party.rocketcleaner.lite 10,000+ Speed Clean-Phone Booster,Junk Cleaner&App Manager com.party.speedclean 100,000+ LinkWorldVPN com.linkworld.fast.free.vpn 1,000+ H5 gamebox com.games.h5gamebox 1,000+

Google has removed the apps from Play.

Anubis returns

The second campaign disclosed on Thursday uses a clever phishing campaign to infect Android devices with Anubis, which is arguably one of the nastiest and most resourceful pieces of malware written for the mobile OS. Anubis is a piece of Android malware that’s known for its ingenuity. In mid-2018, researchers with IBM’s X-Force group documented a variety of Google Play apps that surreptitiously installed the bank and financial fraud malware . Not long after that, researchers found an updated version of Anubis that used the motion sensors of devices to detect when it was installed on researchers’ emulators rather than on a real piece of hardware.

The campaign disclosed on Thursday uses emails that present targets with an attachment that’s ostensibly a billing invoice. In fact, it’s an APK file, which is the format typically used to install Android apps. Devices that are allowed to install apps from sources other than Google Play will display a fake Google Protect message that asks for the two innocuous privileges.

When users click OK, the app disables Play Protect and gains 19 permissions, many of them highly sensitive. Researchers from Cofense—the security firm that documented the campaign—suspect the ruse is the result of the fake message overlaying and blocking the authentic Android dialog.

Anubis then checks infected devices to see if 263 different banking and shopping apps are installed. Once a user opens any of those apps, the malware uses an overlay screen to phish the account password for the app. Other capabilities include:

Capturing screenshots

Enabling or changing administration settings

Opening and visiting any URL

Disabling Play Protect

Recording audio

Making phone calls

Stealing the contact list

Controlling the device via VNC

Sending, receiving and deleting SMS

Locking the device

Encrypting files on the device and external drives

Searching for files

Retrieving the GPS location

Capturing remote control commands from Twitter and Telegram

Pushing overlays

Reading the device ID

The malware also includes a ransomware component that encrypts files in both internal and external storage and adds the file extension .AnubisCrypt. It then sends each encrypted file to an attacker-controlled server.

“The ransomware module is an extra or secondary ‘feature’ that can be enabled remotely once the attacker has no other use for the phone,” a Cofense researcher wrote in an email. “For example, once the attacker has harvested and exploited all the credentials, contacts, emails, messages, sensitive photos, etc., they might chose to encrypt the phone for a ransom or simply destroy the phone out of malice.”

Taken together, Thursday’s disclosures underscore the age-old advice for keeping Android devices free of malware. The first is to be suspicious of apps available in Play. People should steer clear of apps that have relatively few users, come from obscure developers, or have user reviews that report dubious behaviors. Apps that provide minimal benefit or haven’t been used recently should always be uninstalled.

As problematic as Google Play can be, it’s almost always even more risky to obtain apps from third-party sources (unless they’re from Amazon or a developer known to the user or the users’ employer). Under no circumstances should people install apps sent in emails.