Security

Fraudulent device activity is on the rise, according to a recent mobile malware report

Spain and Turkey were the most frequently targeted countries in 2022, as a mix of new and established banking trojans increasingly targeted Android devices to commit on-device fraud (ODF).

Poland, Australia, the U.S., Germany, France, Italy, and the U.K. are among the other countries frequently targeted.

According to the Dutch cybersecurity company ThreatFabric, the most worrying trend is on-device fraud (ODF).

During the first five months of 2022, the number of malware families abusing the Android OS to perform fraud grew by 40%. Because the fraudulent transactions originate from the victim's own device, they are nearly impossible for traditional fraud scoring engines to detect.

By number of samples observed during the same period, Hydra, FluBot (aka Cabassous), Cerberus, Octo, and ERMAC were the most active banking trojans.

The Google Play Store continues to be inundated with new dropper apps that pose as innocuous productivity and utility applications in order to distribute this malware.

On-device fraud, meaning fraudulent transactions initiated from the victim's own device, lets criminals use previously stolen credentials to log in to banking applications and move money from a device that the bank's risk engine already recognises as the legitimate customer's.

Banking trojans have also been observed constantly updating their capabilities. Octo, for example, has devised a method for stealing credentials from its overlay screens before the victim even submits them.

The researchers explain that this is done so that credentials can be obtained even if a victim grows suspicious and closes the overlay without tapping the fake 'login' button it presents.

ERMAC, which first appeared in September 2021, has received notable upgrades that enable it to automatically siphon seed phrases from a range of cryptocurrency wallet apps by abusing Android's Accessibility Service.

For almost as long as Android has existed, the Accessibility Service has been its Achilles' heel: it gives threat actors a way to leverage legitimate APIs to serve malicious overlays to unsuspecting users and to read what they type and see on screen.

Google's approach aims to combat the problem by ensuring that "only services designed to help people with disabilities use their mobile devices, or otherwise overcome challenges stemming from their disabilities, are eligible to declare themselves accessibility tools."

With Android 13, the tech giant is going further, restricting Accessibility API access for apps that a user has sideloaded from outside an app store, which should make it harder to misuse the service for harmful purposes.

ThreatFabric, however, said it was able to bypass these restrictions trivially through a tweaked installation process, suggesting that a more restrictive approach is needed to counter threats of this nature.

Users are advised to download apps only from the Google Play Store, to deny unusual permissions to apps that do not need them (for example, a calculator app requesting access to the contact list), and to stay alert to phishing attempts.
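The practical check that follows from this is whether any third-party app on the device is currently enabled as an accessibility service and did not come from the Play Store. The script below is an added example, not ThreatFabric's or Google's code. It parses the output of two real adb commands, `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -i`, and flags enabled services whose owning package was installed by anything other than com.android.vending. The sample outputs embedded in the script are constructed for the example, and every package name in them except com.android.vending is hypothetical.

```python
"""Flag third-party apps that hold the Accessibility Service but were not installed from the Play Store.

Added example (not code from the original article, ThreatFabric, or Google).
Assumes `adb` is on PATH when audit_device() is used; the SAMPLE_* strings are
constructed stand-ins for real device output so the script also runs offline.
"""
import subprocess
from typing import Dict, List, Tuple

PLAY_STORE = "com.android.vending"
# Extend this set if the fleet legitimately uses another store (e.g. an OEM store).
TRUSTED_INSTALLERS = {PLAY_STORE}

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
# Format: colon-separated ComponentName strings; "pkg/.Cls" is shorthand for "pkg/pkg.Cls".
SAMPLE_ENABLED = (
    "com.example.screenreader/com.example.screenreader.ReaderService:"
    "com.example.pdfutil/.HelperService"
)

# Constructed sample of: adb shell pm list packages -3 -i
# (-3 = third-party packages only, -i = show installing package; "null" means none recorded)
SAMPLE_PACKAGES = """\
package:com.example.screenreader  installer=com.android.vending
package:com.example.pdfutil  installer=null
package:com.example.calc  installer=com.android.vending
"""


def parse_enabled_services(raw: str) -> List[Tuple[str, str]]:
    """Return (package, fully-qualified service class) pairs from the setting value."""
    raw = raw.strip()
    if not raw or raw == "null":  # setting unset: no accessibility service enabled
        return []
    services = []
    for component in raw.split(":"):
        pkg, _, cls = component.partition("/")
        if cls.startswith("."):  # expand the ".Cls" shorthand
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def parse_installers(raw: str) -> Dict[str, str]:
    """Map package name -> installer package from `pm list packages -i` output."""
    installers: Dict[str, str] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        body = line[len("package:"):]
        name, _, installer = body.partition("installer=")
        installers[name.strip()] = installer.strip() or "null"
    return installers


def flag_sideloaded_accessibility(enabled_raw: str, packages_raw: str,
                                  trusted=TRUSTED_INSTALLERS) -> List[dict]:
    """Return enabled accessibility services owned by third-party packages whose installer is untrusted."""
    installers = parse_installers(packages_raw)
    findings = []
    for pkg, cls in parse_enabled_services(enabled_raw):
        installer = installers.get(pkg)
        if installer is None:
            continue  # not in the -3 listing, i.e. a system/preinstalled package
        if installer not in trusted:
            findings.append({"package": pkg, "service": cls, "installer": installer})
    return findings


def audit_device(adb: str = "adb") -> List[dict]:
    """Run the two commands against the connected device and return the findings."""
    def shell(*args: str) -> str:
        return subprocess.run([adb, "shell", *args], capture_output=True,
                              text=True, check=True).stdout
    enabled = shell("settings", "get", "secure", "enabled_accessibility_services")
    packages = shell("pm", "list", "packages", "-3", "-i")
    return flag_sideloaded_accessibility(enabled, packages)


if __name__ == "__main__":
    # Offline run over the constructed samples; swap in audit_device() for a live device.
    for f in flag_sideloaded_accessibility(SAMPLE_ENABLED, SAMPLE_PACKAGES):
        print(f"SUSPECT {f['package']} ({f['service']}) installer={f['installer']}")
```

On the constructed samples the only hit is com.example.pdfutil, whose installer is "null": the screen reader also holds the service but came from the Play Store. Note that a dropper distributed through the Play Store would not be caught by the installer check alone, which is exactly the gap the article describes; treat this as one signal to combine with the permission review above, not as a verdict.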

Because of Android's openness, malware continues to abuse legitimate features, and the upcoming restrictions barely interfere with the malicious intentions of such apps, according to the research.
