Google Play hosts many malicious apps that use tricks to avoid being traced. Some of them read motion-sensor input from an infected device before installing a powerful banking trojan, to make sure the trojan does not load in the emulators that researchers use to detect attacks.
The rationale is that the sensors of real end-user devices record movement while the devices are in use. Emulators used by security researchers, and probably by Google employees, do not use sensors. Recently, two apps that delivered Anubis malware to infected devices were discovered on Google Play; they would trigger the payload only when motion was detected. Otherwise, the trojan would remain dormant.
A company that focuses on security issues found that a dropper relying on motion detection was used in two applications. The first was BatterySaverMobi, which had 5,000 downloads, and the second was Currency Converter, which had an unknown number of downloads. Once Google learned of the malware, both apps were immediately removed.
These malicious apps hide themselves not only through motion detection but in other ways as well.
For example, the dropper in one of the applications that installed Anubis used requests and responses via Twitter and Telegram to locate the command and control (C&C) server. It then registered with the C&C server and checked for commands with an HTTP POST request. If the server responded to the application with an APK command and an attached URL, the Anubis payload would be fetched in the background. The dropper would then try to trick users into installing the app using a fake system update, as shown below.
Once Anubis was installed, it used a built-in keylogger that could steal the user's account credentials. The malware could also gain access to credentials by taking screenshots on the infected user's device.
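A defender-side check for the dropper sequence described above (motion check, Twitter/Telegram lookup, HTTP POST to the C&C server, APK install prompt), as an added example that is not from the original article or from any vendor tool. The event schema, sensor names, host list and sample traces are assumptions constructed for illustration.

```python
# Stage order follows the article: motion check, Twitter/Telegram lookup,
# HTTP POST to the C&C server, then a prompt to install the fetched APK.
CHAIN = ["motion_gate", "public_lookup", "c2_post", "apk_install"]
LOOKUP_HOSTS = ("twitter.com", "t.me", "telegram.org")  # assumed host list
MOTION_SENSORS = ("accelerometer", "step_counter")      # assumed sensor names

def stage_of(event):
    """Map one sandbox event (hypothetical schema) to a chain stage, or None."""
    kind, detail = event["type"], event["detail"]
    if kind == "sensor_register" and detail in MOTION_SENSORS:
        return "motion_gate"
    if kind == "http":
        host = detail["host"]
        if any(host == h or host.endswith("." + h) for h in LOOKUP_HOSTS):
            return "public_lookup"
        if detail["method"] == "POST":
            return "c2_post"
    if kind == "install_prompt":
        return "apk_install"
    return None

def classify(events):
    """Verdict for one app's trace: stages must occur in CHAIN order."""
    reached = 0
    for event in sorted(events, key=lambda e: e["t"]):
        if reached < len(CHAIN) and stage_of(event) == CHAIN[reached]:
            reached += 1
    if reached == len(CHAIN):
        return "dropper-chain"
    # Motion listener registered, then no network activity at all: the run
    # probably had no sensor feed, so the sample may simply be dormant.
    if reached == 1 and not any(e["type"] == "http" for e in events):
        return "rerun-with-motion"
    return "no-match"

def http(t, host, method):
    return {"t": t, "type": "http", "detail": {"host": host, "method": method}}

# Constructed traces, not captured from real samples.
SENSOR = {"t": 1, "type": "sensor_register", "detail": "accelerometer"}
FULL = [SENSOR, http(5, "twitter.com", "GET"),
        http(6, "c2.example.invalid", "POST"),
        {"t": 9, "type": "install_prompt", "detail": "update.apk"}]
DORMANT = [SENSOR]
BENIGN = [SENSOR, http(2, "api.example.invalid", "GET")]

if __name__ == "__main__":
    for name, trace in (("FULL", FULL), ("DORMANT", DORMANT), ("BENIGN", BENIGN)):
        print(name, classify(trace))
```

The `rerun-with-motion` verdict marks traces where an analysis run without a sensor feed would otherwise report nothing, which is the gap the motion check exploits.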
More specifically, the data showed that the latest version of Anubis had been distributed in 93 different countries and targeted users of financial applications, allowing the attackers to exploit the financial information to their advantage. If Anubis succeeds, the hacker gains access to the contact lists as well as the location. It can also access and record sound, send messages, and make calls.
Taking all this into account, we conclude first that, unfortunately, attackers keep improving the quality of malicious Android applications. Second, Android users need to think more carefully before downloading apps from Google Play and be aware of the malicious activities that are being observed. We recommend that Android users always be careful and prefer applications from recognized developers.