{ "id": "d3bc4fad-96fb-402c-9ee7-c9f67be62bba", "created_at": "2026-04-06T00:06:52.456858Z", "updated_at": "2026-04-10T03:30:33.22683Z", "deleted_at": null, "sha1_hash": "da56fa267ad85cc66cfb801432fb65d778d810ef", "title": "Sneaky motion-detection feature found on Android malware", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 29777, "plain_text": "Sneaky motion-detection feature found on Android malware\r\nBy Jeff Stone\r\nPublished: 2019-01-18 · Archived: 2026-04-05 20:44:36 UTC\r\nA strain of malicious software was activated on Android smartphones only when the infected phone was moved,\r\naccording to research published by security vendor Trend Micro.\r\nThe malware came embedded in seemingly legitimate apps Currency Converter and BatterySaverMobi, which\r\nwere available in the Google Play Store, Trend Micro said Thursday. Once downloaded, the malware sought to\r\navoid detection by monitoring the motion sensor on victims’ devices.\r\nThe logic seems to be that if a hacked phone was moving, the device probably wasn’t a research tool being used\r\nby a security company trying to detect malware, researchers said.\r\n“As a user moves, their device usually generates some amount of motion sensor data,” the company explained in a\r\nblog post. “The malware developer is assuming that the sandbox for scanning malware is an emulator with no\r\nmotion sensors, and as such will not create that type of data. … If it senses that the user and the device are not\r\nmoving (if it lacks sensor data and thus, might be running in a sandbox environment), then the malicious code will\r\nnot run.”\r\nThe malicious code is “strikingly similar” to a banking trojan called Anubis, according to Trend Micro. Thieves\r\nused the hacking tool to record victims’ keystrokes and take screenshots without their knowledge, according to the\r\nresearch.\r\nBatterySaverMobi appeared to have roughly 5,000 downloads and a score of 4.5 stars from 73 reviews, though\r\nmany of those may have been fake, Trend Micro noted. It was not immediately clear how many times Currency\r\nConverter had been downloaded.\r\nGoogle removed both apps upon learning they were malicious.\r\nSource: https://www.cyberscoop.com/android-malware-motion-detection-trend-micro/\r\nhttps://www.cyberscoop.com/android-malware-motion-detection-trend-micro/\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "MITRE" ], "references": [ "https://www.cyberscoop.com/android-malware-motion-detection-trend-micro/" ], "report_names": [ "android-malware-motion-detection-trend-micro" ], "threat_actors": [ { "id": "75108fc1-7f6a-450e-b024-10284f3f62bb", "created_at": "2024-11-01T02:00:52.756877Z", "updated_at": "2026-04-10T02:00:05.273746Z", "deleted_at": null, "main_name": "Play", "aliases": null, "source_name": "MITRE:Play", "tools": [ "Nltest", "AdFind", "PsExec", "Wevtutil", "Cobalt Strike", "Playcrypt", "Mimikatz" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434012, "ts_updated_at": 1775791833, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/da56fa267ad85cc66cfb801432fb65d778d810ef.pdf", "text": "https://archive.orkl.eu/da56fa267ad85cc66cfb801432fb65d778d810ef.txt", "img": "https://archive.orkl.eu/da56fa267ad85cc66cfb801432fb65d778d810ef.jpg" } }