Malicious Android apps that steal sensitive financial data have been downloaded over 300,000 times from the Google Play store, according to a report published by ThreatFabric researchers. They found that users' bank details were being stolen by seemingly harmless applications: passwords, two-factor authentication codes, logged keystrokes, and more were exfiltrated through apps posing as QR scanners, PDF scanners, or cryptocurrency wallets. The apps acted as delivery vehicles (droppers) for mainly four malware families: Anatsa, Alien, Hydra, and Ermac. Google has tried to address the problem by imposing several restrictions on how apps can be distributed, which prompted the criminals to develop clever means of getting around the Google Play store's checks.
In its report, ThreatFabric explained that such apps deliver their malicious content from third-party sources only after they have been installed from the Google Play store, which is how they pass the store's checks. The apps engage users by offering additional content through an update fetched from outside the store. In some cases, the malware operators reportedly triggered the malicious update manually, after checking the geographic location of the infected device.
Malicious Android apps found by the researchers on the Google Play store included QR Scanner, 2021 QR Scanner, PDF Document Scanner, PDF Document Scanner Free, Two Factor Authenticator, Protection Guard, QR CreatorScanner, Master Scanner Live, CryptoTracker and Gym and Fitness Trainer.
According to the report, Anatsa accounts for the largest share, with over 100,000 downloads. The apps appeared legitimate: they had many positive reviews and delivered the advertised functionality. After the initial install from Google Play, however, they pushed users to install an update from a third-party source in order to keep using the app. The malware installed that way was reportedly able to steal banking credentials and capture everything displayed on the device's screen.
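The update-from-outside-the-store behaviour described above leaves a trace on the device: Android records which package installed each app, and `adb shell pm list packages -3 -i` prints that installer for every third-party package. The following script, added here as an illustration and not taken from ThreatFabric's report or any Google tool, parses a constructed sample of that output and flags packages that were not installed by the Play Store (com.android.vending), including the tell-tale case of one third-party app having installed another. The package names in the sample are invented, the trusted-installer set is an assumption you should adapt to your fleet (for example by adding an MDM agent), and the line format assumed is the `package:<name>  installer=<installer>` form printed by `pm` on recent Android releases.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Installer packages accepted as a trusted source. com.android.vending is the
# Play Store; add your MDM agent here if devices are enrolled (assumption).
TRUSTED_INSTALLERS: Set[str] = {"com.android.vending"}

# Constructed sample of `adb shell pm list packages -3 -i` output.
# Package names are invented for illustration; they are not real apps.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.qrscanner  installer=com.android.vending
package:com.example.qrscanner.update  installer=com.example.qrscanner
package:com.example.pdfscanner  installer=null
package:com.example.bankapp  installer=com.google.android.packageinstaller
"""

# One line per package: "package:<name>  installer=<installer or null>".
_LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


def parse_pm_list(text: str) -> Dict[str, Optional[str]]:
    """Map each package to its installer (None when pm prints 'null')."""
    result: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unexpected lines rather than failing
        inst = m.group("inst")
        result[m.group("pkg")] = None if inst == "null" else inst
    return result


def find_untrusted_installs(
    installers: Dict[str, Optional[str]],
    trusted: Set[str] = TRUSTED_INSTALLERS,
) -> List[Tuple[str, Optional[str], str]]:
    """Return (package, installer, reason) for each package not installed by a trusted source."""
    findings: List[Tuple[str, Optional[str], str]] = []
    for pkg, inst in sorted(installers.items()):
        if inst in trusted:
            continue
        if inst is None:
            reason = "no recorded installer (sideloaded, e.g. via adb or a file manager)"
        elif inst in installers:
            # The installer is itself a third-party app on this device: the
            # app-installs-its-own-update pattern the report describes.
            reason = "installed by another third-party app (dropper pattern)"
        else:
            reason = "installed through a non-store installer"
        findings.append((pkg, inst, reason))
    return findings


def find_droppers(installers: Dict[str, Optional[str]]) -> Set[str]:
    """Third-party packages that have installed other packages on the device."""
    return {inst for inst in installers.values() if inst is not None and inst in installers}


if __name__ == "__main__":
    installed = parse_pm_list(SAMPLE_PM_OUTPUT)
    for pkg, inst, reason in find_untrusted_installs(installed):
        print(f"{pkg}: installer={inst!r}: {reason}")
    for dropper in sorted(find_droppers(installed)):
        print(f"possible dropper: {dropper}")
```

To run this against a real device, pipe `adb shell pm list packages -3 -i` into `parse_pm_list`. A `null` installer is common for developer sideloads and enterprise tooling, so treat it as a lead to investigate rather than proof of compromise; an ordinary Play Store app installing a second package is the finding worth escalating.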
Google published a blog post in April describing the steps it has taken against such apps, including restricting developer access to sensitive permissions. However, in a test run by the German IT security institute AV-TEST in July, Google Play Protect fell short of other well-known anti-malware products: it detected only about two-thirds of the 20,000 malicious applications in the sample.
According to ThreatFabric, the ingenuity of these malware operators has reduced the reliability of automated malware detection. Users should be careful about the permissions they grant to applications and about where they obtain applications, and especially their updates: an app installed from Google Play receives its updates through Google Play, so a prompt to download an update from anywhere else is a warning sign.