Malicious Android apps that stole sensitive financial data have been downloaded more than 300,000 times from the Google Play Store, according to a report by researchers at ThreatFabric. They discovered that users were having their bank details stolen by seemingly harmless apps. User passwords, two-factor authentication codes, logged keystrokes and more were siphoned off through apps that masqueraded as QR scanners, PDF scanners, or cryptocurrency wallets. These applications mainly belong to four families of malware: Anatsa, Alien, Hydra and Ermac. Google tried to tackle the problem by introducing several restrictions to curb the distribution of scam apps. This motivated these cybercriminals to develop ingenious ways to bypass the restrictions of the Google Play Store.
In its report, ThreatFabric explained that these apps only introduce malicious content through third-party sources after being downloaded from the Google Play Store. The apps lure users by offering additional content through these third-party updates. In some cases, malware operators reportedly triggered malicious updates manually after tracking the geographic location of infected devices.
Malicious Android apps on the Google Play Store spotted by the researchers included QR Scanner, QR Scanner 2021, PDF Document Scanner, PDF Document Scanner Free, Two Factor Authenticator, Protection Guard, QR CreatorScanner, Master Scanner Live, CryptoTracker, and Gym and Fitness Trainer.
The biggest perpetrator of such activity, according to the report, is the Anatsa family of malware, which has been downloaded over 100,000 times. These apps seemed legitimate as they had received a lot of positive reviews and offered the features described when using them. However, after the initial download from Google Play, these apps forced users to install third-party updates to keep using them. The installed malware could then have stolen banking information and even captured everything that was displayed on the screen of the device.
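The dropper pattern described above leaves a trace that a defender can check for: a payload installed through a "third-party update" is not installed by the Play Store, and the installing package is often the dropper app itself. The following is an added example, not code from ThreatFabric's report or from Google, that parses the output of `adb shell pm list packages -i` (which lists each package with its installer) and flags packages not installed by `com.android.vending`, as well as packages whose installer is another user-installed app. The sample output below is constructed, and the `com.android.` prefix used to skip preloaded system apps is a heuristic assumption.

```python
import re

# Constructed sample of `adb shell pm list packages -i` output; not real device data.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.qrscanner  installer=com.android.vending
package:com.example.qrscanner.update  installer=com.example.qrscanner
package:com.example.fitness  installer=null
package:com.android.settings  installer=null
"""

# Installers we trust to have vetted the package (the Play Store's package name).
TRUSTED_INSTALLERS = {"com.android.vending"}

# Heuristic (assumption): preloaded system apps carry no installer and share this prefix.
SYSTEM_PREFIXES = ("com.android.",)

LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")


def parse_pm_list(text):
    """Parse `pm list packages -i` output into a list of (package, installer) pairs.

    An installer of "null" (no recorded installer) is returned as None.
    """
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        installer = m.group("installer")
        entries.append((m.group("pkg"), None if installer == "null" else installer))
    return entries


def flag_untrusted_installs(entries, trusted=TRUSTED_INSTALLERS, system_prefixes=SYSTEM_PREFIXES):
    """Return (package, installer) pairs not installed by a trusted installer.

    Preloaded system apps (no installer, system prefix) are skipped.
    """
    flagged = []
    for pkg, installer in entries:
        if installer in trusted:
            continue
        if installer is None and pkg.startswith(system_prefixes):
            continue
        flagged.append((pkg, installer))
    return flagged


def flag_dropper_chains(entries, trusted=TRUSTED_INSTALLERS):
    """Return (package, installer) pairs where the installer is itself a user app.

    This is the dropper shape: a store-installed app that later installs a
    second package from a non-store source.
    """
    installed = {pkg for pkg, _ in entries}
    return [
        (pkg, installer)
        for pkg, installer in entries
        if installer is not None and installer not in trusted and installer in installed
    ]


if __name__ == "__main__":
    parsed = parse_pm_list(SAMPLE_PM_OUTPUT)
    for pkg, installer in flag_untrusted_installs(parsed):
        print(f"not from Play Store: {pkg} (installer={installer})")
    for pkg, installer in flag_dropper_chains(parsed):
        print(f"installed by another app: {pkg} <- {installer}")
```

On a real device, pipe `adb shell pm list packages -i` into `parse_pm_list`; a package whose installer is another app on the device is the signal to investigate first, since it matches the update-after-install behaviour the report describes.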
Google released a blog post in April outlining the steps it has taken to deal with these nefarious applications. This included reducing developer access to sensitive permissions. However, according to a test conducted by the German IT security institute AV-Test in July, Google Play Protect failed to provide a competent level of security compared to other leading anti-malware programs. It was only able to detect about two-thirds of the 20,000 malicious applications tested.
The ingenuity of these malware operators has reduced the reliability of automatic malware detectors, says ThreatFabric. Users will need to be vigilant about the access they grant to applications and the sources from which they download applications and their updates.