Google Play Store Apps That Stole Bank Credentials Were Downloaded 300,000 Times

Malicious Android apps that stole sensitive financial data were downloaded more than 300,000 times from the Google Play store, according to a report from ThreatFabric researchers. Posing as QR scanners, PDF scanners, or cryptocurrency wallets, the apps quietly harvested banking details, passwords, two-factor authentication codes, and keystrokes. They belonged to the Anatsa, Alien, Hydra, and Ermac malware families. Google has imposed restrictions intended to curb the distribution of such apps, and the criminals behind them have responded with new techniques for getting around those restrictions.

ThreatFabric explained that the version downloaded from Google Play is only a dropper: the malicious code is fetched afterwards from third-party sources. Users are lured into installing these third-party "updates" with promises of additional content, and in some cases the malware operators pushed the malicious update manually, based on the geographical location of the infected device.

Among the flagged malicious Android apps on Google Play were QR Scanner, QR Scanner 2021, PDF Document Scanner, PDF Document Scanner Free, Two Factor Authenticator, Protection Guard, QR CreatorScanner, Master Scanner Live, CryptoTracker, and Gym and Fitness Trainer.

The Anatsa malware family was the biggest offender, with more than 100,000 downloads. The apps looked legitimate and carried positive reviews, but after installation they required users to install a third-party update, and it was that update that delivered the banking-credential theft and screen-capture functionality.
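The dropper pattern described above (a harmless-looking scanner app that later sideloads its real payload and reads 2FA codes) leaves traces in the permissions an APK declares before any update ever arrives. The following is an added triage example, not code from ThreatFabric, Google, or the article: it parses the text output of `aapt dump permissions` and flags packages whose declared permissions do not fit a scanner. The indicator permissions, the scanner baseline, the package names, and the sample output are all constructed assumptions of this example; the article names no specific permissions.

```python
"""Triage declared Android permissions for dropper / banking-trojan indicators.

Added example, not code from the article or the projects it describes. Input is
the text format produced by `aapt dump permissions <apk>` (possibly several APKs
concatenated). The sample below is constructed; so is the indicator list.
"""
import re
from typing import Dict, List

# Capabilities the article attributes to the droppers, mapped to the Android
# permissions that grant them. ASSUMPTION of this example: the report itself
# does not list permissions.
INDICATORS: Dict[str, str] = {
    "android.permission.REQUEST_INSTALL_PACKAGES":
        "can install an APK it downloaded itself (third-party 'update' dropper)",
    "android.permission.RECEIVE_SMS": "can read incoming SMS (2FA code theft)",
    "android.permission.READ_SMS": "can read stored SMS (2FA code theft)",
    "android.permission.SYSTEM_ALERT_WINDOW":
        "can draw overlays on top of banking apps (credential phishing)",
}

# What a QR/PDF scanner legitimately needs. Constructed baseline; tune it.
EXPECTED_FOR_SCANNER = {
    "android.permission.CAMERA",
    "android.permission.INTERNET",
    "android.permission.VIBRATE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

_PKG_RE = re.compile(r"^package:\s*(\S+)")
_PERM_RE = re.compile(r"^uses-permission:\s*name='([^']+)'")


def parse_aapt_permissions(text: str) -> Dict[str, List[str]]:
    """Parse `aapt dump permissions` output into {package: [permissions]}."""
    result: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _PKG_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, [])
            continue
        m = _PERM_RE.match(line)
        if m and current is not None:
            result[current].append(m.group(1))
    return result


def triage(apps: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return {package: [reasons]} for every package that requests at least one
    indicator permission. Permissions outside the scanner baseline are reported
    as extra context for flagged packages only, to keep noise down."""
    flagged: Dict[str, List[str]] = {}
    for pkg, perms in apps.items():
        reasons = [f"{p}: {why}" for p, why in INDICATORS.items() if p in perms]
        if not reasons:
            continue
        extra = sorted(set(perms) - EXPECTED_FOR_SCANNER - set(INDICATORS))
        if extra:
            reasons.append("outside scanner baseline: " + ", ".join(extra))
        flagged[pkg] = reasons
    return flagged


# Constructed sample: one dropper-like scanner and one benign one.
SAMPLE_AAPT_OUTPUT = """\
package: com.constructed.qrscanner
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.REQUEST_INSTALL_PACKAGES'
uses-permission: name='android.permission.RECEIVE_SMS'
package: com.constructed.pdfscanner
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.READ_EXTERNAL_STORAGE'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
"""

if __name__ == "__main__":
    for pkg, reasons in triage(parse_aapt_permissions(SAMPLE_AAPT_OUTPUT)).items():
        print(pkg)
        for r in reasons:
            print("  -", r)
```

Run it against real output with `aapt dump permissions app.apk | python3 triage.py` after replacing the sample with `sys.stdin.read()`. A hit on REQUEST_INSTALL_PACKAGES in an app that calls itself a scanner is exactly the "install our update from elsewhere" behaviour the report describes, and it is visible before the payload is ever fetched.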

Google described its countermeasures in an April blog post, including restricting developers' access to sensitive permissions. However, a July test by the German IT security institute AV-Test found that Google Play Protect provided weaker protection than other anti-malware programs, detecting only about two-thirds of the 20,000 malicious apps in the test set.

ThreatFabric contends that the growing sophistication of malware operators has made automatic malware detection less reliable. Users are advised to be careful about which permissions they grant to applications and about where they obtain apps and their updates.