The effort to keep our devices free of malware, viruses, and threats is an endless battle and definitely seems winless – at least for the good guys. Malicious apps were found on the Google Play Store … again … and this time they were stealing banking credentials. While it’s great the threats have been removed, we know it’s just a matter of time before more land there.
Discovery of Malicious Apps on Google Play Store
Do you feel like you’re experiencing a bit of deja vu? At this point, it’s comparable to learning there’s another COVID variant lurking around.
Mobile security company ThreatFabric announced in a blog post that a group of apps had been found residing in the Play Store and that they’ve been stealing banking credentials. These masked trojans were downloaded more than 300,000 times before they were found.

The apps stole user passwords and two-factor authentication codes, logged keystrokes, and took screenshots while masquerading as QR scanners, PDF scanners, and cryptocurrency wallets. They belonged to four separate Android malware families.
While Google has put security measures in place to prevent malicious apps from being uploaded, the malware developers were still able to sneak in.
“What makes these Google Play distribution campaigns very difficult to detect from an automation (sandbox) and machine learning perspective is that developer apps all have a very small malicious footprint,” explained the blog post. “This small footprint is a (direct) consequence of the permission restrictions enforced by Google Play.”
The malware developers got around the Google rules by offering apps that didn’t include a threat initially. After the apps were downloaded, users were asked to download updates with new features from third-party sources. Those updates were the avenue through which the malware arrived.

There were other methods used as well to limit suspicion around the apps. “This incredible attention dedicated to evading unwanted attention renders automated malware detection less reliable,” stated the ThreatFabric blog post. “This consideration is confirmed by the very low overall VirusTotal score of the number of droppers we have investigated in this blog post.”
The Anatsa malware family was behind more malicious apps than the three others. It had remote access and automatic transfer systems that would steal from unsuspecting users’ bank accounts.
Limiting the Effect of Malicious Apps
The other malware families were Alien, Hydra, and Ermac. The malicious apps they offered on the Play Store included:
- Two Factor Authenticator
- Protection Guard
- QR CreatorScanner
- Master Scanner Live
- QR Scanner 2021
- QR Scanner
- PDF Document Scanner – Scanner to PDF
- PDF Document Scanner
- PDF Document Scanner Free
- CryptoTracker
- Gym and Fitness Trainer
Make sure you don’t have any of them on your Android devices.

While Google is always quick to pull these apps down, malicious apps on the Play Store are a nagging problem, whether they’re stealing banking information or performing other malicious duties.
But as these most recent malicious apps showed, it can be difficult to identify the apps as malicious. For sure, it’s good practice to avoid apps with bad reviews and a small presence. Also, if you have older, unused apps on your phone, uninstalling them is best.
