Malicious Android apps that stole sensitive financial data were downloaded more than 300,000 times from the Google Play store, according to a report published by researchers at ThreatFabric. They found that users had their banking details stolen through seemingly benign apps. User passwords, two-factor authentication codes, logged keystrokes, and more were diverted through apps posing as QR scanners, PDF scanners, or cryptocurrency wallets. These applications mainly belong to four malware families: Anatsa, Alien, Hydra, and Ermac. Google has tried to address the problem by introducing various restrictions to curb the distribution of rogue applications. This has motivated these cybercriminals to develop ingenious methods to circumvent the restrictions of the Google Play store.
In its post, ThreatFabric explained that such apps only introduce malware content through third-party sources after being downloaded from the Google Play store. These apps reportedly attract users by offering additional content through third-party updates. In some cases, malware operators are said to have manually triggered malicious updates after tracking the geographic location of infected devices.
Malicious Android apps on the Google Play store detected by researchers include QR Scanner, QR Scanner 2021, PDF Document Scanner, PDF Document Scanner Free, Two Factor Authenticator, Protection Guard, QR CreatorScanner, Master Scanner Live, CryptoTracker, and Gym and Fitness Trainer.
The biggest perpetrator of such activities has been the Anatsa malware family, according to the report, whose apps were downloaded more than 100,000 times. These apps seemed legitimate as they had a large number of positive reviews and offered the described functionality at the time of use. However, after the initial download from Google Play, these apps prompted users to install third-party updates to continue using them. The installed malware was reportedly able to steal banking details and even capture everything displayed on the device screen.
Google published a blog post in April highlighting the steps they have taken to deal with such nefarious apps. This included reducing the developer’s access to confidential permissions. However, according to a test conducted by the German IT security institute AV-Test in July, Google Play Protect did not provide a competent level of security compared to other prominent antimalware programs. It was only able to detect around two-thirds of the 20,000 malicious apps that were tested.
The ingenuity of these malware operators has reduced the reliability of automatic malware detectors, claims ThreatFabric. Users should be aware of the access they grant to applications and the sources from which they download the applications and their updates.
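The dropper pattern described above leaves a trace that a defender can check: the "update" payload is installed by the benign-looking app itself rather than by Google Play. Android records which package installed each app, and `adb shell pm list packages -i` prints that record as `package:<name>  installer=<installer or null>`. The following script is an added example written for this article, not code from ThreatFabric, Google, or the cited report. It parses that listing (a constructed sample is embedded so it runs offline), treats Google Play's real package name `com.android.vending` as the only trusted installer, and separates apps that were installed by another non-system app (the dropper indicator) from apps that were merely sideloaded by hand. The package names in the sample are invented for illustration.

```python
import re
import subprocess
from typing import Dict, List, Optional

# Google Play's package name (real); any other installer is treated as untrusted.
TRUSTED_INSTALLERS = {"com.android.vending"}

# One line of `adb shell pm list packages -i`, e.g.
#   package:com.android.chrome  installer=com.android.vending
_LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)\s*$")

# Constructed sample output (hypothetical package names) so the example runs offline.
SAMPLE_LISTING = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.qrscanner  installer=com.android.vending
package:com.example.qrscanner.update  installer=com.example.qrscanner
package:com.example.manual  installer=com.android.packageinstaller
package:com.android.packageinstaller  installer=null
package:com.android.settings  installer=null
"""


def parse_installer_listing(text: str) -> Dict[str, Optional[str]]:
    """Map each package name to the package that installed it (None for 'null')."""
    packages: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        match = _LINE_RE.match(line.strip())
        if not match:
            continue  # skip blank lines or anything that is not a package entry
        installer = match.group("installer")
        packages[match.group("pkg")] = None if installer == "null" else installer
    return packages


def classify(packages: Dict[str, Optional[str]],
             trusted=TRUSTED_INSTALLERS) -> Dict[str, List[str]]:
    """Bucket packages by how they reached the device.

    installed_by_app: the installer is itself a non-system app on the device,
                      which is exactly how a dropper delivers its 'update'.
    sideloaded:       installed by the system package installer or an unknown source.
    """
    buckets: Dict[str, List[str]] = {
        "trusted": [], "preinstalled": [], "sideloaded": [], "installed_by_app": []}
    for pkg, installer in sorted(packages.items()):
        if installer is None:
            buckets["preinstalled"].append(pkg)          # system / factory image
        elif installer in trusted:
            buckets["trusted"].append(pkg)
        elif packages.get(installer) is not None:
            # The installing package was itself installed after the fact
            # (it is not a system component): dropper indicator.
            buckets["installed_by_app"].append(pkg)
        else:
            buckets["sideloaded"].append(pkg)
    return buckets


def fetch_listing() -> str:
    """Pull the real listing from a USB-attached device; requires adb on PATH."""
    return subprocess.run(
        ["adb", "shell", "pm", "list", "packages", "-i"],
        check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Use the embedded sample; swap in fetch_listing() to inspect a real device.
    report = classify(parse_installer_listing(SAMPLE_LISTING))
    for bucket, names in report.items():
        print(f"{bucket}:")
        for name in names:
            print(f"  {name}")
```

An app in the `installed_by_app` bucket is not proof of compromise (some enterprise agents and alternative stores legitimately install other apps), but a consumer app such as a QR or PDF scanner appearing as the installer of another package is the behaviour the report describes and deserves a closer look at the installing app's permissions and network activity.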