Malicious Android apps that stole sensitive financial data were downloaded over 300,000 times from the Google Play store, according to a report published by researchers at ThreatFabric. They discovered that users had their banking details stolen by seemingly benign-looking apps. User passwords, two-factor authentication codes, logged keystrokes, and more were siphoned via apps that posed as QR scanners, PDF scanners, or cryptocurrency wallets. These apps are primarily part of four malware families — Anatsa, Alien, Hydra, and Ermac. Google has tried to tackle the problem by introducing several restrictions to seize the distribution of fraudulent apps. This has motivated these cybercriminals to develop ingenious means to bypass the Google Play store restrictions.
In its post, ThreatFabric explained that such applications only introduce the malware content through third-party sources after being downloaded from the Google Play store. These applications reportedly entice users by offering additional content through such third-party updates. In some cases, the malware operators are said to have manually triggered malicious updates after tracking the geographical location of the infected devices.
The malicious Android apps on the Google Play store spotted by the researchers included QR Scanner, QR Scanner 2021, PDF Document Scanner, PDF Document Scanner Free, Two Factor Authenticator, Protection Guard, QR CreatorScanner, Master Scanner Live, CryptoTracker, and Gym and Fitness Trainer.
The biggest perpetrator of such activities has been the Anatsa malware family as per the report, which was downloaded over 100,000 times. Such applications appeared to be legitimate as they had a large number of positive reviews and offered the depicted functionality upon use. However, after the initial download from Google Play, these apps made users install third-party updates to continue using them. The malware installed was then reportedly able to steal banking details and even capture everything shown on the device’s screen.
Google published a blog post in April marking out the steps they have taken to deal with such nefarious apps. This included reducing the developer access to sensitive permissions. However, as per a test conducted by German IT security institute AV-Test in July, Google Play Protect failed to provide a competent level of security compared to other prominent anti-malware programs. It was only able to detect around two-thirds of the 20,000 malicious apps that were tested.
The ingenuity of such malware operators has reduced the reliability of automatic malware detectors, the ThreatFabric claims. Users will have to be vigilant regarding the access they grant to applications and the sources they download the apps and their updates from.