Skip to content

12 Google Play apps caught stealing bank credentials

  • by
  • 2 min read

Researchers from mobile security company ThreatFabric report that they’ve discovered a batch of Google Play apps masked as QR code readers, PDF scanners and crypto wallets stealing user passwords, two-factor authentication codes, screenshots and logged keystrokes. The apps have been downloaded over 300,000 times. 

The apps belong to four separate Android malware families that have been distributed over the past four months and use several tricks to bypass Google’s restrictions to stop fraudulent apps from popping up on the Play Store. 

Anatsa, an Android banking trojan, caused the largest number of infections. It has several capabilities, including remote access and an automatic transfer system to automatically empty victims’ accounts and deliver contents back to the malware operators. The three other malware families include Alein, Hydra and Ermac. 

In the News: Pixel 6a rumour roundup: Leaked specs, renders and more


Flying under the radar

The way these apps work is by delivering a safe app, in the beginning, to make it seem safe on the Play Store. Once the app is installed, malicious payloads are delivered through manual updates often downloaded from third-party sources. In their report, the researchers said that some operators even consider a phone’s geographical location or update them incrementally. 

12 Google Play apps caught stealing bank credentials
The four malware families operating on the batch | Source: ThreatFabric

The following 12 apps have been found to be participating in the fraud. 

App namePackage name
Two Factor Authenticatorcom.flowdivison
Protection Guardcom.protectionguard.app
QR CreatorScannercom.ready.qrscanner.mix
Master Scanner Livecom.multifuction.combine.qr
QR Scanner 2021com.qr.code.generate
QR Scannercom.qr.barqr.scangen
PDF Document Scanner – Scan to PDFcom.xaviermuches.docscannerpro2
PDF Document Scannercom.docscanverifier.mobile
PDF Document Scanner Freecom.doscanner.mobile
CryptoTrackercryptolistapp.app.com.cryptotracker
Gym and Fitness Trainercom.gym.trainer.jeux
Gym and Fitness Trainercom.gym.trainer.jeux (separate SHA-256 code)

One of the droppers used to deliver these malicious updates was identified as Gymdrop. The dropper used filters to identify the model of the device to prevent malware installation on researcher devices. 

If all conditions were met, the payload would be downloaded and installed. Gymdrop doesn’t require any special accessibility permissions either; it just asks users for access permission. Since the app delivered initially is malware-free, most users just agree to the update. At the moment, the dropper is being used to deliver the Alien malware. 

In the News: China’s new surveillance system targets journalists, foreign students

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.

>