Researchers from mobile security company ThreatFabric report that they’ve discovered a batch of Google Play apps masked as QR code readers, PDF scanners and crypto wallets stealing user passwords, two-factor authentication codes, screenshots and logged keystrokes. The apps have been downloaded over 300,000 times.
The apps belong to four separate Android malware families that have been distributed over the past four months and use several tricks to bypass Google’s restrictions to stop fraudulent apps from popping up on the Play Store.
Anatsa, an Android banking trojan, caused the largest number of infections. It has several capabilities, including remote access and an automatic transfer system that empties victims’ accounts and passes the proceeds back to the malware operators. The three other malware families are Alien, Hydra and Ermac.
Flying under the radar
These apps work by initially shipping a benign app so that it passes as safe on the Play Store. Once the app is installed, the malicious payload is delivered through manual updates, often downloaded from third-party sources. In their report, the researchers said that some operators even take the phone’s geographical location into account or roll the updates out incrementally.
The following 12 apps have been found to be participating in the fraud.
| App name | Package name |
| --- | --- |
| Two Factor Authenticator | com.flowdivison |
| Master Scanner Live | com.multifuction.combine.qr |
| QR Scanner 2021 | com.qr.code.generate |
| PDF Document Scanner – Scan to PDF | com.xaviermuches.docscannerpro2 |
| PDF Document Scanner | com.docscanverifier.mobile |
| PDF Document Scanner Free | com.doscanner.mobile |
| Gym and Fitness Trainer | com.gym.trainer.jeux |
| Gym and Fitness Trainer | com.gym.trainer.jeux (separate SHA-256 hash) |
One of the droppers used to deliver these malicious updates was identified as Gymdrop. The dropper used filters on the device model to avoid installing the malware on researcher devices.
If all conditions were met, the payload was downloaded and installed. Gymdrop doesn’t require any special accessibility permissions either; it simply asks the user for permission. Since the app delivered initially is malware-free, most users just agree to the update. At the moment, the dropper is being used to deliver the Alien malware.