Over 300,000 Android users have downloaded these banking trojan malware apps, say security researchers

Cybersecurity researchers at ThreatFabric detail how password-stealing Android banking trojans were disguised as QR code readers, fitness monitors, cryptocurrency apps and more.
Written by Danny Palmer, Senior Writer

Over 300,000 Android smartphone users have downloaded what turned out to be banking trojans after falling victim to malware that has bypassed detection by the Google Play app store. 

Detailed by cybersecurity researchers at ThreatFabric, the four different forms of malware are delivered to victims via malicious versions of commonly downloaded applications, including document scanners, QR code readers, fitness monitors and cryptocurrency apps. The apps often come with the functions that are advertised in order to avoid users getting suspicious. 

In each case, the malicious intent of the app is hidden and the process of delivering the malware only begins once the app has been installed, enabling the apps to bypass Play Store detections.

The most prolific of the four malware families is Anatsa, which has been installed by over 200,000 Android users – researchers describe it as an "advanced" banking trojan that can steal usernames and passwords, and uses accessibility logging to capture everything shown on the user's screen, while a keylogger allows attackers to record all information entered into the phone. 

Anatsa malware has been active since January, but appears to have received a substantial push since June – researchers were able to identify six different malicious applications designed to deliver the malware. These include apps that posed as QR code scanners, PDF scanners and cryptocurrency apps, all of which deliver the malware.

One of these apps is a QR code scanner, which alone has been installed by 50,000 users, and the download page features a large number of positive reviews, something that can encourage people to download the app. Users are directed to the apps via phishing emails or malicious ad campaigns.

After the initial download, users are forced to update the app to continue using it – it's this update that connects to a command and control server and downloads the Anatsa payload onto the device, providing attackers with the means to steal banking details and other information. 

The second most prolific of the malware families detailed by researchers at ThreatFabric is Alien, an Android banking trojan that can also steal two-factor authentication capabilities and which has been active for over a year. The malware has received 95,000 installations via malicious apps in the Play Store. 

One of these is a gym and fitness training app that comes with a supporting website designed to enhance its legitimacy, but close inspection of the site reveals placeholder text all over it. The website also serves as the command and control centre for the Alien malware.

Like Anatsa, the initial download doesn't contain malware, but users are asked to install a fake update – disguised as a package of new fitness regimes – which distributes the payload.

The other two forms of malware that have been dropped using similar methods in recent months are Hydra and Ermac, which have a combined total of at least 15,000 downloads. ThreatFabric has linked Hydra and Ermac to Brunhilda, a cyber-criminal group known to target Android devices with banking malware. Both Hydra and Ermac provide attackers with access to the device required to steal banking information. 

ThreatFabric has reported all of the malicious apps to Google and a Google spokesperson confirmed to ZDNet that the apps named in the report have been removed from the Play Store. Cyber criminals will continually attempt to find ways to bypass protections to deliver mobile malware, which is becoming increasingly attractive to them.

"The Android banking malware ecosystem is evolving rapidly. These numbers that we are observing now are the result of a slow but inevitable shift of focus from criminals towards the mobile landscape. With this in mind, the Google Play Store is the most attractive platform to use to serve malware," Dario Durando, mobile malware specialist at ThreatFabric, told ZDNet.

The convincing nature of the malicious apps means that they can be hard to identify as a potential threat, but there are steps users can take to avoid infection.

"A good rule of thumb is to always check updates and always be very careful before granting accessibility services privileges – which will be requested by the malicious payload, after the 'update' installation – and be wary of applications that ask to install additional software," said Durando.

