A recent report from cybersecurity firm ThreatFabric reveals that over 300,000 Android users installed trojan apps that secretly stole their banking information. While the apps have been removed and deactivated by Google, the developers used unique methods to deploy the malware that all Android users need to be wary of.
ThreatFabric’s report only mentions a few of the malicious apps, but they include QR scanners, PDF scanners, fitness trackers, and crypto apps. Unlike other fake apps that falsely advertise their features, many of the apps in this batch of malicious Android software worked as intended. But behind the scenes, the apps were stealing passwords and other user data.
The researchers broke the apps into four separate “families” based on the specific malware used:
- Anatsa: The largest of the four malware families, with over 200,000 combined downloads, used a banking trojan called Anatsa. The trojan uses Android’s screen capture accessibility features to steal login information and other personal data.
- Alien: The second-most downloaded trojan was Alien, installed on over 95,000 devices. Alien intercepts two-factor authentication (2FA) codes, which hackers can then use to log into a user’s bank account.
- Hydra and Ermac: The last two families used the Hydra and Ermac malware, both of which are linked to the Brunhilda cybercriminal outfit group. The group used the malware to remotely access a user’s device and steal banking information. ThreatFabric’s report says apps using Hyrda and Ermac racked up a combined 15,000+ downloads.
ThreatFabric reported the apps to Google, and they have since been removed from the Play Store and deactivated on any devices they were installed on. But the real issue is how hackers managed to sneak the malware into the apps in the first place.
Normally, the Play Store will catch and remove apps with suspicious code. In these instances, however, the malware didn’t ship in the initial download, but was instead added in an update users had to install to keep running the apps. Using this method, developers can submit their apps without tripping Google’s detection. And since the apps work as intended, it’s unlikely the users will notice anything amiss. However, there were a few telltale signs the updates in question were problematic, as they may have asked for Accessibility Services privileges or forced users to sideload additional software.
There are a few things you can do to keep your devices and data safe from similar malware apps. First, always pay attention to the permissions an app asks for—and not just the first time it’s installed, but whenever you run or update it. Delete and report the app if anything it does seems suspicious or unnecessary. There’s no reason a QR code scanner needs access to your accessibility services, for example.
Similarly, only install updates directly from the Google Play Store. If an app says it requires a sudden update but you don’t see one listed in the Play Store app, it may not be a legit patch. The same goes for random requests to sideload additional apps: The only time it’s safe to sideload apps is when you download the APK file yourself from trusted, verified sources like APK Mirror or the XDA Dev forums. And don’t forget to thoroughly vet an app before you download, even if it’s on Google Play, as hackers can fake an app’s legitimacy with misleading reviews.
While these strategies aren’t guaranteed to prevent all malware attacks, if you couple them with other cybersecurity practices like using unique passwords protected by an encrypted password manager, 2FA logins, and reliable anti-malware and antivirus apps, you’ll be much better protected from bad actors and bad apps in the future.