An Android banking trojan that steals passwords has been found hiding inside commonly used applications on the Google Play Store. According to researchers, the malicious apps have already been installed by more than 300,000 users.
Android Banking Trojan
According to ZDNet, more than 300,000 Android smartphone users have unknowingly installed apps that turned out to carry banking trojans.
Specifically, ThreatFabric identified four families of Android banking malware being delivered to devices through apps that are downloaded regularly from the official store.
The infected apps pose as document scanners, QR code readers, fitness trackers, and cryptocurrency apps.
The malicious purpose of these apps is concealed: the banking trojan itself is fetched only after the app has been installed, which lets the attackers evade Google Play's review checks.
An app built this way is called a dropper, and the dropper design is what keeps detection by the Google Play Store to a minimum, since the app submitted for review contains little or no malicious code of its own.
For background, Techopedia defines a dropper as a kind of malware designed to "drop", meaning install, another piece of malware. Because a dropper carries no obvious malicious functionality itself and retrieves its payload only later, it is hard to identify, and many anti-virus products fail to flag it.
To provide further details, ThreatFabric has described the four Android banking trojan families found in Google Play Store apps.
Android Banking Trojans in Regularly Used Apps
Anatsa is the most widespread of the Android banking trojan families. It was unknowingly downloaded by more than 200,000 Android users.
Researchers characterize it as an advanced banking trojan that can steal usernames and passwords. It also captures anything displayed on the user's screen by abusing Android's accessibility services for logging, and a built-in keylogger lets the criminals record any information entered on the device.
Anatsa has been active since January, but it appears to have become more active since June. Researchers found six infected apps used to deliver the malware, including the following:
- QR Scanner 2021
- QR Scanner
- PDF Document Scanner - Scan to PDF
- PDF Document Scanner
- PDF Document Scanner Free
"The process of infection with Anatsa looks like this: upon the start of installation from Google Play, the user is forced to update the app in order to continue using the app," Threat Fabric explained in detail.
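The two traits described above, an app that later installs a further "update" and a payload that abuses the accessibility service, both leave traces in an app's manifest. The following is an added example (not code from the article, ZDNet or ThreatFabric) of a static triage check over a decoded AndroidManifest.xml. The sample manifests, the package name `com.example.qrscanner` and the service name `.UpdateAccessibilityService` are constructed for illustration; the indicator list is a triage heuristic of my own, not a ThreatFabric detection rule.

```python
"""Static triage of a decoded AndroidManifest.xml for dropper and
accessibility-abuse indicators.

Added example, not from the original article or from ThreatFabric.
Both manifests below are constructed; the package and service names
are invented. Run apktool (or `aapt2 dump xmltree`) on an APK first
to get the manifest as plain XML.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree key prefix for android:* attributes

# Capabilities the article's malware needs. Benign apps request some of
# these too, so the result is a triage signal, not a verdict.
INDICATORS = {
    "android.permission.REQUEST_INSTALL_PACKAGES":
        "can side-load an APK (how a dropper installs the forced 'update')",
    "android.permission.RECEIVE_SMS":
        "can intercept SMS-delivered 2FA codes",
    "android.permission.READ_SMS":
        "can read SMS-delivered 2FA codes",
}
# A service guarded by this permission is an accessibility service, which
# is what Anatsa-style screen logging and keylogging are built on.
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed manifest resembling a QR-scanner dropper: camera is expected,
# but an accessibility service plus install permission is not.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.qrscanner">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="QR Scanner">
    <activity android:name=".MainActivity"/>
    <service android:name=".UpdateAccessibilityService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed manifest of a scanner that only asks for what it needs.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.qrscanner">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="QR Scanner">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return a dict of indicator -> explanation found in the manifest text.

    An accessibility service, if declared, is reported under the key
    'accessibility_service' with the service class name as the value.
    """
    root = ET.fromstring(xml_text)
    findings = {}
    for node in root.iter("uses-permission"):
        name = node.get(A + "name")
        if name in INDICATORS:
            findings[name] = INDICATORS[name]
    for svc in root.iter("service"):
        if svc.get(A + "permission") == ACCESSIBILITY_PERMISSION:
            findings["accessibility_service"] = svc.get(A + "name")
    return findings


def is_suspicious(findings):
    """Flag the dropper pattern: an accessibility service combined with the
    ability to install further packages (or to read 2FA SMS)."""
    if "accessibility_service" not in findings:
        return False
    return any(p in findings for p in INDICATORS)


if __name__ == "__main__":
    for label, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        found = triage_manifest(manifest)
        print(f"[{label}] suspicious={is_suspicious(found)}")
        for key, value in found.items():
            print(f"  {key}: {value}")
```

The check is deliberately conservative: a file manager or a screen reader legitimately declares an accessibility service, and an app store client legitimately requests REQUEST_INSTALL_PACKAGES, so the combination is what warrants a closer look at the app's update code path, not either capability on its own.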
Alien is the second most widespread of the malware families. ThreatFabric reported that infected applications in the Google Play Store have been used to install it 95,000 times.
This Android banking trojan can also intercept two-factor authentication codes, and it has been active for over a year.
ZDNet added that one of the Alien-infected apps is a gym and fitness training app that comes with a supporting website intended to boost its credibility, but a closer look exposes placeholder text across the site.
The same website also functions as the Alien malware's command and control server.
The affected apps include Master Scanner Live, Gym and Fitness Trainer, BitPay - Secure Bitcoin Wallet, BPI APP, and more.
Hydra and Ermac
Hydra and Ermac, which have a combined total of approximately 15,000 installations, are the other two malware families that have been spread using similar tactics in recent months.
ThreatFabric added that Hydra and Ermac have been linked to Brunhilda, a cyber-criminal group that targets Android smartphones with banking malware.
Both Hydra and Ermac allow hackers to gain access to the device