More than 300,000 downloads of malicious banking trojan apps have gone undetected on the Google Play app store, security researchers have found.
The apps were crafted to resemble commonly downloaded tools — QR code readers, document scanners, fitness monitors or cryptocurrency apps were all represented. And the apps would actually work for those tasks. They just stole their users’ sensitive information as well.
Here’s how they work and what to look out for to stay safe yourself, using tools such as password managers and anti-virus software.
The Apps Taking Your Data
Like any trojan, these password-nabbing apps passed through Android’s security protocols by keeping their malicious code dormant at first. But when users tried to start scanning QR codes, monitoring their fitness, or otherwise using the apps, the apps “needed” an update, which delivers the payload needed to activate the trojan.
Mobile security company ThreatFabric’s researchers uncovered the scheme, and they blame Google Play’s lax permissions enforcement.
“What makes these Google Play distribution campaigns very difficult to detect from an automation (sandbox) and machine learning perspective is that dropper apps all have a very small malicious footprint. This small footprint is a (direct) consequence of the permission restrictions enforced by Google Play,” the researchers wrote.
Still, the apps were tough to spot as fakes for the smartphone owners downloading them, too.
Perilous App Stores
Many people rely on the number of online reviews to determine if a product or download is safe to try out. But one particularly successful QR code scanner trojan was downloaded 50,000 times just by itself, and had plenty of positive reviews on the Google Play store. Another fitness training app has its own website, apparently just to make it seem more legitimate. Users were even funneled to the trojans with ad campaigns or phishing emails as well.
Once downloaded, some apps would steal two-factor authentication capabilities while others would use accessibility logging and a keylogger to gain access to everything shown on the user’s screen as well as all data entered into it.
Staying Safe Online
Given the quarter of a million users who have been tricked just in the latest round of scam apps, how can anyone expect to stay safe while ensuring their QR codes remain scanned?
First, don’t rely on ads or emails to find any apps, even ones that have plenty of reviews or a website. Instead, try turning to verified tech websites or recognizable app brands. And if the newly downloaded app asks to install additional software, think twice before agreeing.
Depending on the type of trojan you’re dealing with, a password manager can add some protection: If it autofills passwords, a keylogger may miss the chance to log the exact combination. You can learn more about the specific features of the top password management tools in our guide over here.
If you’re operating a small business, getting a business-level Android password manager subscription for your whole team can be the cheapest way to keep them safe while they’re browsing through the Google Play store in search of the new tool they need.
