Android Banking Trojan Malware Apps Were Downloaded 300K Times

Even online reviews and seemingly legit websites can't be trusted to help you sift the good apps from the malware.
Adam Rowe

More than 300,000 downloads of malicious banking trojan apps have gone undetected on the Google Play app store, security researchers have found.

The apps were crafted to resemble commonly downloaded tools — QR code readers, document scanners, fitness monitors or cryptocurrency apps were all represented. And the apps would actually work for those tasks. They just stole their users' sensitive information as well.

Here's how they work and what to look out for to stay safe yourself, using tools such as password managers and anti-virus software.

The Apps Taking Your Data

Like any trojan, these password-nabbing apps passed through Android's security protocols by keeping their malicious code dormant at first. But when users tried to start scanning QR codes, monitoring their fitness, or otherwise using the apps, the apps “needed” an update, which delivered the payload needed to activate the trojan.

Mobile security company ThreatFabric's researchers uncovered the scheme, and they blame Google Play's lax permissions enforcement.

“What makes these Google Play distribution campaigns very difficult to detect from an automation (sandbox) and machine learning perspective is that dropper apps all have a very small malicious footprint. This small footprint is a (direct) consequence of the permission restrictions enforced by Google Play,” the researchers wrote.

Still, the apps were tough to spot as fakes for the smartphone owners downloading them, too.

Perilous App Stores

Many people rely on the number of online reviews to determine if a product or download is safe to try out. But one particularly successful QR code scanner trojan was downloaded 50,000 times just by itself, and had plenty of positive reviews on the Google Play store. Another fitness training app had its own website, apparently just to make it seem more legitimate. Users were also funneled to the trojans through ad campaigns or phishing emails.

Once downloaded, some apps would steal two-factor authentication capabilities while others would use accessibility logging and a keylogger to gain access to everything shown on the user's screen as well as all data entered into it.
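
A defender-side illustration of the two behaviours described above (the "update" that installs extra software, and the accessibility-based logging), added here as an example and not taken from ThreatFabric or from the apps themselves: it triages a decoded AndroidManifest.xml for the permission an app needs to install other packages and for any declared accessibility service. The sample manifests, the package names and the `triage` function are constructed for illustration, and treating these two manifest entries as the relevant signals is an assumption, since the article names no specific permissions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Real Android permission names; using them as triage signals is this example's assumption.
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"
A11Y_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"

HEAD = f'<manifest xmlns:android="{ANDROID_NS}" package="com.example.app">'
CAMERA = '<uses-permission android:name="android.permission.CAMERA"/>'

# Constructed sample manifests (decoded XML), not taken from any real app.
BENIGN = HEAD + CAMERA + "<application/></manifest>"
DROPPER_LIKE = (HEAD + CAMERA
                + f'<uses-permission android:name="{INSTALL_PERM}"/>'
                + "<application/></manifest>")
PAYLOAD_LIKE = (HEAD + "<application>"
                + f'<service android:name=".Helper" android:permission="{A11Y_PERM}"/>'
                + "</application></manifest>")


def triage(manifest_xml):
    """Return findings worth a manual look before an app is allowed on a device."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(NAME) for e in root.iter("uses-permission")}
    findings = []
    # An app that can install other packages can fetch an "update" from
    # outside the store after it has passed review.
    if INSTALL_PERM in requested:
        findings.append("can-install-packages")
    # A service bound to the accessibility framework can observe screen
    # content and text input across other apps.
    for svc in root.iter("service"):
        if svc.get(PERMISSION) == A11Y_PERM:
            findings.append("accessibility-service:" + svc.get(NAME, "?"))
    return findings


if __name__ == "__main__":
    for label, xml in [("benign", BENIGN), ("dropper-like", DROPPER_LIKE),
                       ("payload-like", PAYLOAD_LIKE)]:
        print(label, triage(xml) or "no findings")
```

Neither finding proves an app is malicious, since legitimate app stores and screen readers use the same entries; the output marks which apps deserve review when a QR scanner or fitness tracker has no obvious need for them.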

Staying Safe Online

Given the quarter of a million users who have been tricked just in the latest round of scam apps, how can anyone expect to stay safe while ensuring their QR codes remain scanned?

First, don't rely on ads or emails to find any apps, even ones that have plenty of reviews or a website. Instead, try turning to verified tech websites or recognizable app brands. And if the newly downloaded app asks to install additional software, think twice before agreeing.

Depending on the type of trojan you're dealing with, a password manager can add some protection: If it autofills passwords, a keylogger may miss the chance to log the exact combination. You can learn more about the specific features of the top password management tools in our guide over here.

If you're operating a small business, getting a business-level Android password manager subscription for your whole team can be the cheapest way to keep them safe while they're browsing through the Google Play store in search of the new tool they need.


Adam is a writer at Tech.co and has worked as a tech writer, blogger and copy editor for more than a decade. He's also a Forbes Contributor on the publishing industry, for which he was named a Digital Book World 2018 award finalist. His work has appeared in publications including Popular Mechanics and IDG Connect, and he has an art history book on 1970s sci-fi coming out from Abrams Books in 2022. In the meantime, he's hunting down the latest news on VPNs, POS systems, and the future of tech.
