Banking Trojans camouflaged in official stores

This is not new, but it is increasingly frequent: banking Trojans penetrated almost 300,000 devices between August and November. The malware spread through the official Google Play store. The malicious apps posed as utility apps and tried to take full control of the infected devices, dropping the malware families Anatsa, ERMAC, Alien and Hydra. The most advanced of these, incorporated into several of the apps, is called “Anatsa”; it extracts bank details in order to steal money. Cybercriminals take advantage of trends to make their products more attractive and use them to camouflage viruses that steal personal data; for this reason, QR codes and cryptocurrency wallets have become a new vehicle for distributing attacks. Thousands of users have downloaded QR readers, document scanners and other tools behind which malicious code specialized in stealing bank data was hidden. The apps in question span features as disparate as QR code readers, document scanners and cryptocurrency wallets. Once the application has been installed for a while, an update is required in order to continue using it; this is where the virus is integrated, capable of tracking the person’s passwords and intercepting two-step authentication codes. These banking Trojans can read and record the keys pressed on the smartphone and take screenshots, all with the aim of learning their victims’ personal data, taking control of credit cards and bank accounts, and accessing online services. Here are the 12 Google Play apps that have been detected with malware:
Two Factor Authenticator (com.flowdivison)
Protection Guard (
QR CreatorScanner (com.ready.qrscanner.mix)
Master Scanner Live (com.multifuction.combine.qr)
QR Scanner 2021 (com.qr.code.generate)
QR Scanner (com.qr.barqr.scangen)
PDF Document Scanner – Scan to PDF (com.xaviermuches.docscannerpro2)
PDF Document Scanner (
PDF Document Scanner Free (
CryptoTracker (
Gym and Fitness Trainer (com.gym.trainer.jeux)

Once installed, these Trojans can steal user passwords, keystrokes, SMS-based two-factor authentication codes and screenshots. They may also extract funds from users’ bank accounts without their knowledge by using automatic transfer tools. The apps were removed from the Play Store, but infected users remain at risk. Although Google has introduced limitations to restrict the use of access permissions, criminals use a more traditional way of installing apps, called version control, to avoid detection: clean versions of the apps are uploaded first, and the malicious functionality is then disguised as a new app update. Google has reinforced its security measures in recent years and usually removes reported apps immediately, but cybercriminals continue to find ways around those controls and falsify reviews to give their product a greater appearance of legitimacy, so the probability that contaminated apps are still present is real. This is neither the only nor the last case of this type of attack; we must pay attention to the applications we download and to the origin of their updates. Those who suspect they are still victims of this campaign should keep an eye on their bank accounts and uninstall any suspicious applications. If an app is not used for a while, it is better to uninstall it. Even so, a good antivirus and regular backups are vital to be prepared for when viruses reach the device, because if anything is certain, it is that everyone is a potential victim.
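One practical way to act on the advice above is to check a device's package inventory against the app identifiers the article lists and to look at where each third-party app was installed from, since the malicious "update" is installed by the dropper app itself rather than by Google Play. The script below is an added example, not code from the original post; it parses the output of `adb shell pm list packages -i` (the sample inventory is constructed, and the preinstalled-package heuristic is an assumption).

```python
"""Flag known dropper packages and third-party apps not installed by Google Play.
Input format is that of `adb shell pm list packages -i`; sample data is constructed."""
import re
from typing import Dict, List, Tuple

# Package identifiers the article attributes to the campaign (only those it lists in full).
KNOWN_BAD_PACKAGES = {
    "com.flowdivison", "com.ready.qrscanner.mix", "com.multifuction.combine.qr",
    "com.qr.code.generate", "com.qr.barqr.scangen",
    "com.xaviermuches.docscannerpro2", "com.gym.trainer.jeux",
}
PLAY_STORE_INSTALLER = "com.android.vending"
# Assumed heuristic: treat these prefixes as preinstalled/system packages and skip them.
SYSTEM_PREFIXES = ("com.android.", "com.google.")

# Each line looks like:  package:com.example.app  installer=com.android.vending
# (installer=null for sideloaded or preinstalled packages)
LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")

SAMPLE_OUTPUT = """\
package:com.android.chrome  installer=null
package:com.example.bank  installer=com.android.vending
package:com.flowdivison  installer=com.android.vending
package:com.ready.qrscanner.mix  installer=com.android.vending
package:com.dropped.payload  installer=com.flowdivison
package:com.sideloaded.tool  installer=null
"""


def parse_pm_list(output: str) -> Dict[str, str]:
    """Map package name -> installer package from `pm list packages -i` text."""
    result: Dict[str, str] = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            result[m.group(1)] = m.group(2)
    return result


def assess(packages: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (package, reason) findings: known dropper packages first, then
    third-party packages whose installer is not Google Play (e.g. another app)."""
    known_bad, suspicious = [], []
    for pkg, installer in sorted(packages.items()):
        if pkg in KNOWN_BAD_PACKAGES:
            known_bad.append((pkg, "package name matches a reported dropper app"))
        elif installer != PLAY_STORE_INSTALLER and not pkg.startswith(SYSTEM_PREFIXES):
            suspicious.append((pkg, f"installed by {installer}, not Google Play"))
    return known_bad + suspicious


if __name__ == "__main__":
    for pkg, reason in assess(parse_pm_list(SAMPLE_OUTPUT)):
        print(f"{pkg}: {reason}")
```

On a real device, pipe the output of `adb shell pm list packages -i` into `parse_pm_list` instead of the constructed sample.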

Original source in Spanish
