Account Draining Malware Attacks 300,000 Android Users

Security researchers discovered a dangerous banking malware that attacked more than 300,000 Android users. This malware is secretly spreading through 12 applications on the Google Play Store.

According to a report by cyber security company ThreatFabric, four types of malware were found, namely Anatsa, Alien, Hydra, and Ermac. This malware infects users through applications that offer features such as document scanners, QR code readers, and health apps.


Once it has infiltrated a phone, the malware can steal passwords and two-factor authentication (2FA) codes for mobile banking and payment applications, record keystrokes, and take screenshots.



The creators of this malware used several tricks to evade Google's detection. When a user first installs an infected app, they see a normal app that works as intended.


Once users trust it, the app prompts them to install an update from a third-party source. Most of these apps go undetected by VirusTotal's malware checker.


Malware operators also have other ways of evading detection. In most cases, they only push the malicious update after checking the geographic location of the infected phone, or they roll the update out incrementally.


"This extraordinary focus dedicated to avoiding unwanted attention makes automated malware detection difficult to rely on," ThreatFabric said in its report, as quoted by ArsTechnica, Thursday (2/12/2021).


"These considerations are confirmed by VirusTotal's extremely low overall score of the 9 droppers we have investigated in this blogpost."


Of the four malware families, the most dangerous is Anatsa, which has infected more than 200,000 Android users. This malware is quite sophisticated and has capabilities such as remote access and an automatic transfer system (ATS), which can empty the victim's bank account and send the funds to the malware operator.


One application that carries the Anatsa malware is a QR code scanner application that has been installed by more than 50,000 users. The following is the list of 12 malicious applications identified by ThreatFabric, along with their package names:


Two Factor Authenticator - com.flowdivison

Protection Guard - com.protectionguard.app

QR CreatorScanner - com.ready.qrscanner.mix

Master Scanner Live - com.multifuction.combine.qr

QR Scanner 2021 - com.qr.code.generate

QR Scanner - com.qr.barqr.scangen

PDF Document Scanner - Scan to PDF - com.xaviermuches.docscannerpro2

PDF Document Scanner - com.docscanverifier.mobile

PDF Document Scanner Free - com.doscanner.mobile

CryptoTracker - cryptolistapp.app.com.cryptotracker

Gym and Fitness Trainer - com.gym.trainer.jeux

Gym and Fitness Trainer - com.gym.trainer.jeux


ThreatFabric has reported its findings to Google; some of these apps have been removed, while others are still under review. If you have installed any of the applications above, remove it from your phone immediately.
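A practical way to act on the list above is to compare the packages actually installed on a phone against the package names ThreatFabric published. The following POSIX shell script is an added example, not code from the article or from ThreatFabric: it defines a function that reads the output of `adb shell pm list packages` (lines of the form `package:com.example.app`) and prints any package that matches one of the listed names. The sample input at the bottom is constructed for the demonstration and is not taken from a real device.

```shell
#!/bin/sh
# Added example: flag installed Android packages that match the package names
# the article lists for the Anatsa/Alien/Hydra/Ermac droppers.
# Input format: output of `adb shell pm list packages` ("package:<name>" per line);
# bare package names (one per line) are accepted too.

# Package names from the article's list (one per line, no spaces in names).
IOC_PACKAGES="com.flowdivison
com.protectionguard.app
com.ready.qrscanner.mix
com.multifuction.combine.qr
com.qr.code.generate
com.qr.barqr.scangen
com.xaviermuches.docscannerpro2
com.docscanverifier.mobile
com.doscanner.mobile
cryptolistapp.app.com.cryptotracker
com.gym.trainer.jeux"

# find_dropper_packages: read package lines from stdin, print each package
# name that appears in IOC_PACKAGES. Like grep, exit 0 if anything matched
# (device has a listed app installed) and 1 if the list is clean.
find_dropper_packages() {
    found=1
    while IFS= read -r line; do
        pkg="${line#package:}"          # strip the "package:" prefix if present
        pkg="${pkg%% *}"                # drop trailing fields such as " uid:10123"
        [ -n "$pkg" ] || continue
        for ioc in $IOC_PACKAGES; do
            if [ "$pkg" = "$ioc" ]; then
                printf '%s\n' "$pkg"
                found=0
            fi
        done
    done
    return $found
}

# Constructed sample of `pm list packages` output (not from a real device).
SAMPLE_PM_OUTPUT="package:com.android.chrome
package:com.qr.barqr.scangen
package:com.example.notes
package:com.gym.trainer.jeux"

# Demo on the constructed sample: prints the two listed packages.
printf '%s\n' "$SAMPLE_PM_OUTPUT" | find_dropper_packages
```

On a real device, source the script and run `adb shell pm list packages | find_dropper_packages`; a non-empty result means one of the listed apps is present and should be uninstalled (`adb shell pm uninstall <package>` or via the phone's app settings). Note that this only catches the specific package names in the article; the same dropper technique can reappear under new names, so a match list like this is a point-in-time check, not a substitute for avoiding third-party "updates".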


There are several things you can do to avoid malicious applications spreading on the Google Play Store. First, always read reviews and comments from other users.


As much as possible, avoid applications whose names and developers are unknown and whose user base is still small. Also, be careful when an app prompts you to download updates from third-party sources.
