Date: 2021-11-30

The Android app store is a safe place, and it’s packed with malware detection and verification methods to prevent things like the one we’re talking about today from happening. However, it is impossible for Google’s security systems to hunt down all malicious applications that sooner or later end up bypassing the security systems of the Play Store.

Given the strong measures implemented in recent years, attackers have opted for covert techniques that do not attract attention, staying as stealthy as possible before striking and running off with the loot.

A dozen apps with more than 300,000 installations found to download a banking Trojan

ThreatFabric researchers have just published a study reporting the discovery of a series of applications that accumulated more than 300,000 downloads on Google Play before being identified as banking malware that stole users’ passwords and two-step authentication codes, logged keystrokes and took screenshots.

The apps were presented as QR scanners, PDF scanners and cryptocurrency wallets, and they belonged to 4 different malware families that were distributed over the last 4 months. The applications were initially completely benign and worked normally, but before long users received a message indicating that an update was available for the application.

Image: ThreatFabric

This is when the Trojans were downloaded, once the user already trusted the application and did not consider it a threat. For the same reason, virus detection tools did not flag anything either: the apps obtained a score of 9 out of 10 on analysis platforms such as VirusTotal.

One of the viruses detected is from the family Anatsa, an advanced banking Trojan for Android systems, which, among other things, is capable of remotely controlling the user’s device and activating automatic bank transfer systems to empty the accounts of its victims.

The rest of the malware detected belonged to the virus families of Alien, Hydra and Ermac, with personalized infection systems for each device model, which made them very difficult to detect by conventional security systems.

If you have any of these apps, delete it right away from your Android

Below, we break down the names of the infectious apps. It goes without saying that if we have any of them on our device we must uninstall them as soon as possible. Some of them use generic names, so if we have any doubts it is advisable to look at the name of the package for a correct identification.

Name | Package | SHA-256 hash
Two Factor Authenticator | com.flowdivison | a3bd136f14cc38d6647020b2632bc35f21fc643c0d3741caaf92f48df0fc6997
Protection Guard | com.protectionguard.app | d3dc4e22611ed20d700b6dd292ffddbc595c42453f18879f2ae4693a4d4d925a
QR CreatorScanner | com.ready.qrscanner.mix | ed537f8686824595cb3ae45f0e659437b3ae96c0a04203482d80a3e51dd915ab
Master Scanner Live | com.multifuction.combine.qr | 7aa60296b771bdf6f2b52ad62ffd2176dc66cb38b4e6d2b658496a6754650ad4
QR Scanner 2021 | com.qr.code.generate | 2db34aa26b1ca5b3619a0cf26d166ae9e85a98babf1bc41f784389ccc6f54afb
QR Scanner | com.qr.barqr.scangen | d4e9a95719e4b4748dba1338fdc5e4c7622b029bbcd9aac8a1caec30b5508db4
PDF Document Scanner – Scan to PDF | com.xaviermuches.docscannerpro2 | 2080061fe7f219fa0ed6e4c765a12a5bc2075d18482fa8cf27f7a090deca54c5
PDF Document Scanner | com.docscanverifier.mobile | 974eb933d687a9dd3539b97821a6a777a8e5b4d65e1f32092d5ae30991d4b544
PDF Document Scanner Free | com.doscanner.mobile | 16c3123574523a3f1fb24bbe6748e957afff21bef0e05cdb3b3e601a753b8f9d
CryptoTracker | cryptolistapp.app.com.cryptotracker | 1aafe8407e52dc4a27ea800577d0eae3d389cb61af54e0d69b89639115d5273c
Gym and Fitness Trainer | com.gym.trainer.jeux | 30ee6f4ea71958c2b8d3c98a73408979f8179159acccc01b6fd53ccb20579b6b
Gym and Fitness Trainer | com.gym.trainer.jeux | b3c408eafe73cad0bb989135169a8314aae656357501683678eff9be9bcc618f
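The article advises checking package names rather than display names, since several of the apps use generic titles. The following script is an added example (not ThreatFabric's tooling and not part of the original article) that turns the table above into a small indicator-of-compromise check: it parses the output of `adb shell pm list packages -f`, reports any installed package from the list, and can also compare the SHA-256 of a pulled APK against the published hashes, which catches a repackaged copy even if the package name was changed. The `pm list packages` output embedded below is constructed sample data, not a capture from a real device.

```python
import hashlib
import re

# Indicators taken from the article's table: (display name, package, SHA-256 of the APK).
IOCS = [
    ("Two Factor Authenticator", "com.flowdivison",
     "a3bd136f14cc38d6647020b2632bc35f21fc643c0d3741caaf92f48df0fc6997"),
    ("Protection Guard", "com.protectionguard.app",
     "d3dc4e22611ed20d700b6dd292ffddbc595c42453f18879f2ae4693a4d4d925a"),
    ("QR CreatorScanner", "com.ready.qrscanner.mix",
     "ed537f8686824595cb3ae45f0e659437b3ae96c0a04203482d80a3e51dd915ab"),
    ("Master Scanner Live", "com.multifuction.combine.qr",
     "7aa60296b771bdf6f2b52ad62ffd2176dc66cb38b4e6d2b658496a6754650ad4"),
    ("QR Scanner 2021", "com.qr.code.generate",
     "2db34aa26b1ca5b3619a0cf26d166ae9e85a98babf1bc41f784389ccc6f54afb"),
    ("QR Scanner", "com.qr.barqr.scangen",
     "d4e9a95719e4b4748dba1338fdc5e4c7622b029bbcd9aac8a1caec30b5508db4"),
    ("PDF Document Scanner - Scan to PDF", "com.xaviermuches.docscannerpro2",
     "2080061fe7f219fa0ed6e4c765a12a5bc2075d18482fa8cf27f7a090deca54c5"),
    ("PDF Document Scanner", "com.docscanverifier.mobile",
     "974eb933d687a9dd3539b97821a6a777a8e5b4d65e1f32092d5ae30991d4b544"),
    ("PDF Document Scanner Free", "com.doscanner.mobile",
     "16c3123574523a3f1fb24bbe6748e957afff21bef0e05cdb3b3e601a753b8f9d"),
    ("CryptoTracker", "cryptolistapp.app.com.cryptotracker",
     "1aafe8407e52dc4a27ea800577d0eae3d389cb61af54e0d69b89639115d5273c"),
    ("Gym and Fitness Trainer", "com.gym.trainer.jeux",
     "30ee6f4ea71958c2b8d3c98a73408979f8179159acccc01b6fd53ccb20579b6b"),
    ("Gym and Fitness Trainer", "com.gym.trainer.jeux",
     "b3c408eafe73cad0bb989135169a8314aae656357501683678eff9be9bcc618f"),
]

IOC_PACKAGES = {pkg for _, pkg, _ in IOCS}

# `pm list packages -f` prints one line per app: "package:<apk path>=<package name>".
# The path may itself contain "=" (base64 directory names), so the package name is
# anchored to the final "=" and the end of the line.
PM_LINE = re.compile(r"^package:(?P<path>.+)=(?P<pkg>[\w.]+)$")


def parse_pm_list(output: str) -> dict:
    """Map package name -> APK path from `adb shell pm list packages -f` output."""
    installed = {}
    for line in output.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            installed[m.group("pkg")] = m.group("path")
    return installed


def match_packages(installed: dict) -> list:
    """Return the installed package names that appear in the indicator list, sorted."""
    return sorted(pkg for pkg in installed if pkg in IOC_PACKAGES)


def sha256_of_file(path: str) -> str:
    """Hex SHA-256 of a file (e.g. an APK pulled with `adb pull`), read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def match_hash(digest: str) -> list:
    """Return (name, package) pairs whose published SHA-256 equals the given digest."""
    digest = digest.strip().lower()
    return [(name, pkg) for name, pkg, h in IOCS if h == digest]


# Constructed sample output, in the format `pm list packages -f` uses; two of the
# three packages are on the article's list.
SAMPLE_PM_OUTPUT = """\
package:/data/app/~~AbCd==/com.android.chrome-XyZ==/base.apk=com.android.chrome
package:/data/app/~~EfGh==/com.qr.barqr.scangen-UvW==/base.apk=com.qr.barqr.scangen
package:/data/app/~~IjKl==/com.docscanverifier.mobile-RsT==/base.apk=com.docscanverifier.mobile
"""

if __name__ == "__main__":
    installed = parse_pm_list(SAMPLE_PM_OUTPUT)
    for pkg in match_packages(installed):
        print(f"Listed package installed: {pkg} -> {installed[pkg]}")
```

On a real device, pipe `adb shell pm list packages -f` into `parse_pm_list`; for a hash check, `adb pull` the APK path reported for a suspicious package and pass the file to `sha256_of_file` before `match_hash`. A name match means the package should be uninstalled; a hash match identifies the exact sample from the report.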

Today the applications have already been removed from the Play Store.