News > Internet & Security Malicious Apps Discovered on Google Play Store Downloaded Over 300,000 Times The apps posed as QR and PDF scanners By Allison Murray Allison Murray Twitter Tech News Reporter Southern Illinois University Allison reports on all things tech. She's a news junky that keeps her eye on the latest trends. Allison is a writer working out of Chicago, IL, with her only coworker: her cat Norbert. lifewire's editorial guidelines Published on November 30, 2021 12:43PM EST Fact checked by Jerri Ledford Fact checked by Jerri Ledford Western Kentucky University Gulf Coast Community College Jerri L. Ledford has been writing, editing, and fact-checking tech stories since 1994. Her work has appeared in Computerworld, PC Magazine, Information Today, and many others. lifewire's fact checking process Tweet Share Email Internet & Security Mobile Phones Internet & Security Computers & Tablets Smart Life Home Theater & Entertainment Software & Apps Social Media Streaming Gaming View More Some apps downloaded from the Google Play Store over the last few months were discovered stealing Android users’ bank credentials. According to a new report from ThreatFabric, four different threat campaigns were spread over the last four months through apps in the Google Play Store. The apps in question—posing as QR scanners, PDF scanners, and cryptocurrency wallets—were reportedly downloaded over 300,000 times and may have gained access to user passwords and two-factor authentication codes. Getty Images/xijian The apps were reportedly able to side-step Google Play security systems by offering a regular, benign app at first but introduced malware to users who downloaded updates to the app. "What makes these Google Play distribution campaigns very difficult to detect from an automation (sandbox) and machine learning perspective is that dropper apps all have a very small malicious footprint," researchers from mobile security company ThreatFabric said in the report. "This small footprint is a (direct) consequence of the permission restrictions enforced by Google Play." ThreatFabric details four different malware families responsible: Hydra, Ermac, Alien, and the largest of the four, Anatsa. The report describes Anatsa as being able to "perform classic overlay attacks in order to steal credentials, accessibility logging (capturing everything shown on the user's screen), and keylogging." The apps in question include PDF Document Scanner Free, Free QR Code Scanner, QR CreatorScanner, and Gym and Fitness Trainer, among others. The first of these apps appeared on the Google Play store between early August 2021 and late October 2021. The Google Play Store seems to constantly run into malicious apps like these, and a report from 2020 confirmed that the app store is the main distributor of malicious apps. According to a report by the NortonLifelock Research Group and IMDEA Software Institute, 67 percent of malicious app installs originated from the Google Play Store. However, the study makes an important note that 87 percent of all app installs come from the Play Store itself, so its size and mass popularity probably contribute to it running into more problems than competitors like Apple’s App Store. Was this page helpful? Thanks for letting us know! Get the Latest Tech News Delivered Every Day Email Address Sign up There was an error. Please try again. You're in! Thanks for signing up. There was an error. Please try again. Thank you for signing up! Tell us why! Other Not enough details Hard to understand Submit