Malicious Apps Discovered on Google Play Store Downloaded Over 300,000 Times

The apps posed as QR and PDF scanners

Some apps downloaded from the Google Play Store over the last few months were discovered stealing Android users’ bank credentials. 

According to a new report from ThreatFabric, four different threat campaigns were spread over the last four months through apps in the Google Play Store. The apps in question—posing as QR scanners, PDF scanners, and cryptocurrency wallets—were reportedly downloaded over 300,000 times and may have gained access to user passwords and two-factor authentication codes. 

The apps were reportedly able to side-step Google Play security systems by offering a regular, benign app at first and then introducing malware to users who downloaded updates to the app.

"What makes these Google Play distribution campaigns very difficult to detect from an automation (sandbox) and machine learning perspective is that dropper apps all have a very small malicious footprint," researchers from mobile security company ThreatFabric said in the report. "This small footprint is a (direct) consequence of the permission restrictions enforced by Google Play."

ThreatFabric details four different malware families responsible: Hydra, Ermac, Alien, and the largest of the four, Anatsa. The report describes Anatsa as being able to "perform classic overlay attacks in order to steal credentials, accessibility logging (capturing everything shown on the user's screen), and keylogging."

The apps in question include PDF Document Scanner Free, Free QR Code Scanner, QR CreatorScanner, and Gym and Fitness Trainer, among others. The first of these apps appeared on the Google Play store between early August 2021 and late October 2021. 

The Google Play Store seems to constantly run into malicious apps like these, and a report from 2020 confirmed that the app store is the main distributor of malicious apps. According to a report by the NortonLifeLock Research Group and IMDEA Software Institute, 67 percent of malicious app installs originated from the Google Play Store.

However, the study makes an important note that 87 percent of all app installs come from the Play Store itself, so its size and mass popularity probably contribute to it running into more problems than competitors like Apple’s App Store. 