Android banking malware has already reached over 300,000 people

A large-scale banking malware campaign has already reached over 300,000 Android OS users through apps available on the Google Play Store. The malware arrives disguised as ordinary applications and focuses on stealing financial credentials, using tactics that help conceal the fraud.


According to the alert issued by ThreatFabric, four malware families are involved, one of which alone has already accumulated more than 200,000 downloads. Dubbed Anatsa, the malware uses Android's accessibility services to stealthily record keystrokes and take screenshots; this method also avoids the permission requests that are often flagged by security platforms and by more attentive users.

A QR code reader alone accounted for more than 50,000 installations of the malware. Anatsa is also the family with the highest number of infections, with 200,000 recorded downloads across six malicious apps, which also include document scanners and cryptocurrency price-tracking apps. According to the researchers, the malware was initially discovered in January of this year, but its activity gained momentum in June.



Some of the malicious apps used to deliver malware through the Google Play Store; accessibility features were used to evade detection (Image: Disclosure/ThreatFabric)

Alien, the second-largest family taking part in the campaign, also appears to be the most sophisticated, being able to steal not only banking credentials but also two-factor authentication codes. It accounted for more than 95,000 installations, with an exercise-tracking app being the most popular and sophisticated, complete with a website that lends it an appearance of legitimacy and also serves as the malware's command-and-control server.

The Hydra and Ermac strains complete the campaign's family tree, together accumulating more than 15,000 downloads. In this case, ThreatFabric links the development of the threat to a cybercriminal gang known as Brunhilda, which has also been attacking Android OS users since late last year.

Escaping detection

All the malware families work similarly, using the platform's accessibility services to capture screenshots, typed content and other information. This also lets them evade security software and even the users' own suspicion, since they do not need to request advanced permissions that often go beyond the capabilities the apps promise.

Once installed, the malware starts communicating with control servers, sending device information, including the Android version and the user's geolocation, which also allows specific regions to be targeted. The malicious component itself arrives in the form of an update to the apps, with the promise of new features or content.
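Since every family described here depends on being granted accessibility access, one practical check a defender or support desk can run is to list the accessibility services enabled on a device and flag any package that is not a known screen reader or management agent. The script below is an added example, not code from ThreatFabric or Canaltech; it reads the real Android setting `enabled_accessibility_services` over adb, and the allowlist and the sample service names in the test are assumptions.

```shell
#!/bin/sh
# Added example: flag enabled Android accessibility services whose package
# is not on an allowlist. The setting "enabled_accessibility_services" holds
# colon-separated "package/ServiceClass" components (or "null" if none).

# Assumed allowlist of packages that legitimately hold accessibility access
# (the stock TalkBack screen reader here; extend with MDM agents as needed).
ALLOWED="com.google.android.marvin.talkback com.android.talkback"

# flag_unexpected_a11y RAW_SETTING
#   Prints every enabled service whose package is not allowlisted.
#   Returns 0 when nothing unexpected is enabled, 1 otherwise.
flag_unexpected_a11y() {
    raw=$1
    found=0
    [ "$raw" = "null" ] && raw=""
    # Split the colon-separated component list into positional parameters.
    oldifs=$IFS
    IFS=:
    set -- $raw
    IFS=$oldifs
    for comp in "$@"; do
        [ -z "$comp" ] && continue
        pkg=${comp%%/*}          # "pkg/Service" -> "pkg"
        ok=0
        for a in $ALLOWED; do
            [ "$a" = "$pkg" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            echo "UNEXPECTED accessibility service enabled: $comp"
            found=1
        fi
    done
    return $found
}

# check_device: read the live value from a USB-debugging-enabled device.
# Requires adb on the PATH; strips the CR that adb shell may append.
check_device() {
    flag_unexpected_a11y "$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')"
}
```

Run `check_device` with a device attached; a non-zero exit means at least one unexpected service has accessibility access and deserves a closer look.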

Brazil is not on the list of countries most affected by the campaign, but organizations operating in Brazil are among those targeted by the malicious applications (Image: Disclosure/ThreatFabric)

The collected data is sent back to the criminals' infrastructure, giving them access to the victims' financial data. According to the alert, the first versions of the apps available on the Play Store did not contain the malicious functionality, and all of them actually deliver the promised features, which helped build credibility before the scams were launched.

The following applications were used by criminals to deliver malware. All have already been taken down by Google:

  • QR Scanner 2022;
  • QR CreatorScanner;
  • Master Scanner Live;
  • GymDrop;
  • Gym and Fitness Trainer;
  • PDF Document Scanner;
  • CryptoTracker;
  • Protection Guard;
  • PDF AI: Text Recognizer;
  • Flow Division.

According to the experts, the attackers' main targets are countries in Europe, the United States and Australia; the scams involving Hydra and Ermac also hit users in Asia and Latin America. Brazil does not appear on the list released by ThreatFabric, but the list of institutions and services targeted by the scammers includes organizations operating in Brazil, such as Santander, Mercado Livre, Grupo Cajamar and Itaú, as well as services such as Gmail, Yahoo, Netflix and AliExpress.

Read the article on Canaltech.

