Google Passes Applications Containing Malware On Play Store, 300,000 Users Become Victims!

The malicious malware has successfully passed detection by the Google Play app store. (photo: Azamat E/Unsplash)

JAKARTA - Google again makes a commotion for Android users. The reason is, more than 300,000 users have downloaded an application that turns out to contain a banking trojan in it.

Cybersecurity researchers at ThreatFabric managed to find four different pieces of malware, delivered to victims via malicious versions of commonly downloaded apps, including document scanners, QR code readers, fitness monitors, and cryptocurrency apps.

These apps often come with advertised functions to evade user suspicion, and oddly enough they all manage to pass detection by the Google Play app store.

One of the four malware families is Anatsa, which has been installed by more than 200,000 Android users. Researchers describe it as a sophisticated banking trojan that can steal usernames, passwords and use accessibility logging to capture everything that is displayed on a user's screen. While the keylogger allows the attacker to record all the information entered into the phone

Citing ZDNet, the Anatsa malware is active since January. The researchers were able to identify six different malicious apps designed to deliver malware. One of these applications is a QR code scanner, which has been installed by 50,000 users, and the download page displays a large number of positive reviews, of course, this can encourage people to download the application.

Users are redirected to the app via phishing emails or malicious advertising campaigns. After downloading, the user is forced to update the application, it is from this update that connects to the command, control server and downloads the Anatsa payload to the device, giving attackers a platform to steal banking details and other information.

Anatsa Is Not The Only Malware

The second most dangerous malware detailed by the researchers is Alien, an Android banking trojan that can also steal two-factor authentication capabilities and which has been active for over a year. This malware has received 95,000 downloads via malicious apps on the Play Store.

One of them is a gym and fitness training app that comes with a support website, designed to make users believe. This website also serves as a command and control center for Alien malware.

Like Anatsa, the initial download does not contain malware, but users are prompted to install fake updates to disguise themselves as new fitness packages that distribute malware payloads.

Two other forms of malware that have used similar methods in recent months are Hydra and Ermac, which have a combined total of at least 15,000 downloads.

Both malware are claimed to belong to Brunhilda, a cybercriminal group known to target Android devices with banking malware. Both Hydra and Ermac give attackers access to the tools needed to steal banking information.

ThreatFabric has reported all malicious apps to Google and they have been removed or are under review. Cybercriminals will continue to try to find ways to bypass the protection of sending malware via mobile phones, which is becoming increasingly attractive to cybercriminals.