Android QR, PDF scanners Apps that may steal user banking credentials

Mobile security company ThreatFabric discovered apps on Google's Play Store for Android that managed to deceive people into downloading them more than 300,000 times. These apps posed as QR or PDF scanners, some even disguised themselves as cryptocurrency wallets but in actuality, their true identity was that of a banking trojan.

These apps when downloaded stole user credential information like banking passwords or two-factor authentication codes. They even logged keystrokes and took screenshots of the victim's device.

Google has imposed several restrictions to apps on the Play Store, designed to curtail the spread of such apps. These include steps such as prevention of automatic installation of apps without a user's consent.

Threat actors have managed to find ways to sidestep Google's measures, including a method to manually activate the installation of trojan's on a victim's device, making it harder for auto detection algorithms.

Commonly known as dropper apps (disguised malware), they have figured out new ways to disguise themselves to avoid Google's detection, going so far as to have fully working backends for services they are pretending to be. For example - A malware fitness app with a fitness services backend to hide itself better.

"What makes these Google Play distribution campaigns very difficult to detect from an automation (sandbox) and machine learning perspective is that dropper apps all have a very small malicious footprint," the team at ThreatFabric writes in a blog post.

In some cases, the team found that the malicious code drops were delivered through carefully planned updates via the Google Play Store to throw off auto-detection.