Did You Accidentally Download A Banking Trojan From Google’s Play Store?

Android users may have made themselves vulnerable to the malware between August and November of 2021.

Over 300,000 devices were affected due to four distinct trojans having spread via dropper apps. Cybercriminals are improving their tactics in order to bypass Google’s app security checks, and it’s working. Machine learning and automation have difficulty in detecting these issues due to hackers reducing the loader’s malicious footprint. Some ways in which criminals can bypass the system are by implementing smaller, malevolent code updates over an increased period of time. Threat actors also create similar looking command-and-control (C2C) websites that mimic the original dropper app so they’re harder to detect.

According to an analysis published by researchers from ThreatFabric, automated detection by an organization is difficult due to criminals manually activating the banking trojan installation. The four trojans distributed consist of Anatsa, Alien, ERMAC and Hydra.

The following is a list of dropper apps used to distribute the banking trojans:

• Two Factor Authenticator (com.flowdivison)
• Protection Guard (com.protectionguard.app)
• QR CreatorScanner (com.ready.qrscanner.mix)
• Master Scanner Live (com.multifuction.combine.qr)
• QR Scanner 2021 (com.qr.code.generate)
• QR Scanner (com.qr.barqr.scangen)
• PDF Document (com.xaviermuches.docscannerpro2)
• Scanner – Scan to PDF
• PDF Document Scanner (com.docscanverifier.mobile)
• PDF Document Scanner Free (com.doscanner.mobile)
• CryptoTracker (cryptolistapp.app.com.cryptotracker)
• Gym and Fitness Trainer (com.gym.trainer.jeux)

According to the experts at ThreatFabric, the Brunhilda threat actor dropped multiple samples of malware on user’s devices. They were also observed posing as a QR code creation app.

Make sure to fortify your cybersecurity practices and stay up-to-date on the current threat landscape in order to keep your data safe.