How hackers forced an Android app to steal passwords that got 300,000 downloads

Cybersecurity firm ThreatFabric is looking back on a massive campaign of malicious apps, including malware that steals passwords and other personal data.

A report from cybersecurity firm ThreatFabric revealed that more than 300,000 Android users have installed malicious apps to steal their banking information. While the malicious apps have been removed and disabled by Google, the developers have used unique methods to deploy malware to users that everyone should be aware of.

The hackers used several types of malware.

The ThreatFabric report only mentions a small number of such malicious apps, but the list includes QR code scanners, PDF scanners, exercise tracking apps, and cryptography apps. Unlike other malicious applications that falsely advertise their functionality, most of the applications we are interested in today work perfectly as stated. In fact, everything was happening in the background, the applications were stealing passwords and a lot of other important personal data.

The researchers classified apps into four main “families”according to the malware they use:

• Anatsa: The largest of the four families, with over 200,000 total downloads, used the Anatsa banking Trojan. This uses screenshots of Android accessibility features to steal usernames, passwords, and other personal data.
• Alien: The second most downloaded app family was Alien, with over 95,000 devices installed. Alien intercepts two-factor authentication codes, which are then used by hackers to enter the user’s bank account.
• Hydra and Ermak: The last two families are the Hydra and Ermak families, who are connected to the Brunnhilde cybercriminal group. The group used malware to remotely access a user’s device and obtain their banking information. The ThreatFabric report states that Hydra and Ermac have over 15,000 downloads.

How These Malware Families Could Get Through Google’s Security Measures

ThreatFabric reported these apps to Google, who promptly removed them from their Play Store and disabled them on the devices they were installed on. But the real problem remains how the hackers managed to hide the malware in the apps.

Usually, the Play Store intercepts and removes apps that contain malicious code. However, in the cases we are interested in today, the malware was not included in the initial downloads, but was added through an update that users had to install in order to continue using the applications. With this method, developers can submit their apps without triggering Google’s discovery systems. And since these applications worked flawlessly, as claimed, users could hardly suspect anything. However, there were several signs of updates,

How to protect your Android device from malware

There are a number of things you can do if you want to keep your device safe and avoid installing such malware on it. First of all, pay close attention to what permissions the app asks for – not only the first time you install it, but every time you launch or update it. Uninstall the app and report it if it asks for anything suspicious or unnecessary. For example, there is no reason why a QR code scanning app should access your accessibility services.

Similarly, only install updates from the Google Play Store directly. If an app says it needs a flash update but it’s not available in the Play Store, the update may be illegal. The same goes for requests to download anything outside of the Play Store. It is only safe to download and install an app this way when you yourself download the APK file from a trusted source such as APK Mirror or the XDA Dev forum. And don’t forget to check the app before downloading it, even if it’s on Google Play, as hackers can undermine the app’s legitimacy with fake comments.

While these various habits may not completely protect you from potential malware, if combined with other cybersecurity practices such as one-time passwords, a secure encrypted password manager, two-factor authentication, and apps. Safe anti-malware and anti-virus, you will be well protected from hackers and their malicious applications.