Detected 4 banking trojans in 11 apps on Google Play Store

Cybersecurity firm ThreatFnai discovered four different banking trojans that were distributed through the Google Play Store itself between August and November 2021. These trojans are distributed through malicious applications that impersonate harmless applications and utilities.

The four trojans in question are Anatsa (aka TeaBot), Alien, ERMAC and Hydra. They are fine-tuned to evade nearly all detection and interception campaigns of the protection system. In just about 3 months, these 4 trojans have spread to over 300,000 devices.

Detected 4 banking trojans in 11 apps on Google Play Store Picture 1

Here is a list of apps that contain banking trojans:

1. Two Factor Authenticator (com.flowdivison)
2. Protection Guard (com.protectionguard.app)
3. QR CreatorScanner (com.ready.qrscanner.mix)
4. Master Scanner Live (com.multifuction.combine.qr)
5. QR Scanner 2021 (com.qr.code.generate)
6. QR Scanner (com.qr.barqr.scangen)
7. PDF Document (com.xaviermuches.docscannerpro2)
8. Scanner - Scan to PDF
9. PDF Document Scanner (com.docscanverifier.mobile)
10. PDF Document Scanner Free (com.doscanner.mobile)
11. CryptoTracker (cryptolistapp.app.com.cryptotracker)
12. Gym and Fitness Trainer (com.gym.trainer.jeux)

Earlier this month, Google introduced limits to restrict the use of accessibility permissions to allow malicious apps to collect sensitive data from Android devices. However, the malware developers have tweaked their tactics to be able to attack even when forced to install according to the traditions, through the official app stores.

One of the most sophisticated tactics is called versioning. Initially, a clean version with standard functionality of the application will be uploaded to the app store. Then, the malicious code will be introduced gradually through updates.

If you find these applications on your phone, you should remove them immediately to avoid future damage.

Isabella Humphrey

Update 30 November 2021