
Money-stealing apps hit 300,000 Android phones — what to do


More than 300,000 Android users have installed rogue apps from the Google Play store that eventually develop into money-stealing banking Trojans through a series of incremental updates.

But not everyone who installs these apps will be infected, explained researchers at ThreatFabric in a report posted yesterday (Nov. 29). Instead, the criminals controlling these apps are often selective about their targets, restricting malware installation to users who live in certain countries or are running desired banking apps.

"[Threat] actors are focusing on loaders with a reduced malicious footprint in Google Play, considerably increasing the difficulties in detecting them with automation and machine learning techniques," explained ThreatFabric.

All these malicious apps have been booted out of the Google Play store, but at least some are probably still available in "off-road" app stores. You'll want to make sure that you remove them if you have any of these apps installed.

The apps are mostly QR-code or PDF scanners, and they work as promised. They were cleared by Google Play as safe because the malware isn't added until the apps have been running on the devices for a while.

The malware tries to steal login credentials for banking, cryptocurrency and payment apps, plus some email and general-purpose apps. Targeted countries include Australia, the U.K. and the U.S., plus many countries in Europe and Southeast Asia.

Targeted financial apps include those from Bank of America, Barclays, Binance, Capital One, Cash App, Chase, Citibank, Citizens Bank, Coinbase, Credit Suisse, HSBC, Lloyds, NatWest, PNC Bank, Royal Bank of Scotland, TD Bank, Wells Fargo and Zelle, plus dozens of others. Other targeted apps include Gmail, Google Play, Microsoft Outlook, Netflix and Yahoo Mail.

The full list of these malicious apps is here, with their screen names followed by their Android package names:

  • CryptoTracker — cryptolistapp.app.com.cryptotracker
  • Gym and Fitness Trainer — com.gym.trainer.jeux
  • Master Scanner Live — com.multifuction.combine.qr
  • PDF Document Scanner — com.docscanverifier.mobile
  • PDF Document Scanner Free — com.doscanner.mobile
  • PDF Certificate Scanner - Scan to PDF — com.xaviermuches.docscannerpro2
  • Protection Guard — com.protectionguard.app
  • QR CreatorScanner — com.set up.qrscanner.mix
  • QR Scanner — com.qr.barqr.scangen
  • QR Scanner 2021 — com.qr.code.generate
  • Two Factor Authenticator — com.flowdivison

If you have any apps by these names installed, use the Android package name and a desktop web browser to check whether the app is still available in Google Play. (Many apps share names, but Android package names are unique.)

You can do this by first entering the generic Google Play app page web address, "https://play.google.com/store/apps/details?id=", into the browser's address field, but don't press Enter or Return just yet.

Then copy one of the Android package names above, for example "com.qr.barqr.scangen", and paste it after the equal sign at the end of the web address above. Hit Enter or Return.

If you get a page saying, "We're sorry, the requested URL was not found on this server," as you would for "https://play.google.com/store/apps/details?id=com.fix.qrscanner.mix", then you'll know the app has been removed from Google Play and you can and should delete it.
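The name matching can also be done in bulk against the package list of a phone connected over adb. The Python below is an added example, not code from the original article or from ThreatFabric; the function names and the sample `adb shell pm list packages` output are constructed for illustration. It takes the package names exactly as printed in the list above, reports any entry that is not a syntactically valid Android package name instead of matching on it, and returns the Play Store address to check for each exact match.

```python
import re

# Package names exactly as printed in the article's list above.
LISTED = """cryptolistapp.app.com.cryptotracker
com.gym.trainer.jeux
com.multifuction.combine.qr
com.docscanverifier.mobile
com.doscanner.mobile
com.xaviermuches.docscannerpro2
com.protectionguard.app
com.set up.qrscanner.mix
com.qr.barqr.scangen
com.qr.code.generate
com.flowdivison"""

PLAY_URL = "https://play.google.com/store/apps/details?id="
# Android package names: dot-separated segments, each starting with a letter.
VALID = re.compile(r"[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+")

def load_listed(text=LISTED):
    """Split the list into usable names and malformed entries to re-check."""
    names = [line.strip() for line in text.splitlines() if line.strip()]
    good = {n for n in names if VALID.fullmatch(n)}
    bad = [n for n in names if not VALID.fullmatch(n)]
    return good, bad

def parse_pm_list(output):
    """Parse `adb shell pm list packages` output, with or without -f."""
    installed = set()
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            # With -f the line is package:<apk path>=<name>; keep the name.
            installed.add(line[len("package:"):].rsplit("=", 1)[-1])
    return installed

def find_listed_apps(pm_output):
    """Return (package, Play URL to check) for each exact match, sorted."""
    good, _ = load_listed()
    return [(p, PLAY_URL + p) for p in sorted(good & parse_pm_list(pm_output))]

# Constructed sample output, not taken from a real device.
SAMPLE_PM_OUTPUT = (
    "package:com.android.chrome\r\n"
    "package:com.qr.barqr.scangen\r\n"
    "package:/data/app/~~Qx1==/com.flowdivison-Zk2==/base.apk=com.flowdivison\r\n"
    "package:com.qr.code.generator\r\n"
)

if __name__ == "__main__":
    for pkg, url in find_listed_apps(SAMPLE_PM_OUTPUT):
        print(f"LISTED APP INSTALLED: {pkg}  (check {url})")
    print("List entries that could not be used:", load_listed()[1])
```

Matching is exact, so a similar-looking name such as `com.qr.code.generator` in the sample is not flagged, and any list entry reported as unusable has to be checked by hand on the device.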

If you do find that one of these specific apps was installed on your phone, you'll want to check your bank balances and change your account passwords for any banking apps you have installed, as well as Gmail, Yahoo Mail, Microsoft Outlook or Netflix.

You should also install and run one of the best Android antivirus apps, although to be fair, these rogue apps have done a pretty good job of evading antivirus programs because they seem perfectly benign at first.

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

Source: https://www.tomsguide.com/news/stealth-banking-trojans-300000-phones

Posted by: thorsontwouldes.blogspot.com
