Android Banking Trojans Infect Over 300,000 Play Store Users

More apps have been infected by trojans. According to a new report, over 300,000 Play Store users have been infected with Android banking trojans. Those trojans found their way in a number of Android apps.

A bunch of apps have been infected by Android banking trojans

This information comes from ThreatFabric, a mobile security company. The malicious code was spotted inside regular, functioning apps, that masked themselves as QR code scanners, PDF scanners, fitness apps, and so on. The usual, we’d say.

They worked just fine for what they’re intended, but they contained a special module called “loader”. Loaders are tiny pieces of malware that are really well hidden inside apps. They’re able to connect to a remote server and download and run additional code.

Considering how tiny this module is, it can bypass security checks, which explains how it made it to the Play Store. Loaders have been around for a long time, actually, they’ve been around since the late 2000s.

Loaders found their way to the mobile market in 2017, after Google boosted the Play Store’s security scans. Loaders surfaced as an ideal way to bypass those scans.

Many of these apps get submitted without malicious code, pass through scanning, and then such code gets added via an update, or more of them. Pieces of a loader can be added via a number of updates.

Once the entire loader is there, the app will ask the user for extra permissions. That’s why you should always think before you grant permissions to an app. Think about what permissions that app really needs.

Four different banking trojans have been spotted

ThreatFabric reports that it has seen four different Android banking trojans that use updated delivery tactics. Those trojans include Anatsa, Ermac, Hydra, and Alien.

Once the loaders install any of these four trojans, they can steal credentials for social media, instant messaging, mobile banking, cryptocurrency, and more. Some of them can even bypass SMS-based two-factor authentication.

Now, the infected apps are shown in an image below, along with the package name for each of them. All of them have been removed from the Play Store, but if you have them installed on your phone, make sure to remove them.