Warning: Over 300,000 Android users have downloaded banking trojan malware apps

The password-stealing trojans were disguised as QR code readers, fitness monitors, cryptocurrency apps and more.

Android malware app

Cybersecurity researchers at ThreatFabric have identified a few Android trojans that steal passwords by pretending to be QR code readers, fitness monitors, cryptocurrency apps and more.

The damage is apparently pretty as more than 300,000 Android users have downloaded what turned out to be banking trojans after falling victim to malware that has bypassed detection by the Google Play app store.

According to cybersecurity researchers at ThreatFabric, the four different forms of malware are delivered to victims via malicious versions of commonly downloaded apps — which often come with the functions that are advertised in order to avoid users getting suspicious.

In each case, the malicious intent of the app is hidden and the process of delivering the malware only begins once the app has been installed, enabling them to bypass Play Store detections.


The most damaging of all the apps is Anatsa, which has been installed by more than 200,000 users, and which can steal usernames and passwords. To make that possible, the malware uses accessibility logging to capture everything shown on the user’s screen, while a keylogger allows attackers to record all information entered into the phone.

Anasta has been active since January, but has received a substantial push in June. In total, researchers were able to identify six different malicious apps designed to deliver the malware, including those posing as QR code scanners, PDF scanners and cryptocurrency apps.

The QR code scanner app alone has been installed by 50,000 users. What’s interesting is that the download page for this app featured many positive reviews, something that can encourage people to download the app.

The trick is in the app update which is shown to the users after the initial download. It is here where the malicious part of the app kicks in, providing attackers with the means to steal banking details and other information.


Alien is the second most prolific of the malware families detailed by ThreatFabric. It’s an Android banking trojan that can also steal two-factor authentication capabilities. It’s been active for over a year, during which it received 95,000 installations.

One of the ways Alien gets on the user’s device is through a legitimate-looking gym and fitness training app. It even has its own website, though the close inspection of it reveals placeholder text instead of the actual content.

Like that’s the case with Anasta, the initial download of the app doesn’t contain malware which is delivered through a fake update. This time round, that update comes disguised as a package of new fitness regimes.

Hydra and Ermac

These two forms of malware have a combined total of at least 15,000 downloads, and both are designed to provide attackers with access to the device required to steal banking information.

According to ThreatFabric, Hydra and Ermac are linked to Brunhilda, a cyber-criminal group known to target Android devices with banking malware.

On the record

“The Android banking malware echo-system is evolving rapidly. These numbers that we are observing now are the result of a slow but inevitable shift of focus from criminals towards the mobile landscape. With this in mind, the Google Play Store is the most attractive platform to use to serve malware,” Dario Durando, mobile malware specialist at ThreatFabric, told ZDNet.

“A good rule of thumb is to always check updates and always be very careful before granting accessibility services privileges — which will be requested by the malicious payload, after the “update” installation — and be wary of applications that ask to install additional software,” said Durando.

Staying safe

ThreatFabric has reported all of the malicious apps to Google and a Google spokesperson confirmed to ZDNet that the apps named in the report have been removed from the Play Store.

Nevertheless, this won’t stop cybercriminals and has just slowed them down. So before downloading any app, think it through – do you really need it and does it come from a reputable source. Common sense is your ultimate weapon against this kind of malware.