Malware campaigns delivering Android trojans that steal online banking credentials affected over 300,000 devices via malicious mobile apps distributed through Google’s Play Store. 

When users join online banking or cryptocurrency apps, the Android banking trojans supplied to infected smartphones attempt to steal their credentials. Credential theft is typically accomplished by displaying bogus bank login form overlays on top of actual app login screens. 

The stolen credentials are then returned to the attacker’s computers, where they are gathered and sold to other threat actors or used to steal bitcoin and money from victims’ accounts. 

IT consultants describe how they found four separate malware dropper operations delivering banking trojans on the Google Play Store in a new report. 

While threat actors penetrating the Google Play Store with Android banking trojans is not new, recent modifications to Google’s policy and increasing enforcement have caused threat actors to modify their approaches in order to avoid detection. 

This progression involves the development of tiny realistic-looking applications that focus on popular topics like fitness, bitcoin, QR codes, and PDF scanning to entice users to install the app. The threat actors then develop websites that reflect the subject of the app to assist pass Google reviews, adding extra validity to the apps. 

Furthermore, IT consultants have observed that some programs are selectively deployed in certain locations or at later times in order to avoid detection by Google and antivirus providers. 

“Google’s crackdown has forced perpetrators to investigate methods to significantly reduce the trace of dropper programs.”Google Play distribution tactics are also more polished than prior campaigns, in addition to enhanced malware coding efforts “IT, consultants describe in their latest analysis. 

“For example, by providing carefully planned minor harmful code upgrades on the Play Store over a lengthy period of time, and also displaying a dropper C2 backend to appropriately match.” should adequately fit the dropper application’s scenario (for example, a functional Fitness website for an exercise-centered app).” 

However, once installed, these “dropper” programs would discreetly interact with the threat actor’s server to receive orders. When the threat actor’s server is ready to disseminate the banking trojan, it will instruct the installed app to conduct a bogus “update” that “drops” and activates the malware on the Android device. 

During the four months of malicious activity, IT consultants discovered that the droppers were installed 300,000 times, with certain droppers deployed more than 50,000 times. 

With about 537 online sites and mobile applications targeted for credential theft. Google has subsequently deleted all of these harmful applications from the Play Store, and you should uninstall them from your Android smartphone as soon as possible if you have any of them installed. 

If you have installed any of those harmful applications, you should uninstall them immediately from your Android smartphone. 

Furthermore, because Android malware makers’ strategies are improving, users must pay closer attention to the permissions sought by applications and prevent the install if they appear unduly wide.