
Android Malware Apps Get Extra Crafty and Net Over 300,000 Installs

The dropper apps disguised themselves as PDF and QR code scanners, as well as fitness apps.

Mark Knapp, Contributing Writer


Trojan dropper apps have flown under the radar on Google Play in recent months, netting over 300,000 downloads and stealthily installing malware that scoops up people's banking details.

As mobile security firm ThreatFabric reveals, "in the span of only four months, four large Android families [Anatsa, Alien, Hydra, and Ermac] were spread via Google Play, resulting in 300,000+ infections via multiple dropper apps."

The dropper apps disguised themselves as simple utilities, such as PDF and QR code scanners, as well as fitness apps. The Android apps looked legitimate, with many installations and positive reviews, and worked as promised, giving users little reason to suspect something was amiss.

Part of the trick here is that the apps don’t appear to have any malicious code at first. But, as ThreatFabric found, the apps “modified their behavior in later versions, adding the dropping functionality, and a wider set of permissions required.” At this point, users may trust the app and believe the update is necessary to continue using it. In the case of one fitness app, the app disguises the malicious download as a package of extra workouts the user could install.

[Image: Fitness app requests permissions to stealthily download malware. Caption: The lure in action]
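The widening permission set that ThreatFabric describes can be checked by comparing the manifests of two releases of the same app. The sketch below is an added example, not code from ThreatFabric or PCMag; it assumes the manifests have already been decoded to text XML, and the watch-list, package name, and sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PERMISSION_TAGS = ("uses-permission", "uses-permission-sdk-23")

# Assumed watch-list, not taken from the article: permissions that let an app
# install other packages or read and write shared storage.
WATCHLIST = {
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

def declared_permissions(manifest_xml):
    """Return the set of permission names a decoded manifest requests."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in PERMISSION_TAGS:
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name")
            if name:
                names.add(name)
    return names

def permission_drift(old_manifest, new_manifest):
    """Compare two releases and flag newly added watch-list permissions."""
    old = declared_permissions(old_manifest)
    new = declared_permissions(new_manifest)
    added = new - old
    return {"added": sorted(added), "removed": sorted(old - new),
            "flagged": sorted(added & WATCHLIST)}

# Constructed sample manifests for a hypothetical app, two releases apart.
V1 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fitness" android:versionCode="1">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
V2 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fitness" android:versionCode="2">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
</manifest>"""

if __name__ == "__main__":
    report = permission_drift(V1, V2)
    for name in report["added"]:
        print("REVIEW" if name in report["flagged"] else "ok    ", name)
```

A flagged permission is a prompt for review rather than proof of malice, since legitimate updates also add permissions.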

The apps further avoid detection by being selective about which devices and regions they’ll attack and when. This can ensure the dropper app doesn’t attempt to install the malware while the app is undergoing its initial evaluation process for Google Play, and it can avoid installation in testing environments and emulators where it might be detected. 

Once on the device, the malware can skim bank details through keystroke logging, take screenshots, and request access to Accessibility Service so the malware “has full control over the device and can perform actions on the victim’s behalf,” ThreatFabric explains.

Though these sophisticated tactics make it harder to identify suspicious apps, it's still a good rule of thumb to avoid apps from unknown brands and be aware of the permissions you grant these apps. Even just file storage access can be enough to do some damage.

In response, Google is pointing to an April blog post that outlines the steps it's taken to secure its app store, including a continued reduction in developer access to sensitive permissions, Ars Technica reports. The apps in question have been removed or are being reviewed, ZDNet says.
