The Android operating system is used on more than 85 percent of smartphones throughout the world. This makes the operating system a prime target for hackers and cybercriminals. Unlike Apple’s iOS, Android OS is an open source operating system that lets users install third-party apps, though Google actively cautions and discourages users from doing so.
Even though Google strongly advises users to download apps only from the Google Play Store, some malware apps nevertheless find their way into it.
According to security analysts, two Android banking Trojans have been discovered in the Google Play Store.
The first malicious app was downloaded over 50,000 times before being removed from Google Play last week, while the second app, QR Code & Barcode – Scanner, is still on Google Play at the time of this writing and is aimed at American users.
According to a study released last week by security company ThreatFabric, the first app, named Fast Cleaner, attempts to “speed up the device by deleting unnecessary trash and removing battery optimization bottlenecks.”
Fast Cleaner does what it says it will, but it also includes a dropper, which is malware that is meant to install additional applications on a phone without the user’s knowledge. Fast Cleaner’s main payload, according to ThreatFabric’s study, was a new kind of banking Trojan dubbed “Xenomorph” after the Alien movie series’ ravenous protagonist.
Xenomorph uses screen overlays to deceive users into filling in usernames and passwords, gathers data from infected devices, and reads users’ text messages. It can use these abilities to steal login information for bank and webmail accounts. It can also collect and remove two-factor authentication temporary PINs, as well as other alerts sent to your phone.
When ThreatFabric examined Xenomorph’s code, it discovered that it could create convincing fake interfaces that looked like over 60 distinct bank apps from Belgium, Italy, Portugal, and Spain. It could also impersonate (and steal from) the Gmail, Google Play, Hotmail, Mail.com, Microsoft Outlook, PayPal, and Yahoo Mail applications.
Unwelcome reappearance – TeaBot Banking Malware
According to Italian security firm Cleafy, the other Android banking Trojan, TeaBot, is better known and made a comeback to Google Play last month after being booted out earlier.
TeaBot can collect not just bank account, webmail, and social media login credentials, but also two-factor authentication tokens that prevent bad guys from getting in with stolen passwords.
Despite Cleafy’s warning, the malware is still available on Google Play as an app named “QR Code & Barcode – Scanner,” although there are numerous other apps with similar names and features. It’s been downloaded over 10,000 times and comes with a number of user ratings, with half of them giving the app five stars.
QR Code & Barcode – Scanner, like Fast Cleaner, is a dropper that avoids Google Play’s screening processes by not doing anything bad after installation – at least for a time.
However, according to Cleafy, it eventually asks for permission to install an “add-on” that requires the user to enable downloading software from an unknown source – in this case, the TeaBot banking malware.
That’s a bad decision! The bad guys get you by tricking you into permitting unknown sources. Furthermore, once installed, the malicious “add-on” exploits Android’s accessibility settings (designed for blind or deaf users) to take control of the phone’s screen, interact with other applications, and intercept text messages.
TeaBot, like Xenomorph, may collect not just login credentials for bank accounts, webmail, social media, and other sensitive accounts, but also two-factor authentication tokens that are texted or generated to prevent bad guys from getting in with stolen passwords.
When TeaBot initially debuted in mid-2021, it targeted banks in Spain, Germany, and Italy, according to Cleafy, but the malware has since spread its wings and is now focusing on the United States.
How to recognize, avoid, and uninstall malicious Android apps
Naturally, you should avoid downloading any of these dangerous programs from Google Play or an “off-the-beaten-path” Android app store. If they’re already installed on your devices, you’ll want to uninstall them.
Although Android applications often have similar or identical names, they cannot share their unique package name, which is how Android and Google Play distinguish them.
“com.scanner.buratoscanner” is the package name for QR Code & Barcode – Scanner. “com.census.turkey,” “com.laundry.vessel,” “com.tip.equip,” and “com.spike.old” are the four package names used by Fast Cleaner.
The package name appears in the URL of each app’s listing page in the Google Play store, such as “https://play.google.com/store/apps/details?id=com.scanner.buratoscanner”.
Many other Android app marketplaces follow similar patterns, so stay away from apps that include any of those five package names in their URLs.
It takes a bit of work to figure out the package name of Android apps that are already installed on your phone. On your phone, open the Play Store app, tap your avatar in the top right corner, hit “Manage applications & device,” and then tap “Manage.”
A list of all installed programs will appear. Press any of them to open the Google Play page for that app, then tap the three vertical dots in the top right and select “Share.”
A menu will glide up from the bottom of the screen, showing a partially visible URL beginning “https://play.google.com/store/apps/”. To copy the URL to the Clipboard, tap the symbol that looks like two nested squares to the right of the URL.
Now copy and paste the URL into any text file, such as a note, a Word or Google doc, or an email message. The whole URL of the app’s Google Play Store page should be visible, and the app’s package name should be at the end of the URL.
You should remove any software that shares the same package name as one of the five dangerous apps described above. That’s something you can accomplish directly from the Google Play app.
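The package-name check described above can be automated. The following is an added example, not part of the original article: it pulls the package name out of a copied Play Store URL and compares names against the five listed above, and it also accepts the output of `adb shell pm list packages` (assumption: the phone is connected to a computer with USB debugging enabled). The sample input is constructed.

```python
from urllib.parse import urlparse, parse_qs

# The five package names listed in the article.
FLAGGED = {
    "com.scanner.buratoscanner": "QR Code & Barcode – Scanner",
    "com.census.turkey": "Fast Cleaner",
    "com.laundry.vessel": "Fast Cleaner",
    "com.tip.equip": "Fast Cleaner",
    "com.spike.old": "Fast Cleaner",
}

def package_from_store_url(url):
    """Return the package name from a Play Store listing URL, or None."""
    # Copied URLs often drag along a trailing period, comma or quote mark.
    parsed = urlparse(url.strip().rstrip('.,"”'))
    if parsed.hostname != "play.google.com":
        return None
    if not parsed.path.startswith("/store/apps/details"):
        return None
    ids = parse_qs(parsed.query).get("id")
    return ids[0] if ids else None

def packages_from_pm_output(text):
    """Parse `pm list packages` (with or without -f) into a set of names."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        entry = line[len("package:"):]
        # With -f an entry is "<apk path>=<name>" and the path may contain "=".
        names.add(entry.rsplit("=", 1)[-1])
    return names

def find_flagged(names):
    """Exact match only: a name that merely starts with a flagged one is not a hit."""
    return {n: FLAGGED[n] for n in names if n in FLAGGED}

# Constructed sample of `adb shell pm list packages -f` output.
SAMPLE_PM_OUTPUT = """\
package:/data/app/~~Qx1a==/com.tip.equip-Zk3b==/base.apk=com.tip.equip
package:/system/app/Calc/Calc.apk=com.example.calculator
package:/data/app/~~Lm9p==/com.spike.older-Aa1==/base.apk=com.spike.older
"""

if __name__ == "__main__":
    for name, app in find_flagged(packages_from_pm_output(SAMPLE_PM_OUTPUT)).items():
        print(f"uninstall {name} ({app})")
```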
It helps to have one of the best Android anti-virus applications installed to protect against infection from malicious apps. Google offers one built-in called Google Play Protect, but it’s clearly ineffective.