From time to time, groups of researchers discover Android applications containing malware in the Google Play Store, which the Mountain View giant then sets about removing to limit the damage caused to users, and something similar has happened in the past few hours.

A team of Threat Fabric researchers claims to have discovered a series of apps, downloaded from Google Play more than 300,000 times, which look "normal" but are actually banking trojans that steal user passwords and two-factor authentication codes, record password sequences and take screenshots.

New malware apps found in the Google Play Store

The apps in question, disguised as QR scanners, PDF scanners, and cryptocurrency wallets, belonged to four separate Android malware families and were distributed over four months, using several tricks to circumvent the restrictions that Google came up with in an attempt to curb the spread of fraudulent applications in the official Android store.

The attackers' method is to make these applications fully functional, so as to win users' trust and prompt them to leave positive ratings on the Google Play Store. The malicious software (the Anatsa malware) is then downloaded through updates to these applications and installed on the unsuspecting victim's device.

Besides Anatsa, three other families of malware have been identified, namely Alien, Hydra and Ermac.

These are some of the applications reported by the researchers, with their package name and SHA-256:


Obviously, the advice for those who have installed one or more of these applications is to remove them immediately from their device.

You can find the full article published by Threat Fabric researchers by following this link.