Researchers say they’ve found a batch of apps on the Google Play Store that were downloaded more than 300,000 times before they were shown to contain trojans that siphoned passwords and 2FA (two-factor authentication) codes, took screenshots, and logged keystrokes.

The apps pose as PDF scanners, cryptocurrency wallets, and QR scanners. They can be grouped into four separate Android malware families distributed over four months.

The hackers used tricks to evade Google’s security measures. Those measures include restricting the use of accessibility services, which are intended for sight-impaired users, to prevent automatic app installations without consent.

How the malware gets through

Researchers from mobile security company ThreatFabric wrote in a post that the Google Play campaigns are hard to detect from both an automation (sandbox) and a machine learning perspective because they have a very small malicious footprint.

The small footprint is caused by the permission restrictions enforced by Google Play.

The campaigns deliver a benign app at first. After it is installed, users get messages instructing them to download updates for additional features. The apps usually require updates to come from third-party sources.

By the time users are asked to install the additional components, they already trust the app.
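As an added illustration (not code from ThreatFabric or Google), the sketch below triages a decoded `AndroidManifest.xml` for the two capabilities this delivery chain relies on: prompting the user to install an APK from outside the store, and declaring an accessibility service. It assumes the manifest has already been decoded to text XML; the sample manifest and package name are constructed, and the heuristic is a prompt for manual review of both the store app and any "update" it fetches, not a verdict.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Real Android permission names; treating them as review triggers is an assumption.
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"
A11Y_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed sample: decoded manifest of a hypothetical "QR scanner" app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.qrscanner">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>
""".strip()


def triage_manifest(manifest_xml):
    """Return the package name and any capabilities worth a manual review."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(NAME) for e in root.iter("uses-permission")}
    # A service guarded by BIND_ACCESSIBILITY_SERVICE is an accessibility service.
    a11y_services = [s.get(NAME) for s in root.iter("service")
                     if s.get(PERMISSION) == A11Y_PERM]
    findings = []
    if INSTALL_PERM in requested:
        findings.append("can prompt the user to install APKs from outside the store")
    if a11y_services:
        findings.append("declares accessibility service(s): " + ", ".join(a11y_services))
    return {"package": root.get("package"), "findings": findings,
            "review": bool(findings)}


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Many legitimate apps request one of these capabilities, so a hit is a reason to look closer at what the app's stated purpose actually needs.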

Trickery and deception

Other tricks the hackers use to keep the apps under the radar include manually installing updates only after checking the geographic location of the infected phone, and delivering updates incrementally.

The attention to detail shown here makes automated malware detection less dependable, according to the ThreatFabric blog post.

The largest malware family is known as Anatsa. The banking trojan comes with various capabilities, including remote access and an automatic transfer system that empties accounts and sends the contents to the malware operators. It is once again time for defenses to evolve, because malware attacks are a step ahead.