If you use an Android phone, you need to be more careful about downloading just any app. Researchers have discovered that over 300,000 users downloaded what turned out to be banking trojan malware after it managed to bypass the Google Play Store’s security. Several commonly downloaded apps are a front for four different forms of malware, one of which can capture users’ bank account and password details and send the information to hackers.

Researchers at ThreatFabric found that common apps such as QR code readers, document scanners, fitness monitors, and cryptocurrency trading platforms are not always genuine. Hackers have managed to make harmful versions of these apps that look just as benign as genuine ones. And just so users do not suspect anything, these apps would advertise what they do in the most appealing way possible. Convinced by these advertisements, users fall prey to hackers after downloading these apps.

Some of these apps are:

Two Factor Authenticator
Protection Guard
QR CreatorScanner
Master Scanner Live
QR Scanner 2021
PDF Document Scanner – Scan to PDF
PDF Document Scanner
QR Scanner
CryptoTracker
Gym and Fitness Trainer

Hackers are using four different forms of malware to steal the personal information of users, per the researchers. Each malware remains inactive unless the app carrying it is installed on the app. Right after the installation is complete, the first thing the malware does is bypass the security detections of the Google Play Store. Doing that ensures the app and the malware will carry out their tasks unchecked on the phone.

The most common malware of the four is called Anatsa, which the researchers said has been downloaded by more than 200,000 Android users. It is dubbed as an “advanced” banking trojan because it can steal usernames, passwords of the user’s internet banking services. Not only does it that, but Anatsa can also enable accessibility logging on the phone, so everything that is happening on the phone’s screen is captured. Hackers have also installed a keylogger into the Trojan to record all information that the user enters on the phone, such as passwords.

Anatsa, which has been active since January, has found its way into benign apps such as QR code scanners and PDF document scanners that people mostly download. Some instances have also been found in some cryptocurrency apps since the growing popularity of cryptocurrencies. Android users are directed to these apps through phishing emails. The apps look convincing, thanks to several positive reviews on the download page, which is why users get tricked into downloading them.

The other three forms of malware that researchers managed to find are Alien, Hydra, and Ermac. While Alien can steal important information even from a two-factor authentication process, the other two give attackers access to users’ banking information through advanced tools embedded into them. All these malware forms stay dormant unless users download the apps acting as conduits.

ThreatFabric claims it informed Google about the malicious apps. Some of them have already been removed, while some are under review. The researchers have listed all the apps infected by the four malware forms on its blog post, along with their targets, which include banking apps such as YONO Lite by State Bank of India and PayPal.