Android banking malware downloaded 10,000 times from Google Play: What to do


A dangerous banking Trojan known as Cerberus has been found masquerading as a Spanish-language currency-converter app that was available to download from the Google Play Store.

According to researchers at antivirus firm Avast, the app targeted Android users in Spain and amassed more than 10,000 downloads.

Avast explained that the app “disguised itself as a genuine app in order to access the banking details of unsuspecting users.” What is less common is that the banking Trojan was able to make its way onto the Google Play Store in the first place.

“The ‘genuine’ app in this case, posed as a Spanish currency converter called Calculadora de Moneda,” wrote Avast's Ondrej David in a blog post. “According to our research, [it] hid its malicious intentions for the first few weeks while being available on the store.”

“This was possibly to stealthily acquire users before starting any malicious activities, which could have grabbed the attention of malware researchers or Google’s Play Protect team,” David added. “As a result, the app has been downloaded more than 10,000 times so far. We reported it to Google, so they can quickly remove it.”

Stealth mode 

Avast noted how banking Trojans often function in a “stealth manner”, aiming to become trusted by the user by behaving normally for a period of time, before going on to access the user's banking details.

There are multiple stages in this process, according to Avast. The first is getting users to download the malicious app, which looks legitimate and may even offer some of the advertised functions. But eventually, it will update itself, or even install a different app onto the victim’s device, in order to steal financial details. 

David explained that the currency converter app “did not steal any data or cause any harm” at first. But it wasn’t long until the banking Trojan kicked into action.

“Later versions of the currency converter included a ‘dropper code’ but it still wasn’t activated initially, i.e. the command and control server (C&C) instructing the app wasn’t issuing any commands and so users wouldn’t see and download the malware,” David wrote. “However in the last couple of days, Threat Labs noticed that a ‘command and control server’ issued a new command to download the additional malicious Android Application Package (APK) -- the banker.”

Fake banking page 

Avast said that, in the last stage, the banker app “can sit over an existing banking app and wait for the user to log into their bank account” by abusing Android's features for users with visual or hearing impairments.

This creates “a layover over your login screen, and steals all your access data”, and can even do things like “read your text messages and two-factor authentication details, meaning it is able to bypass all security measures”.

To stay safe from banking Trojans, Avast recommends that users only use verified and trusted banking apps, to read user reviews and ratings on the Google Play Store (and avoid third-party stores), to look at an app's permissions to see if it is requesting too many, and to download and use one of the best Android antivirus apps.
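The permission check recommended above can also be run against an app's decoded AndroidManifest.xml (for instance one extracted with a tool such as apktool). The following Python script is an added example, not code from Avast or the original article; the behaviour-to-permission mapping, the two-capability threshold and both sample manifests are constructed assumptions, since the article does not list the permissions the real app requested.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"  # android: namespace

# Assumed mapping from behaviours described in the article to the Android
# permissions that enable them. Not the real app's permission list.
BEHAVIOURS = {
    "can install further APKs (dropper)": {"android.permission.REQUEST_INSTALL_PACKAGES"},
    "can read SMS, including 2FA codes": {"android.permission.READ_SMS",
                                          "android.permission.RECEIVE_SMS"},
    "can draw over other apps (overlay)": {"android.permission.SYSTEM_ALERT_WINDOW"},
}
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"

def flagged_capabilities(manifest_xml):
    """List the article's behaviours that a decoded manifest makes possible."""
    root = ET.fromstring(manifest_xml.strip())
    requested = {el.get(ANDROID + "name") for el in root.iter("uses-permission")}
    found = [label for label, perms in BEHAVIOURS.items() if perms & requested]
    # Accessibility services are declared on <service>, not <uses-permission>.
    if any(s.get(ANDROID + "permission") == ACCESSIBILITY for s in root.iter("service")):
        found.append("registers an accessibility service")
    return found

def needs_review(manifest_xml, threshold=2):
    """Assumed rule: two or more flagged capabilities in a utility app is odd."""
    return len(flagged_capabilities(manifest_xml)) >= threshold

# Constructed manifests (not taken from any real app).
SUSPICIOUS = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.converter">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <service android:name=".Helper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
BENIGN = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.calc">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for name, doc in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, needs_review(doc), flagged_capabilities(doc))
```

A flagged manifest is a prompt for closer inspection rather than proof of malice, because legitimate apps also request these permissions when their function requires them.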


Nicholas Fearn is a freelance technology journalist and copywriter from the Welsh valleys. His work has appeared in publications such as the FT, the Independent, the Daily Telegraph, The Next Web, T3, Android Central, Computer Weekly, and many others. He also happens to be a diehard Mariah Carey fan!