Money-stealing apps hit 300,000 Android phones — what to do


More than 300,000 Android users have installed rogue apps from the Google Play store that eventually develop into money-stealing banking Trojans through a series of incremental updates.

But not everyone who installs these apps will be infected, explained researchers at ThreatFabric in a report posted yesterday (Nov. 29). Instead, the criminals controlling these apps are often selective about their targets, restricting malware installation to users who live in certain countries or are running desired banking apps.

"[Threat] actors are focusing on loaders with a reduced malicious footprint in Google Play, considerably increasing the difficulties in detecting them with automation and machine learning techniques," explained ThreatFabric. 

All these malicious apps have been booted out of the Google Play store, but at least some are probably still available in "off-road" app stores. You'll want to make sure that you remove them if you have any of these apps installed. 

The apps are mostly QR-code or PDF scanners, and they work as promised. They were cleared by Google Play as safe because the malware isn't added until the apps have been running on the devices for a while.

The malware tries to steal login credentials for banking, cryptocurrency and payment apps, plus some email and general-purpose apps. Targeted countries include Australia, the U.K. and the U.S., plus many countries in Europe and Southeast Asia.

Targeted financial apps include those from Bank of America, Barclays, Binance, Capital One, Cash App, Chase, Citibank, Citizens Bank, Coinbase, Credit Suisse, HSBC, Lloyds, NatWest, PNC Bank, Royal Bank of Scotland, TD Bank, Wells Fargo and Zelle, plus dozens of others. Other targeted apps include Gmail, Google Play, Microsoft Outlook, Netflix and Yahoo Mail.

The full list of these malicious apps is here, with their screen names followed by their Android package names:

  • CryptoTracker — cryptolistapp.app.com.cryptotracker
  • Gym and Fitness Trainer — com.gym.trainer.jeux
  • Master Scanner Live — com.multifuction.combine.qr
  • PDF Document Scanner — com.docscanverifier.mobile
  • PDF Document Scanner Free — com.doscanner.mobile
  • PDF Document Scanner - Scan to PDF — com.xaviermuches.docscannerpro2
  • Protection Guard — com.protectionguard.app
  • QR CreatorScanner — com.ready.qrscanner.mix
  • QR Scanner — com.qr.barqr.scangen
  • QR Scanner 2021 — com.qr.code.generate
  • Two Factor Authenticator — com.flowdivison

If you have any apps by these names installed, use the Android package name and a desktop web browser to check to see whether the app is still available in Google Play. (Many apps share names, but Android package names are unique.)

You can do this by first entering the generic Google Play app page web address, "https://play.google.com/store/apps/details?id=", into the browser's address field, but don't press Enter or Return just yet.

Then copy one of the Android package names above, for example "com.qr.barqr.scangen", and paste it after the equal sign at the end of the web address above. Hit Enter or Return.

If you get a page saying, "We're sorry, the requested URL was not found on this server," as you would for "https://play.google.com/store/apps/details?id=com.ready.qrscanner.mix", then you'll know the app has been removed from Google Play and you can and should delete it.
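For anyone checking more than one phone, the same comparison can be scripted. The following is an added example, not part of the original article or ThreatFabric's report: it matches the text output of `adb shell pm list packages` against the package names listed above and builds the Google Play URL for each hit. The function names and the sample listing are constructed for illustration.

```python
# Added example: match an Android package listing against the article's list.
PLAY_URL = "https://play.google.com/store/apps/details?id="

# Package names and screen names exactly as listed in the article.
FLAGGED = {
    "cryptolistapp.app.com.cryptotracker": "CryptoTracker",
    "com.gym.trainer.jeux": "Gym and Fitness Trainer",
    "com.multifuction.combine.qr": "Master Scanner Live",
    "com.docscanverifier.mobile": "PDF Document Scanner",
    "com.doscanner.mobile": "PDF Document Scanner Free",
    "com.xaviermuches.docscannerpro2": "PDF Document Scanner - Scan to PDF",
    "com.protectionguard.app": "Protection Guard",
    "com.ready.qrscanner.mix": "QR CreatorScanner",
    "com.qr.barqr.scangen": "QR Scanner",
    "com.qr.code.generate": "QR Scanner 2021",
    "com.flowdivison": "Two Factor Authenticator",
}

def parse_pm_list(text):
    """Extract package names from `pm list packages` output (with or without -f)."""
    pkgs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue  # skip warnings, blank lines and other noise
        entry = line[len("package:"):]
        # With -f the line is package:<apk path>=<name>; the path may contain '='.
        pkgs.add(entry.rsplit("=", 1)[-1])
    return pkgs

def find_flagged(pm_output):
    """Return (screen name, package name, Play URL) for each exact match."""
    hits = parse_pm_list(pm_output).intersection(FLAGGED)
    return [(FLAGGED[p], p, PLAY_URL + p) for p in sorted(hits)]

# Constructed sample listing; the last line is a lookalike that must not match.
SAMPLE = """\
package:com.android.chrome
package:com.qr.barqr.scangen
package:/data/app/~~constructed==/com.flowdivison-x==/base.apk=com.flowdivison
package:com.qr.code.generator
"""

if __name__ == "__main__":
    for name, pkg, url in find_flagged(SAMPLE):
        print(f"REMOVE: {name} ({pkg})\n  check: {url}")
```

Matching is on the exact package name, never the screen name, for the reason given above: many apps share names, but package names are unique.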

If you do find that one of these specific apps was installed on your phone, you'll want to check your bank balances and change your account passwords for any banking apps you have installed, as well as Gmail, Yahoo Mail, Microsoft Outlook or Netflix.

You should also install and run one of the best Android antivirus apps, although to be fair, these rogue apps have done a pretty good job of evading antivirus programs because they seem perfectly benign at first.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.
