Money-stealing apps hit 300,000 Android phones — what to do

Green skull on smartphone screen.
(Image credit: Shutterstock)

More than 300,000 Android users have installed rogue apps from the Google Play store that eventually develop into money-stealing banking Trojans through a series of incremental updates.

But not everyone who installs these apps will be infected, explained researchers at ThreatFabric in a report posted yesterday (Nov. 29). Instead, the criminals controlling these apps are often selective about their targets, restricting malware installation to users who live in certain countries or are running desired banking apps.

"[Threat] actors are focusing on loaders with a reduced malicious footprint in Google Play, considerably increasing the difficulties in detecting them with automation and machine learning techniques," explained ThreatFabric. 

All these malicious apps have been booted out of the Google Play store, but at least some are probably still available in "off-road" app stores. You'll want to make sure that you remove them if you have any of these apps installed. 

The apps are mostly QR-code or PDF scanners, and they work as promised. They were cleared by Google Play as safe because the malware isn't added until the apps have been running on the devices for a while.

 The malware tries to steal login credentials for banking, cryptocurrency and payment apps, plus some email and general-purpose apps. Targeted countries include Australia, the U.K. and the U.S., plus many countries in Europe and Southeast Asia.

Targeted financial apps include those from Bank of America, Barclays, Binance, Capital One, Cash App, Chase, Citibank, Citizens Bank, Coinbase, Credit Suisse, HSBC, Lloyds, NatWest, PNC Bank, Royal Bank of Scotland, TD Bank, Wells Fargo and Zelle, plus dozens of others. Other targeted apps include Gmail, Google Play, Microsoft Outlook, Netflix and Yahoo Mail.

The full list of these malicious apps is here, with their screen names followed by their Android package names:

  • CryptoTracker —
  • Gym and Fitness Trainer — com.gym.trainer.jeux
  • Master Scanner Live — com.multifuction.combine.qr
  • PDF Document Scanner —
  • PDF Document Scanner Free —
  • PDF Document Scanner - Scan to PDF — com.xaviermuches.docscannerpro2
  • Protection Guard —
  • QR CreatorScanner — com.ready.qrscanner.mix
  • QR Scanner — com.qr.barqr.scangen
  • QR Scanner 2021 — com.qr.code.generate
  • Two Factor Authenticator — com.flowdivison

If you have any apps by these names installed, use the Android package name and a desktop web browser to check to see whether the app is still available in Google Play. (Many apps share names, but Android package names are unique.)

You can do this by first entering the generic Google Play app page web address, "", into the browser's address field, but don't press Enter or Return just yet.

Then copy one of the Android package names above, for example "com.qr.barqr.scangen", and paste it after the equal sign at the end of the web address above. Hit Enter or Return.

If you get a page saying, "We're sorry, the requested URL was not found on this server," as you would for "", then you'll know the app has been removed from Google Play and you can and should delete it.

If you do find that one of these specific apps was installed on your phone, you'll want to check your bank balances and change your account passwords for any banking apps you have installed, as well as Gmail, Yahoo Mail, Microsoft Outlook or Netflix.

You should also install and run one of the best Android antivirus apps, although to be fair, these rogue apps have done a pretty good job of evading antivirus programs because they seem perfectly benign at first.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.