These Android apps can steal your banking info by recording your screen — delete them now

A person trying to login into their bank account using their phone
(Image credit: Shutterstock)

Five malicious Android apps that appear innocent-looking at first glance have been discovered on the Google Play Store and are being used to steal banking information from unsuspecting users.

According to a report from ThreatFabric (opens in new tab), these malicious apps pose as finance trackers and other utilities like file managers to trick potential victims into downloading them in the first place. However, this appears to be working as the five malicious apps discovered by the firm’s researchers have been downloaded over 100,000 times combined.

Even though Google scans apps submitted to the Play Store for malware and other viruses, the apps in question were able to slip past its defenses as they don’t actually contain any malicious code. Instead, these apps are known as malware droppers since they download their malicious payloads onto one of the best Android phones after being installed.   

In ThreatFabric’s report, the fraud detection firm says that there has been an uptick recently in the use of malware droppers by cybercriminals as they offer an easier way to infect vulnerable devices with a much lower chance of being discovered.

Remove these apps from your devices immediately

If you have any of the apps listed below installed on your Android smartphone or tablet, you will need to manually delete them immediately. However, it’s also worth taking a look at Threat Fabric’s research, as the firm has also included a list at the end of its blog post with all the banking apps and crypto wallets targeted by the malware these droppers leave on an infected device.

  • Codice Fiscale 2022 - 10,000 downloads
  • File Manager Small, Lite - 1,000 downloads
  • Recover Audio, Images & Videos – 100,000 downloads
  • Zetter Authentication – 10,000 downloads
  • My Finances Tracker – 1,000 downloads

Using malware droppers to spread banking trojans

Android malware on phone

(Image credit: Shutterstock)

The app ‘Codice Fiscale 2022’ targets Italian users looking to calculate tax payments but once installed on a user’s device, it drops the SharkBot banking trojan. Likewise, the app ‘File Manager, Small, Lite’ also drops this same Android malware.

SharkBot has been growing in popularity over the past few months and it is used by cybercriminals to steal banking and other credentials from victims by displaying fake overlays when they try to login. According to ThreatFabric, this banking trojan is capable of stealing usernames and passwords from Barclays, Citi, Capital One, Wells Fargo, PayPal and other banking apps but it can also intercept 2FA codes sent via text, perform keylogging and remotely take over an infected device.

Both of the apps in question infect user devices with SharkBot by prompting them to install a fake update which is hosted on a site designed to look like the Play Store. While examining the URL would show the update is fake, newer versions of Android warn users when an app requests to use the “REQUEST_INSTALL_PACKAGES” permission according to BleepingComputer.

The apps ‘Recover Audio, Images & Videos,’ ‘Zetter Authentication,’ and ‘My Finances Tracker’ work in a similar way but drop the Vultur malware instead of SharkBot. However, like the former, Vultur can remotely stream the contents of your smartphone’s screen and perform keylogging on your device. All of this data is sent back to the cybercriminals responsible and is then used to commit fraud.

These three malicious apps also display a request to install a fake update disguised as a Play Store notice after being loaded onto a victim’s phone. If a user installs this fake update, their smartphone is then infected with the Vultur malware.

In this campaign though, ThreatFabric’s researchers spotted a new Vultur variant that can also perform UI logging and record clicks, gestures and every other action a victim takes on their smartphone. When it comes to banking apps and crypto wallets, this malware targets crypto.com, Amex, Barclays, Coinbase, eToro, Robinhood, Cash App and many other popular financial services.

How to stay safe from banking trojans and other malware

A hand holding a phone securely logging in

(Image credit: Google)

When it comes to staying safe from malicious apps, your best bet is to avoid sideloading apps entirely and only downloading new apps from official stores like the Play Store, Amazon App Store or the Samsung Galaxy App Store. While this won’t work in this case, it’s a good general rule of thumb to avoid having your smartphone infected with malware.

As such, you need to be extra careful when installing apps onto your Android smartphone or tablet. Before installing any new app, you first need to consider whether or not you really need it. From there, you should read the reviews and check the app’s rating on the Play Store but looking at external reviews (preferably video reviews) is a good idea as well since cybercriminals often use fake reviews to make their bad apps seem more appealing.

Thankfully, malware droppers - like the five malicious apps described above – often require you to install an update after putting them on your phone. If an app tries to do this and the update isn’t being delivered by Google through the Play Store, this is a major red flag and you should delete the app in question immediately.

As for staying safe from malware, you'll want to ensure that Google Play Protect is enabled on your Android devices since it automatically scans for malware in the background. For additional protection though, you'll also want to install one of the best Android antivirus apps on your smartphone or tablet. 

Google’s engineers work tirelessly to rid the Play Store of malicious apps. However, since they don’t contain any malicious code, malware droppers are more likely to bypass the search giant’s security measures, which is why you always need to watch out when installing any new app on your Android devices.

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.