Google has booted eight malicious Android apps from the Play Store that were designed to steal money from online financial accounts and take over smartphones, according to a new report from Israeli security firm Check Point.
The apps, listed below, snuck into Google Play through the front door. They didn't seem malicious when Google's malicious-app screening process evaluated them, Check Point said, because the apps' creators made sure the apps communicated only with Google's own Firebase cloud back-end servers, which are often used by smartphone apps.
- Study: Two-thirds of Android malware comes through Google Play
- The best Android antivirus apps to keep your phone clean
- Plus: Google Pixels can now read your heart rate and breathing
But once the apps were installed by users, Check Point said, they switched to communicating with GitHub, a code-sharing platform owned by Microsoft upon which anyone can post software and other items.
Each app contained a hidden "dropper" designed to install more software, and those droppers downloaded the AlienBot banking Trojan from individual GitHub pages dedicated to each app. (Independent researchers at MalwareHunterTeam also posted about this on Twitter in late January.)
Check Point described AlienBot as "second-stage malware that targets financial applications by bypassing two-factor authentication codes for financial services."
In other words, AlienBot — once installed — steals your online banking password and gets around the two-factor authentication (2FA) methods meant to protect against the use of stolen passwords.
Even worse, said Check Point, AlienBot often installs the Android version of TeamViewer, a legitimate app that enables remote control of a smartphone (or a computer) from afar.
With TeamViewer installed, the bogus apps' creator(s) could have logged into victims' bank accounts at any time.
"The hacker was able to leverage readily available resources to bypass Google Play Store's protections," said Check Point researcher Aviran Hazum. "The victims thought they were downloading an innocuous utility app from the official Android market, but what they were really getting was a dangerous Trojan coming straight for their financial accounts."
Check Point said it notified Google about these malicious apps on Jan. 28, and Google confirmed on Feb. 9 that all had been removed from Google Play.
How to remove malicious apps from your phone
Many people may still have these apps installed on their devices. Here's a chart showing the name of each app along with their unique Android application IDs, which are important because Android apps often share identical or very similar names.
| App name | Application ID |
|---|---|
| BeatPlayer | com.crrl.beatplayers |
| Cake VPN | com.lazycoder.cakevpns |
| eVPN | com.abcd.evpnfree |
| Music Player | com.revosleap.samplemusicplayers |
| Pacific VPN | com.protectvpn.freeapp |
| QR/Barcode Scanner MAX | com.bezrukd.qrcodebarcode |
| QRecorder | com.record.callvoicerecorder |
| tooltipnatorlibrary | com.mistergrizzlys.docscanpro |
To make sure you don't have any of these apps installed, scroll through your apps and see if anything has a name similar to one of those above.
If so, then go to Settings > Apps & notifications. You may have to tap an extra button to see all your apps at once.
Scroll down to the suspicious app and tap it. On the app's screen, tap Advanced, then tap App Details.
You should be taken straight to the app's page in the Google Play app, which is really just a specialized web browser. Tap the three stacked dots in the upper right of the Google Play app page, then tap Share.
A flyout window should appear at the bottom of the screen displaying the web address, or URL, for the app's Google Play store page.
The last part of that URL, after the equal sign, is the app's application ID.
For example, when you look up the Facebook Android app in Google Play, the URL is "https://play.google.com/store/apps/details?id=com.facebook.katana." The application ID for the Facebook app is "com.facebook.katana".
If one of your apps has an application ID that matches one of the application IDs the chart above, then you'll have to remove it.
Tap the back button to get out of the flyout window on the app's Google Play page. Then tap Uninstall to get rid of the app.
