Two more Android banking Trojans have turned up in the Google Play Store, report security researchers.
One malicious app was downloaded more than 50,000 times before being kicked out of Google Play last week, while the second app, called QR Code & Barcode – Scanner, was, incredibly, still in Google Play at the time of this writing and is targeting American users.
The first app, called Fast Cleaner, says it aims for “speeding up the device by removing unused clutter and removing battery optimization blocks,” according to a report last week from security firm ThreatFabric.
Fast Cleaner works as promised, but it also contains a dropper, which is malware designed to secretly install other programs on a device without the user’s knowledge. According to ThreatFabric’s analysis, Fast Cleaner’s chief payload was a new type of banking Trojan that ThreatFabric called “Xenomorph” after the hungry protagonist of the Alien movie series.
Xenomorph uses screen overlays to deceive the user into typing in usernames and passwords, collects information about infected devices and reads users’ text messages. With these powers, it can capture login credentials for bank and webmail accounts. It can also capture and hide the temporary two-factor authentication PINs texted to your phone, plus other notifications.
ThreatFabric took apart Xenomorph’s code and found that it could generate convincing fake screens that looked like nearly 60 different apps made by banks in Belgium, Italy, Portugal and Spain. It also could fake (and steal credentials meant for) the Gmail, Google Play, Hotmail, Mail.com, Microsoft Outlook, PayPal and Yahoo Mail apps.
The other Android banking Trojan, TeaBot, is better known and made a return to Google Play last month after previously having been kicked out, reports Italian security firm Cleafy.
Despite Cleafy’s report, the malware is still in Google Play in the form of an app called “QR Code & Barcode – Scanner”, although there are many apps with similar…