Privacy Ninja

Android Banking Malware Infects 300,000 Google Play Users

Malware campaigns distributing Android trojans that steal online banking credentials have infected almost 300,000 devices through malicious apps pushed via Google’s Play Store.

The Android banking trojans delivered to compromised devices attempt to steal users’ credentials when they log in to online banking or cryptocurrency apps. Credential theft is commonly done with fake bank login forms overlaid on top of the legitimate apps’ login screens.

The stolen credentials are then sent back to the attacker’s servers, where they are collected to be sold to other threat actors or used to steal cryptocurrency and money from victims’ accounts.

Evolving tactics to evade detection

In a new report by ThreatFabric, researchers explain how they discovered four different malware dropper campaigns distributing banking trojans on the Google Play Store.

While threat actors infiltrating the Google Play Store with Android banking trojans are nothing new, recent changes to Google’s policies and increased policing have forced threat actors to evolve their tactics to evade detection.

This evolution includes creating small realistic-looking apps that focus on common themes such as fitness, cryptocurrency, QR codes, and PDF scanning to trick users into installing the app. Then, to add further legitimacy to the apps, the threat actors create websites that fit the theme of the app to help pass reviews by Google.

Furthermore, ThreatFabric has seen these apps only being distributed to specific regions or at later dates to further evade detection by Google and antivirus vendors.

“This policing by Google has forced actors to find ways to significantly reduce the footprint of dropper apps. Besides improved malware code efforts, Google Play distribution campaigns are also more refined than previous campaigns,” ThreatFabric researchers explain in their new report.

“For example, by introducing carefully planned small malicious code updates over a longer period in Google Play, as well as sporting a dropper C2 backend to fully match the theme of the dropper app (for example a working Fitness website for a workout focused app).”

However, once these “dropper” apps are installed, they will silently communicate with the threat actor’s server to receive commands. When ready to distribute the banking trojan, the threat actor’s server will tell the installed app to perform a fake “update” that “drops” and launches the malware on the Android device.

Fake update installing an Android banking trojan (Source: ThreatFabric)

16 apps infect 300,000 devices

Since July 2021, ThreatFabric has seen these fake apps dropping four different banking trojans, named ‘Alien’, ‘Hydra’, ‘Ermac’, and ‘Anatsa’, through sixteen different apps.

Timeline of malware campaigns on Google Play (Source: ThreatFabric)

The “dropper” apps known to be used during these malware distribution campaigns are:

  • Two Factor Authenticator
  • Protection Guard
  • QR CreatorScanner
  • Master Scanner
  • QR Scanner 2021
  • QR Scanner
  • PDF Document Scanner – Scan to PDF
  • PDF Document Scanner
  • PDF Document Scanner Free
  • CryptoTracker
  • Gym and Fitness Trainer

Other malicious apps seen installed by the above droppers and their associated banking trojans are:

  • Master Scanner Live (Alien trojan)
  • Gym and Fitness Trainer (Alien trojan)
  • PDF AI : TEXT RECOGNIZER (Anatsa trojan)
  • QR CreatorScanner (Hydra trojan)
  • QR CreatorScanner (Ermac trojan)

During these four months of malicious activity, ThreatFabric found that the droppers were installed 300,000 times, with some individual droppers installed over 50,000 times.

The number of banks, money transfer apps, cryptocurrency exchanges, cryptocurrency wallets, and mail services is impressive, with approximately 537 online sites and mobile apps targeted for credential theft.

The targeted organizations include Gmail, Chase, Citibank, HSBC, Coinbase, Kraken, Binance, KuCoin, CashApp, Zelle, TrustWallet, MetaMask, and more.

Google has since removed all of these malicious apps from the Play Store. If you have any of the above apps installed, you should immediately remove them from your Android device.

Furthermore, due to the evolving techniques used by Android malware developers, users must pay more attention to the permissions requested by apps and block the install if they seem overly broad.
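The dropper behaviour described above (a benign-looking app that later sideloads a "fake update", and a banker that draws login overlays) maps onto a small number of Android permissions, which is what the advice about watching permissions comes down to in practice. The following is an added triage example, not code from the article or from ThreatFabric. It assumes an app inventory has already been exported from a device (label, package name, requested permissions, whether an accessibility service is declared); the sample inventory and every package name in it are constructed placeholders, and only the app labels come from the article's dropper list. The permission names are real Android constants.

```python
"""Triage an installed-app inventory for dropper and banking-trojan indicators.

Added example; the inventory below is constructed and the package names are
invented placeholders.  Severity tiers:
  remove  - label matches a dropper named in the article
  review  - two or more capabilities a banker/dropper needs, no label match
  info    - a single such capability (many legitimate apps have one)
"""
from __future__ import annotations

from dataclasses import dataclass, field

# App display names the article lists as droppers found on Google Play.
DROPPER_LABELS = {
    "Two Factor Authenticator", "Protection Guard", "QR CreatorScanner",
    "Master Scanner", "QR Scanner 2021", "QR Scanner",
    "PDF Document Scanner - Scan to PDF", "PDF Document Scanner",
    "PDF Document Scanner Free", "CryptoTracker", "Gym and Fitness Trainer",
}

# Requested permissions that correspond to the behaviours in the article:
# sideloading an APK as a "fake update" and overlaying a fake login form.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install APKs (fake-update dropper)",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw overlays on other apps",
}


@dataclass
class InstalledApp:
    label: str
    package: str
    permissions: set = field(default_factory=set)
    # True if the app declares an accessibility service (UI automation / input capture).
    accessibility_service: bool = False


@dataclass
class Finding:
    package: str
    severity: str
    reasons: list


def triage_app(app: InstalledApp) -> Finding | None:
    """Return a Finding for one app, or None if nothing stands out."""
    reasons = []
    label_match = app.label in DROPPER_LABELS
    if label_match:
        reasons.append(f"label matches known dropper '{app.label}'")
    capabilities = 0
    for perm, why in SUSPICIOUS_PERMISSIONS.items():
        if perm in app.permissions:
            reasons.append(f"{perm}: {why}")
            capabilities += 1
    if app.accessibility_service:
        reasons.append("declares an accessibility service")
        capabilities += 1
    if label_match:
        severity = "remove"
    elif capabilities >= 2:
        severity = "review"
    elif capabilities == 1:
        severity = "info"
    else:
        return None
    return Finding(app.package, severity, reasons)


def triage_inventory(apps: list[InstalledApp]) -> list[Finding]:
    """Triage every app and keep only the ones with a finding, inventory order preserved."""
    return [f for f in (triage_app(a) for a in apps) if f is not None]


# Constructed sample inventory (package names are placeholders, not real apps).
SAMPLE_INVENTORY = [
    InstalledApp("QR Scanner 2021", "com.example.qrscan2021",
                 {"android.permission.CAMERA", "android.permission.REQUEST_INSTALL_PACKAGES"}),
    InstalledApp("Notes", "com.example.notes", {"android.permission.INTERNET"}),
    InstalledApp("Fitness Coach", "com.example.fitcoach",
                 {"android.permission.SYSTEM_ALERT_WINDOW",
                  "android.permission.REQUEST_INSTALL_PACKAGES"}),
    InstalledApp("Messenger", "com.example.msg", {"android.permission.SYSTEM_ALERT_WINDOW"}),
]

if __name__ == "__main__":
    for finding in triage_inventory(SAMPLE_INVENTORY):
        print(f"[{finding.severity}] {finding.package}")
        for reason in finding.reasons:
            print(f"    - {reason}")
```

The point of the tiers is that no single permission is damning: a chat app legitimately draws overlays, and an app store client legitimately installs packages. A QR or PDF scanner that asks for both, or that also registers an accessibility service, has no reason to, and that combination is the signal the article's advice is pointing at.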
