Money-Stealing Apps Hit 300,000 Android Phones — What to Do

More than 300,000 Android users have installed rogue apps from the Google Play Store. Through a series of incremental updates, these apps eventually develop into banking Trojans that steal money.

However, not everyone who installs these apps becomes infected, ThreatFabric researchers explained in a report posted yesterday (November 29). Instead, the criminals who control these apps are often selective in their targeting, limiting malware installation to users who live in certain countries or who are running the desired banking app. ThreatFabric explains, "Threat actors are concentrating on loaders with low malicious footprints in Google Play, which considerably increases the difficulty of detection through automation and machine learning techniques."

All of these malicious apps have been eradicated from the Google Play Store, but at least some will still be available in the "offload" app store. If you have any of these apps installed, be sure to remove them.

Most of these apps are QR code or PDF scanners and work as promised. Malware is not added until the app has been running on the device for some time, so Google Play has cleared these apps as safe.

The malware attempts to steal login credentials for banking, cryptocurrency, and payment apps, as well as some email and generic apps. Targeted countries include Australia, the United Kingdom, and the United States, as well as many countries in Europe and Southeast Asia.

Targeted financial apps include Bank of America, Barclays, Binance, Capital One, Cash App, Chase, Citibank, Citizens Bank, Coinbase, Credit Suisse, HSBC, Lloyds, NatWest, PNC Bank, Royal Bank of Scotland, TD Bank, Wells Fargo, Zelle, and numerous other apps. Other targeted apps include Gmail, Google Play, Microsoft Outlook, Netflix, and Yahoo Mail.

A full list of these malicious apps can be found here, with the screen name followed by the Android package name:

If an app with one of these names is installed, use the Android package name and desktop web browser to see if the app is still available in Google Play. (Many apps share a name, but Android package names are unique.)

To do this, first copy the web address of the generic Google Play app page, "https://play.google.com/store/apps/details?id=", into your browser's address field.

Then copy one of the Android package names above, e.g. "com.qr.barqr.scangen", and paste it after the last equal sign of the web address. Press Enter or Return.

If the resulting page, such as "https://play.google.com/store/apps/details?id=com.ready.qrscanner.mix", says "We're sorry, the requested URL was not found on this server," the app has been removed from Google Play.
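The same check can be scripted for a phone connected over adb. The following is an added example, not code from the article or from ThreatFabric: it matches installed package names against a watchlist and looks up each Play listing. The watchlist holds only the two package names quoted in the text, the `pm list packages` sample is constructed, and treating HTTP 404 as the "not found" page is an assumption.

```python
import urllib.error
import urllib.parse
import urllib.request

PLAY_DETAILS = "https://play.google.com/store/apps/details?id="

# Only the two package names quoted in the article; extend with the full list.
WATCHLIST = {"com.qr.barqr.scangen", "com.ready.qrscanner.mix"}

# Constructed sample of `adb shell pm list packages` output (not a real device).
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome
package:com.qr.barqr.scangen
package:com.example.notes
"""

def play_url(package):
    """Append the package name after the final '=' of the details URL."""
    return PLAY_DETAILS + urllib.parse.quote(package, safe=".")

def installed_packages(pm_output):
    """Parse 'package:<name>' lines into a set of package names."""
    return {line.split(":", 1)[1].strip()
            for line in pm_output.splitlines() if line.startswith("package:")}

def flagged(pm_output, watchlist=WATCHLIST):
    """Match on package name, because display names are not unique."""
    return sorted(installed_packages(pm_output) & set(watchlist))

def http_status(url):
    """Return the HTTP status code for url (performs a network request)."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def listing_state(package, fetch=http_status):
    """Assumption: the 'requested URL was not found' page is an HTTP 404."""
    status = fetch(play_url(package))
    if status == 404:
        return "removed"
    return "listed" if status == 200 else f"unknown ({status})"

if __name__ == "__main__":
    for pkg in flagged(SAMPLE_PM_OUTPUT):
        print(pkg, "installed; Play listing:", listing_state(pkg))
```

A "removed" result only describes the store listing; an app that is already installed stays on the phone until it is uninstalled.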

If you find that any of these apps are installed on your phone, check your bank balance. We also recommend that you change the account passwords for your installed banking apps, Gmail, Yahoo Mail, Microsoft Outlook and Netflix.

You should also install and run one of the best Android antivirus apps, but to be fair, these rogue apps do a pretty good job of evading antivirus programs because they seem completely benign at first.
