These apps with over 1 billion downloads on Google Play Store are prime targets for cybercriminals

Some seemingly harmless productivity and gaming apps available on the Google Play Store were created solely to steal your banking credentials, according to a new report from BeepComputer which is based on the findings of a Zimperium study.

Hidden within these apps are mobile banking trojans that kick in when you launch a legitimate banking or financial app. They trick users into showing fake login page on genuine pages to access account credentials. The malware also keeps track of notifications to get the OTP and is also capable of abusing accessibility services to do financial fraud on the device.

The ten most malicious Trojans target up to 639 financial apps that have been downloaded over a billion times. Users in the United States are most at risk, not only because three out of four banking customers in the country use an app to carry out their daily transactions, but also because 121 of the apps are aimed at American users. Next comes the United Kingdom with 55 applications, followed by Italy which has 43, then comes Turkey with 34, Australia with 33 and France with 31.
The most downloaded targeted app is PhonePe, a hugely popular payment app in India. It has been downloaded 100 million times on Google Play. Binance cryptocurrency exchange app, which has been downloaded 50 million times, and US and UK-based mobile payment service Cash App, which has also been installed 50 million times , are also targeted by many banking Trojans.

The most targeted application is the global online banking platform BBVA, which has tens of millions of downloads. Seven of the ten most prolific banking malware are known to target this application.

Most of these apps are targeted by a trojan called Teabot, which covers 410 of the 639 apps tracked, and Exbot comes in second, affecting 324 apps.

Other Trojans that have been quite active in the first quarter of 2021 include:

  • BianLian which targets Binance, BBVA and many Turkish apps.
  • Cabassous who is after clients of Barclays, CommBank, Halifax, Lloyds and Santander.
  • Coper can take over BBVA, Caixa Bank, CommBank and Santander accounts.
  • EventBot targeting Barclays, Intensa, BancoPosta and a host of Italian apps. It disguises itself as Microsoft Word or Adobe Flash.
  • The aforementioned exobot which can affect PayPal, Binance, Cash App, Barclays, BBVA and CaixaBank,
  • FluBot which impacted BBVA, Caixa, Santander and various Spanish apps.
  • Medusa which targeted BBVA, CaixaBank, Ziraat and Turkish banking apps.
  • Sharkbot which affected Binance, BBVA and Coinbase.
  • Teabot targets PhonePe, Binance, Barclays,, Postepay, Bank of America, Capital One, Citi Mobile and Coinbase.
  • Xenomorph targets BBVA and many EU-specific banking apps.
The strategy that these Trojans have employed is that each of them maintains a narrow target range and they have different types of functionality for different purposes.
Since these Trojans are hidden in apps available on the official Android app store, you should be on your guard and avoid apps from untrusted sources. To go further, you can consider a service like ExpressVPN.

Comments are closed.