RESEARCHERS SAID THEY’VE discovered a batch of apps that were downloaded from Google Play more than 300,000 times before the apps were revealed to be banking trojans that surreptitiously siphoned user passwords and two-factor-authentication codes, logged keystrokes, and took screenshots.
The apps—posing as QR scanners, PDF scanners, and cryptocurrency wallets—belonged to four separate Android malware families that were distributed over four months. They used several tricks to sidestep restrictions Google has devised in an attempt to rein in the unending distribution of fraudulent apps in its official marketplace. Those limitations include restricting the use of accessibility services for sight-impaired users to prevent the automatic installation of apps without user consent.