How Hackers Tricked 300,000 Android Users into Downloading Password-Stealing Malware

Multiple types of malware were used by the hackers.

The report only mentions a few of the malicious apps, but they include fitness trackers, PDF scanning, and cryptanalysis apps. Many of the apps in this malware campaign worked exactly as advertised, while quietly stealing user data in the background.

The researchers broke the apps into four different families based on the specific software used.

The largest of the four families used a banking trojan called Anatsa, which abuses Android's accessibility services to steal login information.
The Alien trojan was installed on over 97,000 devices; it intercepts 2FA codes, which can then be used to log into the victim's bank account.
The remaining two families are attributed to the Brunhilda cybercriminal group and used the Ermac and Hydra malware. Both steal banking information and give the attackers remote access to the victim's device. According to ThreatFabric, apps using Ermac and Hydra racked up over 15,000 downloads.

These families skirt security measures.

The apps have been removed from the Play Store and are no longer installed on any devices. The real issue is how the hackers were able to get the malicious code into the apps in the first place.

The Play Store will usually catch and remove apps with questionable code. In these cases, the malicious software was not in the app at submission time; it was added later in an update, after the apps were already installed and running. Developers can push new code to existing users this way, and users will not notice anything amiss since the apps keep working as intended. There were a few telltale signs that the updates were problematic: they may have asked for accessibility services privileges or forced users to sideload additional software.

How to keep your device safe.

There are a few things you can do to keep your devices and data safe. Whenever you run or update an app, always pay attention to the permissions it asks for, and not just the first time it is installed. If the app seems suspicious, report it. There is no reason for a QR code scanner to have access to your accessibility services.

Only install updates from the Play Store. If an app says it requires a sudden update but you don't see one listed in the Play Store app, it may not be a legitimate patch. The only time it is safe to sideload additional apps is when you download the APK file yourself from trusted, verified sources. Even if the app is on the Play Store, you need to thoroughly vet it before you download it, as hackers can fake an app's legitimacy with misleading reviews.
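The two warning signs described above (a third-party app with an enabled accessibility service, and an app that has asked for the permission to install other packages) can both be checked from a computer with adb. The script below is an added example, not code from the article, ZDNet or ThreatFabric. It parses the output of three real adb commands (`settings get secure enabled_accessibility_services`, `pm list packages -3`, and `dumpsys package <pkg>`), but the sample outputs embedded here are constructed and the package names in them are hypothetical; the ALLOWLIST of known-good accessibility services is an assumption you would fill in with the screen reader or similar tools you actually use.

```python
"""Audit accessibility-service grants and sideloading permissions from adb output.

Added example (not from the article or from ThreatFabric/ZDNet).  Inputs are
the text printed by:
    adb shell settings get secure enabled_accessibility_services
    adb shell pm list packages -3
    adb shell dumpsys package <pkg>
All samples below are constructed; package names are hypothetical.
"""

# Constructed sample of `settings get secure enabled_accessibility_services`.
# The value is a colon-separated list of flattened ComponentNames
# (package/ServiceClass), or the literal string "null" when none are enabled.
ENABLED_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.qrscanner/.AccessibilityHelperService"
)

# Constructed sample of `pm list packages -3` (third-party packages only).
THIRD_PARTY = """package:com.example.qrscanner
package:com.example.fitness
package:com.example.pdfscan
"""

# Constructed fragment of `dumpsys package com.example.qrscanner`.
DUMPSYS_QRSCANNER = """Packages:
  Package [com.example.qrscanner] (1a2b3c):
    userId=10234
    requested permissions:
      android.permission.INTERNET
      android.permission.CAMERA
      android.permission.REQUEST_INSTALL_PACKAGES
    install permissions:
      android.permission.INTERNET: granted=true
"""

# Assumption: accessibility services the user knowingly relies on (e.g. a screen
# reader).  Any other third-party app holding accessibility access is suspect.
ALLOWLIST = {"com.google.android.marvin.talkback"}

SIDELOAD_PERMISSION = "android.permission.REQUEST_INSTALL_PACKAGES"


def parse_enabled_services(raw: str) -> dict[str, list[str]]:
    """Map package name -> list of enabled accessibility service classes."""
    raw = raw.strip()
    result: dict[str, list[str]] = {}
    if not raw or raw == "null":
        return result
    for component in raw.split(":"):
        pkg, _, svc = component.partition("/")
        if pkg:
            result.setdefault(pkg, []).append(svc)
    return result


def parse_third_party(raw: str) -> set[str]:
    """Extract package names from `pm list packages -3` output."""
    return {
        line[len("package:"):].strip()
        for line in raw.splitlines()
        if line.startswith("package:")
    }


def requested_permissions(dumpsys: str) -> set[str]:
    """Collect the names listed under the 'requested permissions:' block."""
    perms: set[str] = set()
    in_block = False
    for line in dumpsys.splitlines():
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_block = True
            continue
        if in_block:
            if stripped.endswith(":"):  # next section header ends the block
                break
            if stripped:
                perms.add(stripped)
    return perms


def audit(a11y_raw: str, third_party_raw: str, dumpsys_by_pkg: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (finding_type, package, detail) tuples for the two warning signs."""
    findings: list[tuple[str, str, str]] = []
    third_party = parse_third_party(third_party_raw)
    for pkg, services in parse_enabled_services(a11y_raw).items():
        if pkg in third_party and pkg not in ALLOWLIST:
            findings.append(("accessibility", pkg, ", ".join(services)))
    for pkg, dump in dumpsys_by_pkg.items():
        if SIDELOAD_PERMISSION in requested_permissions(dump):
            findings.append(("sideload", pkg, SIDELOAD_PERMISSION))
    return findings


if __name__ == "__main__":
    for kind, pkg, detail in audit(ENABLED_A11Y, THIRD_PARTY, {"com.example.qrscanner": DUMPSYS_QRSCANNER}):
        print(f"[{kind}] {pkg}: {detail}")
```

On a real device you would feed the script the live output of the three adb commands rather than the constructed strings; a QR scanner or PDF app that shows up in either list is exactly the kind of mismatch between an app's purpose and its privileges that the article tells you to report.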

If you combine these strategies with other cybersecurity practices like using 2FA logins, using a password manager, and using an anti-malware app, you will be much better protected from bad actors and bad apps.

ZDNet