These dangerous Android apps can hijack your phone — what to do now

Green skull on smartphone screen.
(Image credit: Shutterstock)

Google has booted eight malicious Android apps from the Play Store that were designed to steal money from online financial accounts and take over smartphones, according to a new report from Israeli security firm Check Point.

The apps, listed below, snuck into Google Play through the front door. They didn't seem malicious when Google's malicious-app screening process evaluated them, Check Point said, because the apps' creators made sure the apps communicated only with Google's own Firebase cloud back-end servers, which are often used by smartphone apps.


Reader Offer: Save 68% on Aura identity theft protection

Reader Offer: Save 68% on Aura identity theft protection
Aura provides everything you need to protect your identity, data and devices online with malware protection, a password manager and a VPN all included. Tom's Guide readers can save up to 68% when they sign up.

Preferred partner (What does this mean?)

But once the apps were installed by users, Check Point said, they switched to communicating with GitHub, a code-sharing platform owned by Microsoft upon which anyone can post software and other items. 

Each app contained a hidden "dropper" designed to install more software, and those droppers downloaded the AlienBot banking Trojan from individual GitHub pages dedicated to each app. (Independent researchers at MalwareHunterTeam also posted about this on Twitter in late January.)

Check Point described AlienBot as "second-stage malware that targets financial applications by bypassing two-factor authentication codes for financial services." 

In other words, AlienBot — once installed — steals your online banking password and gets around the two-factor authentication (2FA) methods meant to protect against the use of stolen passwords. 

Even worse, said Check Point, AlienBot often installs the Android version of TeamViewer, a legitimate app that enables remote control of a smartphone (or a computer) from afar.

With TeamViewer installed, the bogus apps' creator(s) could have logged into victims' bank accounts at any time. 

"The hacker was able to leverage readily available resources to bypass Google Play Store's protections," said Check Point researcher Aviran Hazum. "The victims thought they were downloading an innocuous utility app from the official Android market, but what they were really getting was a dangerous Trojan coming straight for their financial accounts."

Check Point said it notified Google about these malicious apps on Jan. 28, and Google confirmed on Feb. 9 that all had been removed from Google Play.

How to remove malicious apps from your phone

Many people may still have these apps installed on their devices. Here's a chart showing the name of each app along with their unique Android application IDs, which are important because Android apps often share identical or very similar names.

Swipe to scroll horizontally
App nameApplication ID
BeatPlayercom.crrl.beatplayers
Cake VPNcom.lazycoder.cakevpns
eVPNcom.abcd.evpnfree
Music Playercom.revosleap.samplemusicplayers
Pacific VPNcom.protectvpn.freeapp
QR/Barcode Scanner MAXcom.bezrukd.qrcodebarcode
QRecordercom.record.callvoicerecorder
tooltipnatorlibrarycom.mistergrizzlys.docscanpro

To make sure you don't have any of these apps installed, scroll through your apps and see if anything has a name similar to one of those above. 

If so, then go to Settings > Apps & notifications. You may have to tap an extra button to see all your apps at once.

Scroll down to the suspicious app and tap it. On the app's screen, tap Advanced, then tap App Details.

You should be taken straight to the app's page in the Google Play app, which is really just a specialized web browser. Tap the three stacked dots in the upper right of the Google Play app page, then tap Share. 

A flyout window should appear at the bottom of the screen displaying the web address, or URL, for the app's Google Play store page. 

The last part of that URL, after the equal sign, is the app's application ID.

For example, when you look up the Facebook Android app in Google Play, the URL is "https://play.google.com/store/apps/details?id=com.facebook.katana." The application ID for the Facebook app is "com.facebook.katana".

If one of your apps has an application ID that matches one of the application IDs the chart above, then you'll have to remove it.

Tap the back button to get out of the flyout window on the app's Google Play page. Then tap Uninstall to get rid of the app.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.