Nasty Android apps that steal credit cards and passwords downloaded 60 million times

Your Android device may be among the millions potentially compromised by a widespread malware campaign that has already infiltrated over 331 applications available on the Google Play Store, according to security experts. These malicious applications pose a significant threat, capable of stealing sensitive information such as passwords and credit card details. Alarmingly, cybercriminals have developed techniques to conceal app icons on devices, a feat that should be impossible on Android 13 or newer versions.


Understanding the Threat Landscape

Researchers from Bitdefender and IAS Threat Lab, who uncovered this extensive operation, have provided insights into how users can protect their personal data and eliminate these harmful applications. The Google Play Store, which serves as the primary platform for downloading Android apps and games, conducts daily scans of over 125 billion applications to identify and remove harmful software. Despite these efforts, experts indicate that the malware campaign remains active, with many of the identified malicious apps boasting millions of downloads globally.

In total, these malware-infested applications have accumulated over 60 million downloads worldwide. They often masquerade as benign utility applications, including QR code scanners, expense trackers, health and fitness tools, wallpaper utilities, PDF readers, horoscopes, and even flashlight apps. These deceptive applications generate revenue for cybercriminals by displaying full-screen advertisements, even when not actively in use, and without the necessary permissions typically required.

The sophistication of these malicious apps extends to their ability to bypass Android security measures. They employ various tactics to remain undetected, including hiding their icons from the device’s launcher and initiating without any user interaction—an action that should be impossible on Android 13 or later. Experts at Bitdefender suggest that this campaign may be orchestrated by a single individual or a group of criminals utilizing the same packaging tools available on black markets.

How these malicious apps disguise themselves as legitimate applications

Detailing the timeline of their investigation in a recent blog post, Bitdefender researchers noted that most of the compromised applications first appeared on Google Play in the third quarter of 2024. Initially, these applications were benign, lacking any malware components. However, malicious behavior was introduced in subsequent updates, with the latest malware emerging in the first week of March 2025. Even after the investigation concluded, 15 applications remained available for download on the Play Store.

If you’ve recently downloaded utility apps with straightforward functionalities, your device may be at risk. Here are some recommended actions to take if you suspect that you have installed one of these harmful applications:

  • Review your recently installed utility apps and delete any that you do not actively use.
  • Look for signs of infection, such as unexpected advertisements, device lag, overheating, or unusual data usage while idle.
  • Ensure that Google Play Protect is enabled and refrain from disabling it to install any applications.
  • Update your device to the latest version of Android, as older versions are more susceptible to attacks.
  • Avoid downloading free, trivial apps that could serve as bait for attackers.

In addition to generating ad revenue for cybercriminals, some of these applications are designed to steal user credentials through phishing attacks. They achieve this by displaying counterfeit login pages for popular services like Facebook and YouTube, tricking users into entering their information, which is then sent directly to hackers. Other apps in this campaign attempt to instill fear in users, convincing them that their devices are infected and pressuring them to install additional harmful applications.

The campaign appears to have originated in April 2024, with a significant expansion occurring at the end of last year. Over 140 fraudulent applications were added to the Google Play Store during October and November alone. The deceptive nature of these apps lies in their initial submission to the Play Store without any malicious code, allowing them to pass Google’s stringent security checks effortlessly. Once established, they were later updated with harmful components.

These apps utilize advanced methods to remain concealed on devices, including disabling the Launcher Activity by default and employing native code to temporarily activate it. After setup, the app deactivates its launchers, rendering the icon invisible from the phone’s launcher. Some applications even leverage the Android Leanback Launcher, typically reserved for Android TV, to further evade detection.
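As an added example (not code from Bitdefender or the article), a small triage script that checks a decoded AndroidManifest.xml for the two icon-hiding patterns described above: a MAIN/LAUNCHER activity shipped disabled, and a LEANBACK_LAUNCHER entry on a phone app. The package and activity names and the sample manifest are constructed, and the script assumes the manifest has already been decoded from binary XML to text (for example with apktool).

```python
# Added triage check (not Bitdefender's code): flag the launcher-hiding patterns
# the article describes in a decoded AndroidManifest.xml. Package, activity
# names and the sample manifest below are constructed, not from real apps.
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
MAIN = "android.intent.action.MAIN"
LAUNCHER = "android.intent.category.LAUNCHER"
LEANBACK = "android.intent.category.LEANBACK_LAUNCHER"


def launcher_findings(manifest_xml: str) -> list[str]:
    """Return findings about how the app exposes (or hides) its home-screen icon."""
    root = ET.fromstring(manifest_xml)
    findings, visible_launcher = [], False
    for act in root.iter("activity"):
        name = act.get(NS + "name")
        actions = {a.get(NS + "name") for a in act.iter("action")}
        cats = {c.get(NS + "name") for c in act.iter("category")}
        if MAIN in actions and LAUNCHER in cats:
            if act.get(NS + "enabled") != "false":
                visible_launcher = True
            else:
                # Launcher entry shipped disabled: the app can enable it briefly at
                # runtime and disable it again, leaving no icon on the launcher.
                findings.append(f"{name}: MAIN/LAUNCHER activity disabled by default")
        if LEANBACK in cats:
            # Leanback is the Android TV launcher; a phone utility has no reason to use it.
            findings.append(f"{name}: declares LEANBACK_LAUNCHER on a phone app")
    if not visible_launcher:
        findings.append("no enabled MAIN/LAUNCHER activity: app installs without a visible icon")
    return findings


SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.qrscan">
  <application>
    <activity android:name=".HiddenMain" android:enabled="false">
      <intent-filter><action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/></intent-filter>
    </activity>
    <activity android:name=".TvEntry">
      <intent-filter><action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LEANBACK_LAUNCHER"/></intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(*launcher_findings(SAMPLE_MANIFEST), sep="\n")
```

A manifest with an ordinary enabled MAIN/LAUNCHER activity and no Leanback category produces no findings, so the script can be run over every decoded APK on a device and only the outliers need a closer look.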

Currently, the majority of victims are located in Brazil, followed by the United States, Mexico, Turkey, and South Korea. While Google has successfully removed many of the identified apps from the Play Store, security researchers caution that some remain active and accessible for download. For those who have already installed these dangerous applications, removal from the store does not remove the app from the device; users must take action themselves.

Silviu Stahie, a Security Analyst at Bitdefender, remarked, “The campaign has been active for months, and it’s evident that the concealment methods are evolving in real-time. The attackers have grown sufficiently confident to push updates for these apps and will likely attempt to modify the malware further in their efforts to escape detection.”

In the latest developments, Bitdefender has informed Google of their findings, and the company is currently investigating the reported issues. Although researchers have identified 331 malicious apps in total, a comprehensive list of all application names involved in the campaign has not yet been released. Notably, two applications specifically mentioned from the most recent batch uploaded to the store on March 4 are “Dropo” and “Handset Locator.” While Google has removed the majority of the identified apps, users who have already installed them continue to face risks, as these apps communicate through encrypted channels and employ anti-analysis mechanisms to evade detection.
