According to ThreatFabirc researchers, over 300,000 Android users have downloaded multiple banking Trojans.

These banking Trojans, fitness monitors and cryptocurrency apps disguised as QR code readers steal users “passwords. These Trojans include Anatsa, which was installed by over 200,000 Android users, Alien, which was installed by 95,000 Android users, Hydra and Ermac, which together had more than 15,000 downloads. It is important to note that these malware families are hidden and only take effect once an app is installed, which allows them to bypass Play Store detection.

In the study of the four malware families, Anatsa is considered the most productive and described as an “advanced” banking trojan.

Anatsa is able to steal usernames and passwords, use access logs to capture everything that appears on a user’s screen, and record all the information that is entered on the phone. Applications that embed the malware include QR code scanners, PDF scanners, and cryptocurrency apps.

Alien malware, another banking trojan, can steal two-factor authentication. Apps that embed this malware include a gym app. Hydra and Ermac have both been linked to Brunhilda, a cybercriminal group that specializes in infecting Android devices with banking malware.