The BankBot trojan, used to access banking and financial information, has been discovered to target hundreds of apps in the Google Play store.

Security researcher Niels Croese, when studying the code for the BankBot malware, uncovered a list of apps targeted by hackers and found that more than 400 Google Play apps were included.

The malware was traced back to the app Funny Videos 2017, available until recently on the Google Play store. Users downloading Funny Videos would inadvertently download the BankBot malware as well; the malware would then begin a program of phishing for internet banking and credit card access credentials.

It is believed that the malware was added to the Funny Videos 2017 app with the April 8 update. The list of targeted apps was particularly difficult to uncover, as it was guarded from study with DexProtector.

In order to gain access to the list of targeted apps, Croese had to first undo the obfuscation program created with DexProtector, gaining server data, and running the program to uncover the list.

With the most recent update, it is now known that BankBot targets far more apps than previously suspected and includes new Dutch targets including ABN, ASN, Regiobank and Binck.

The banking trojan, discovered earlier this year, appeared to be on hiatus for several months prior to the latest discovery. Once installed, BankBot gains access privileges, and deletes its icon from the home screen. Running behind the scenes, it communicates with a command and control (C&C) server. BankBot starts by checking the device for banking apps and prompting the user to enter login credentials on a faked prompt screen. The malware also phishes for credit card information that, when accessed, is sent back to the C&C server.

Prior to its removal from the Google Play store, the Funny Videos app was shown to have 1-5,000 downloads.  And while Funny Videos has been removed from the Google Play store, it is unknown whether other, benign-looking apps may be infected with BankBot or similar Trojans.

Mobile users are encouraged to only download apps from trusted sources, and to run mobile threat protection scans regularly to help protect personal information and credentials.