Vapor: Android malware that steals banking data and how to avoid it

  • Vapor has infected more than 60 million Android devices through malicious apps.
  • This malware displays intrusive ads and steals banking credentials through phishing.
  • It hides in the system by removing its icon and disguising itself as legitimate apps.
  • Staying safe involves checking permissions, using security tools, and updating your system.


In recent months, a new malware has compromised the security of millions of Android devices. It is 'Vapor', a massive malware campaign that has managed to infiltrate devices through seemingly harmless applications. This malware not only displays invasive advertising, but is also designed to steal bank credentials and personal data, making it a serious threat to Android mobile users.

Although Google has taken steps to remove the affected apps from the Play Store, the cybercriminals behind this malware have demonstrated the ability to evade security systems and continue distributing new variants. In this article, we'll take an in-depth look at what 'Vapor' is, how it spreads, what damage it can cause, and, most importantly, how you can protect yourself from this growing threat.

What is Vapor and how does it affect Android devices?

'Vapor' is a malware campaign that has managed to infiltrate more than 60 million Android devices through apps distributed on the official Google Play store. This type of malware has two main objectives:

  • Generating fraudulent income through forced viewing of ads.
  • Stealing login credentials, banking details and other personal information using advanced phishing and obfuscation techniques.

Most worrying is that this malware has been designed with enough sophistication to bypass Google's security controls, allowing more than 300 malicious applications to be downloaded by millions of users who did not suspect that they were installing fraudulent software.


How is it distributed and how does it deceive users?

Cybercriminals have used a very effective strategy to distribute 'Vapor'. The infected apps initially contain no malicious code, allowing them to bypass Google Play's verification. However, once installed on the device, these apps download their malicious payload from an external server, which triggers their fraudulent behavior.

These applications are often disguised as legitimate tools such as:

Some of the apps that have been identified as part of the 'Vapor' campaign include:

  • AquaTracker – 1 million downloads
  • ClickSave Downloader – 1 million downloads
  • Scan Hawk – 1 million downloads
  • Water Time Tracker – 1 million downloads
  • Be More – 1 million downloads
  • BeatWatch – 500,000 downloads
  • TranslateScan – 100,000 downloads
  • phone locator – 50,000 downloads

How 'Vapor' works on infected devices

One of the most worrying aspects of the 'Vapor' malware is its ability to hide from the user. To avoid detection and removal, the malware uses several advanced techniques:

  • Removes its icon from the home screen after installation.
  • Renames itself as a legitimate application (for example, “Google Voice”) to avoid raising suspicions.
  • Exploits vulnerabilities in Android to disable the “Back” button and prevent users from closing the application.
  • Hides its activity in the recent tasks list, making it difficult to detect.

Theft of credentials and banking data

In addition to generating fraudulent revenue through ads, 'Vapor' takes the threat a step further by displaying fake login screens from popular apps like Facebook, YouTube, and banking services. Users enter their credentials believing they're accessing their real accounts, when in fact, they're sending their information to cybercriminals.

Attempts to trick users into entering their credit card details under various pretexts, such as "security verification" or "access to premium features," have also been detected.

How to protect yourself from 'Vapor' and similar malware

Although Google has removed the malicious apps from the Play Store, the criminals behind 'Vapor' have demonstrated they can bypass detection systems and continue distributing new threats. To avoid infections, follow these recommendations:

  • Avoid installing unnecessary applications and carefully review the ratings and permissions before downloading any app.
  • Be wary of apps that request excessive permissions. If a notes app asks for access to your text messages or contacts, that's a red flag.
  • Use security tools such as Google Play Protect or a trusted antivirus to detect suspicious behavior.
  • Check which applications you have installed on the system and make sure there are no suspicious names or apps you don't remember downloading.
  • Keep the operating system and applications updated to prevent the exploitation of vulnerabilities.
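
As an added example (not from the original article): a shell helper for the "check which applications you have installed" step that targets the icon-hiding behavior described above. It compares the user-installed package list with the packages that still expose a launcher icon; the helper names, the `com.example.*` package names and the sample adb output are constructed for illustration.

```sh
#!/bin/sh
# Triage helper: list user-installed packages that expose no launcher icon.
# Many legitimate packages (keyboards, widgets, plugins) also have none, so
# treat the output as a review list, not a verdict.

# Run with the phone attached over USB debugging; saves raw adb output.
collect() {
  adb shell pm list packages -3 > "$1"
  adb shell cmd package query-activities --brief \
    -a android.intent.action.MAIN -c android.intent.category.LAUNCHER > "$2"
}

# hidden_packages PKG_FILE LAUNCHER_FILE
# Prints third-party packages that have no enabled launcher activity.
hidden_packages() {
  _pk=$(mktemp); _la=$(mktemp)
  # "package:com.foo" -> "com.foo"
  tr -d '\r' < "$1" | sed -n 's/^package://p' | LC_ALL=C sort -u > "$_pk"
  # "    com.foo/.MainActivity" -> "com.foo" (lines without "/" are skipped)
  tr -d '\r' < "$2" |
    sed -n 's|^[[:space:]]*\([A-Za-z0-9_.][A-Za-z0-9_.]*\)/.*$|\1|p' |
    LC_ALL=C sort -u > "$_la"
  LC_ALL=C comm -23 "$_pk" "$_la"
  rm -f "$_pk" "$_la"
}

# Constructed sample output (package names are made up for illustration).
sample_run() {
  _d=$(mktemp -d)
  cat > "$_d/pkgs.txt" <<'EOF'
package:com.example.notes
package:com.example.watertracker
package:com.example.qrscan
EOF
  cat > "$_d/launch.txt" <<'EOF'
2 activities found:
  Activity #0:
    priority=0 preferredOrder=0 match=0x108000 specificIndex=-1 isDefault=true
    com.example.notes/.MainActivity
  Activity #1:
    priority=0 preferredOrder=0 match=0x108000 specificIndex=-1 isDefault=true
    com.example.qrscan/com.example.qrscan.ui.Home
EOF
  hidden_packages "$_d/pkgs.txt" "$_d/launch.txt"
  rm -rf "$_d"
}

sample_run   # prints: com.example.watertracker
```

On a real device, run `collect pkgs.txt launch.txt` followed by `hidden_packages pkgs.txt launch.txt`, then review each listed package in Settings > Apps.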

'Vapor' has become one of the most advanced and widespread malware campaigns within the Android ecosystem. Its ability to infiltrate seemingly legitimate applications, evade security controls, and steal personal data makes it a significant threat to millions of users. The best defense against this type of attack is caution: always review applications before installing them and avoid granting unnecessary permissions. Share the information and alert more users about this malware.