Vapor: The banking credential-stealing malware on Android and how to protect yourself

  • Vapor is a sophisticated malware distributed through more than 330 legitimate-looking apps on Google Play.
  • Double threat: it bombards you with fraudulent ads and steals banking credentials using advanced phishing techniques.
  • Advanced hiding methods: invisible icons, fake app names, and blocking overlays make the apps difficult to detect and remove.


Android is the most widely used operating system globally and, as such, is becoming a key target for increasingly sophisticated malware campaigns. One of the most recent and massive attacks has been carried out by Vapor, a malware family that has already infected more than 60 million Android devices, using hundreds of applications that were distributed even through the official Google Play store.

This threat stands out for its ability to infiltrate seemingly harmless applications and then bombard the user with fraudulent ads, steal access credentials and, most worryingly, bank and credit card data. Throughout this article, we carry out an exhaustive analysis of how Vapor works, its evasion methods, the risks it poses to users' financial security, and best practices for protection in today's mobile threat landscape.


What is Vapor malware and how does it infect Android?

Vapor is a highly organized and sophisticated malware campaign that has been identified in more than 330 malicious apps uploaded to the Google Play Store. Initially, these apps appeared to be legitimate, acting as useful tools in categories such as health and fitness, QR code readers, battery optimizers or note managers. Thanks to that appearance, they managed to pass Google Play's security controls, since at the time of analysis they did not contain any type of malicious code.

The real threat was activated later: once the application was installed and received updates from remote servers, it downloaded and executed the malicious code necessary to deploy its hidden functionalities. This way, Vapor has managed to efficiently bypass the official store's review and protection systems, generating a huge attack surface in a short time.

Some of the most popular apps that spread Vapor include:

  • AquaTracker – 1 million downloads
  • ClickSave Downloader – 1 million downloads
  • Scan Hawk – 1 million downloads
  • Water Time Tracker – 1 million downloads
  • Be More – 1 million downloads
  • BeatWatch – 500,000 downloads
  • TranslateScan – 100,000 downloads
  • Handset Locator – 50,000 downloads

To increase their persistence and make tracking more difficult, the attackers used multiple developer accounts and different ad SDKs in each app. This tactic ensured that the deletion of a single account would not invalidate all their creations, and it made mass detection by Google more difficult.


Advanced Concealment and Attack Methods: How Vapor Defeats Defenses

One of Vapor's greatest threats lies in its extraordinary ability to hide in plain sight and operate unsuspected on infected devices. Among the most notable techniques employed by this malware are:

  • Disabling the icon on the home screen: By modifying the AndroidManifest.xml file, the app removes its icon after installation, making it invisible to the user in the app drawer.
  • Name change: In some cases, malicious apps were renamed as well-known applications such as “Google Voice” or similar, increasing the difficulty in identifying them.
  • Full Screen Ad Overlay: The malware leverages permissions like SYSTEM_ALERT_WINDOW to display intrusive ads on top of any other app, even blocking the back button and preventing the user from closing or going back to the app.
  • Deleting recent app history: The malware disappears from view in the list of recently opened applications, making it difficult for the user to identify it or force-close it manually.

These techniques, together with the use of hidden components and native code, make Vapor work as real “adware” and, in its most dangerous versions, as a highly effective phishing tool. In addition, not all malicious payloads are activated at the same time: attackers can remotely update the malware's behavior to adapt to new vulnerabilities or to incorporate new evasion techniques.

Ad fraud and credential theft: Vapor's double-edged sword

The initial objective of many Vapor variants is monetization through unauthorized and invasive ads. According to Bitdefender and IAS analysis, this malware has been able to generate more than 200 million fraudulent advertising requests daily, becoming a parallel source of income for cybercriminals through adware.

However, the impact of Vapor-affected apps goes far beyond advertising. Several samples have been specifically designed to steal login credentials and banking data. For a deeper dive into how these attacks can be detected and prevented, see "How to easily detect malware on your Android".

  • Fake login screens: Some apps display interfaces identical to services like Facebook or YouTube, tricking users into entering their real data, which is then sent to attackers.
  • Requests for bank details: Using pretexts such as "security verification," some variants persuade users to reveal information such as their PIN, card number, CVV, or online banking passwords.
  • Theft of additional financial information: Attackers can ask users to enter codes received via SMS or additional details to bypass two-factor authentication and even drain bank accounts.

Once stolen, the data can be used for financial fraud, phishing schemes, or sold on the dark web. All of this happens without the user suspecting anything, as the application continues to function apparently normally.

Vapor in the context of current threats: banking Trojans and new variants

Although Vapor has been one of the most significant malware campaigns on Android in recent times, it is not an isolated threat. The exponential growth of attacks aimed at stealing banking credentials and personal data is a clear trend worldwide, with successive campaigns combining social engineering, phishing, and advanced permission exploitation. Learn more about the XHelper threat and how it affects Android devices.

Statistics from cybersecurity firms such as Kaspersky and ESET reflect a dramatic increase in mobile banking and adware Trojans. More than 33 million smartphone attacks have been reported in the last year, with banking Trojans responsible for an increase of over 190%. Furthermore, new malware families such as BankBot, Crocodilus, NGate and SuperCard exhibit similar techniques to Vapor, hiding behind legitimate apps, using screen overlays to steal data, and in some cases even relaying NFC data to empty ATMs or make fraudulent contactless payments.

The common denominator of all these campaigns is the sophistication of the techniques used and the ease with which they are disseminated through official channels and messaging, which requires a much higher level of caution and cybersecurity education on the part of users.


How to know if you are infected and steps to remove Vapor malware

Detecting the presence of Vapor may not be easy, since many of its applications eliminate any visible trace in the system interface. However, there are warning signs that should put us on guard:

  • Unexpected full-screen advertising, even when you don't have any apps open.
  • Icons of newly installed apps that disappear or do not appear in the main menu.
  • Device slowdown, overheating, or high battery consumption.
  • Unusual requests for sensitive permissions by apps that shouldn't need them.
  • Redirects to fake login pages or requests for banking data outside of official channels.

If you detect any of these behaviors, it is essential to:

  1. Review all installed applications from Settings → Apps → See all apps. Remove any suspicious apps, apps with strange names, or apps without a visible icon on the home screen.
  2. Perform a full scan with Google Play Protect or with a trusted antivirus solution, such as Kaspersky, Bitdefender, or ESET.
  3. Update the operating system and official apps to correct possible vulnerabilities.
  4. Change all relevant passwords and, if you have entered bank details, contact your bank to alert them about the possible compromise.

How to protect your Android from malware like Vapor and other banking Trojans

Avoiding Vapor infections, banking Trojans, and other similar variants requires a proactive security strategy. Experts recommend:

  1. Download apps only from trusted sources: While Google Play isn't foolproof, it's still safer than third-party stores. Pay close attention to ratings, download counts, and reviews before installing any app.
  2. Check all requested permissions: If an app requests more permissions than necessary—especially access to SMS, contacts, accessibility services, or SYSTEM_ALERT_WINDOW—be suspicious and investigate before accepting.
  3. Uninstall unnecessary apps or apps from little-known developers and keep only those you really need.
  4. Always apply available security updates for the operating system and critical applications. Many vulnerabilities are addressed with these patches.
  5. Use anti-malware security solutions and keep them updated; both Google Play Protect and third-party antivirus add extra layers of protection.
  6. Compare installed apps with visible ones in the device's main menu, as some Vapor variants remove their visual presence to go unnoticed.
  7. Never provide bank details or credentials outside of your bank's official channels or legitimate services.
  8. Disable advanced features like NFC when not in use and avoid providing unnecessary accessibility permissions.
  9. Educate family and the people around you about the risks: cybersecurity education remains the best defense against current threats.
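
The comparison between installed and visible apps (recommendation 6, and step 1 of the removal procedure) can be done from a computer with adb instead of by eye. The following is an added example, not code from the original article or from any vendor: it lists user-installed packages that own no launcher icon and marks those that also request permissions the article singles out. The package names and sample outputs are constructed, and the layout of the adb output is an assumption.

```python
import re

# Constructed sample inputs (not from a real device). With adb they would come from:
#   adb shell pm list packages -3
#   adb shell cmd package query-activities --components \
#       -a android.intent.action.MAIN -c android.intent.category.LAUNCHER
#   adb shell dumpsys package <package>    ("requested permissions:" section)
# The exact layout of the query output is an assumption; only lines of the
# form package/activity are used, anything else is ignored.
PM_LIST = """package:com.example.notes
package:com.example.qrscan
package:com.example.waterlog
"""
LAUNCHER_QUERY = """com.example.notes/.MainActivity
"""
REQUESTED = {
    "com.example.notes": {"android.permission.INTERNET"},
    "com.example.qrscan": {"android.permission.INTERNET",
                           "android.permission.SYSTEM_ALERT_WINDOW"},
    "com.example.waterlog": {"android.permission.INTERNET"},
}
# Permissions the article singles out as worth questioning.
SENSITIVE = {"android.permission.SYSTEM_ALERT_WINDOW", "android.permission.READ_SMS",
             "android.permission.RECEIVE_SMS", "android.permission.READ_CONTACTS"}
COMPONENT = re.compile(r"^\s*([A-Za-z0-9_.]+)/[A-Za-z0-9_.$]+\s*$")

def installed_packages(pm_output):
    """Package names from 'package:<name>' lines."""
    return {line.split(":", 1)[1].strip()
            for line in pm_output.splitlines() if line.startswith("package:")}

def launcher_packages(query_output):
    """Packages owning at least one MAIN/LAUNCHER activity (a visible icon)."""
    matches = (COMPONENT.match(line) for line in query_output.splitlines())
    return {m.group(1) for m in matches if m}

def triage(pm_output, query_output, requested):
    """Return (package, sensitive permissions) for user apps with no icon."""
    hidden = installed_packages(pm_output) - launcher_packages(query_output)
    return [(pkg, sorted(requested.get(pkg, set()) & SENSITIVE))
            for pkg in sorted(hidden)]

if __name__ == "__main__":
    for pkg, perms in triage(PM_LIST, LAUNCHER_QUERY, REQUESTED):
        print(pkg, "REVIEW FIRST" if perms else "no icon", perms)
```

Some legitimate apps (keyboards, widgets, background services) also have no launcher icon, so a hit is a reason to look at the app, not proof of infection.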