
More than 90 malicious Android apps were found on Google Play with 5.5 million installs

More than 90 malicious Android apps, installed over 5.5 million times in total, have been found on Google Play delivering malware and adware, with activity from the Anatsa banking Trojan picking up recently.

Anatsa (also known as “Teabot”) is a banking Trojan that targets over 650 applications of financial institutions in Europe, the US, the UK and Asia. It attempts to steal online banking credentials in order to carry out fraudulent transactions.

In February 2024, ThreatFabric reported that since late last year Anatsa had caused at least 150,000 infections via Google Play using various decoy apps in the productivity software category.

Today, Zscaler reports that Anatsa has returned to the official Android app store and is now distributed via two decoy apps: “PDF Reader and File Manager” and “QR Reader and File Manager.”

Anatsa dropper applications
source: Zscaler

At the time of Zscaler’s analysis, both apps had already accumulated 70,000 installs, indicating a high risk of malicious apps slipping through the gaps in Google’s verification process.

One thing that helps Anatsa dropper apps avoid detection is their multi-step payload loading mechanism, which consists of four distinct steps:

  • The dropper application downloads the configuration and necessary strings from the C2 server
  • A DEX file containing the malicious dropper code is downloaded and activated on the device
  • A configuration file holding the Anatsa payload URL is downloaded
  • The DEX file downloads and installs the malware payload (APK), completing the infection

Steps to load malware
source: Zscaler

The DEX file also performs anti-analysis checks to ensure that malware is not executed in sandboxes or emulation environments.

Once Anatsa launches on a newly infected device, it uploads the bot configuration and the results of its scan of installed applications, then downloads injections matching the victim’s location and profile.

Data exchange between malware and the C2 module
source: Zscaler

Other Google Play threats

Zscaler says it has also discovered over 90 malicious apps on Google Play over the past few months, which have been installed a total of 5.5 million times.

Most malicious apps impersonate utilities, personalization apps, photography tools, productivity apps, and health and fitness apps.

The five malware families dominating the scene are Joker, Facestealer, Anatsa, Coper, and various adware.

Google Play malware (left) and dropper app types (right)
source: Zscaler

Although Anatsa and Coper account for only 3% of all malicious downloads from Google Play, they are far more dangerous than the rest because they can commit fraud from the infected device and steal sensitive information.

When installing new apps from Google Play, review the requested permissions and deny those tied to high-risk capabilities such as the Accessibility Service, SMS, and contact-list access.
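The review described above can be scripted for a decoded AndroidManifest.xml (for example one produced by apktool). The following is an added example, not Zscaler’s or Google’s code; the package name, service name and manifest contents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions behind the high-risk capabilities named in the article:
# the Accessibility Service, SMS, and the contact list.
HIGH_RISK = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "Accessibility Service",
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.READ_CONTACTS": "contact list",
}


def high_risk_permissions(manifest_xml: str) -> dict:
    """Return {permission: category} for every high-risk permission the
    manifest requests, either as a <uses-permission> entry or as the
    permission guarding a <service> (how accessibility services are declared)."""
    root = ET.fromstring(manifest_xml)
    found = {}
    for el in root.iter("uses-permission"):
        name = el.get(f"{{{ANDROID_NS}}}name")
        if name in HIGH_RISK:
            found[name] = HIGH_RISK[name]
    for svc in root.iter("service"):
        perm = svc.get(f"{{{ANDROID_NS}}}permission")
        if perm in HIGH_RISK:
            found[perm] = HIGH_RISK[perm]
    return found


# Constructed manifest for a fictitious "file manager" app (not a real sample).
# A file manager has no plausible need for SMS, contacts or accessibility access.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.filemanager">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="File Manager">
        <service android:name=".HelperService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    </application>
</manifest>"""

if __name__ == "__main__":
    for perm, category in sorted(high_risk_permissions(SAMPLE_MANIFEST).items()):
        print(f"{category:22} {perm}")
```

Any hit should be weighed against what the app claims to do; a PDF or QR reader requesting SMS or accessibility access is the pattern the article describes.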

Researchers did not reveal the names of the more than 90 apps or whether they had been reported to Google for removal.

However, as of this writing, the two Anatsa dropper apps detected by Zscaler have been removed from Google Play.