
Google Play contains over 90 malware-infected apps that have been installed over 5.5 million times

Disturbing discovery: More than 90 malicious Android apps have been identified on Google Play and have been downloaded more than 5.5 million times in total.

Among them, the Anatsa banking trojan has seen a significant increase in activity, posing a serious threat to users around the world.

Anatsa banking trojan: a growing threat

(Photo by Árpád Czapp on Unsplash)

A cybersecurity report from Zscaler has confirmed that almost 100 Android apps are infected with the Anatsa malware. Some of them have over 5.5 million installs.


Anatsa, also known as “Teabot”, is a sophisticated banking Trojan that attacks over 650 financial applications in Europe, the United States, the United Kingdom and Asia. The purpose of this malware is to steal online banking credentials to facilitate fraudulent transactions.

Recently, Zscaler observed the re-emergence of Anatsa on the official Android app store in the form of two seemingly innocuous apps: “PDF Reader and File Manager” and “QR Reader and File Manager.”

Three months ago, ThreatFabric reported a significant increase in Anatsa infections, with at least 150,000 devices compromised through various decoy apps on Google Play.


Anatsa’s deceptive distribution tactics

By the time Zscaler conducted its analysis, these two apps already had 70,000 installs. This highlights the ongoing risk of malicious apps bypassing Google’s review process.

According to Bleeping Computer, Anatsa’s evasion strategy relies on a multi-stage payload mechanism consisting of four distinct steps.

  • Initial configuration download: The dropper application downloads configuration data and the strings it needs from its command and control (C2) server.
  • Malicious code activation: The DEX file containing the dropper code is downloaded and activated on the infected device.
  • Payload configuration download: A configuration file containing the URL of the Anatsa payload is downloaded.
  • Malware installation: The DEX file downloads and installs the malware payload (APK), completing the infection.

The DEX file also performs anti-analysis checks to avoid detection in sandbox or emulation environments.

Once activated, Anatsa uploads the bot configuration and application scan results, and then downloads specific injections tailored to the victim’s location and profile.

Anatsa is not the only threat in Google Play apps

In addition to Anatsa, Zscaler has discovered over 90 other malicious apps on Google Play over the past few months. These apps, masquerading as tools, personalization apps, photography tools, productivity software, and health and fitness apps, have racked up millions of downloads.

The five dominant malware families identified are Joker, Facestealer, Anatsa, Coper and various adware. Although Anatsa and Coper make up only 3% of all malicious downloads, they are particularly dangerous because they can perform on-device fraud and steal sensitive information.

How to stay safe from Anatsa-infected apps

To protect against these threats, users should be careful when installing new apps from Google Play. It is very important to check the permissions required by the app and disallow those related to high-risk activities such as Accessibility Service, SMS and contact list access.
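As an added illustration of that advice (example code written for this article, not from Zscaler's report), the script below scans a decoded AndroidManifest.xml for the permission categories named above and for a declared Accessibility Service. The sample manifest is constructed; the permission list also includes REQUEST_INSTALL_PACKAGES, which the dropper's final stage (installing an APK) requires.

```python
"""Flag high-risk Android permissions in a decoded AndroidManifest.xml."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"          # android:name in Clark notation
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"  # android:permission

# Permission categories the article flags, plus the APK-install permission
# a dropper needs for its final stage.
HIGH_RISK_PERMISSIONS = {
    "android.permission.READ_SMS": "SMS access (can read one-time codes)",
    "android.permission.RECEIVE_SMS": "SMS access (can intercept one-time codes)",
    "android.permission.SEND_SMS": "SMS access (can send messages)",
    "android.permission.READ_CONTACTS": "contact list access",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install further APKs",
}
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def find_high_risk(manifest_xml: str) -> list[str]:
    """Return one finding string per high-risk permission or accessibility service."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for node in root.iter("uses-permission"):
        name = node.get(NAME_ATTR, "")
        if name in HIGH_RISK_PERMISSIONS:
            findings.append(f"{name}: {HIGH_RISK_PERMISSIONS[name]}")
    # An accessibility service is not a <uses-permission>; it is a <service>
    # protected by BIND_ACCESSIBILITY_SERVICE, so check services separately.
    for service in root.iter("service"):
        if service.get(PERMISSION_ATTR) == ACCESSIBILITY_PERMISSION:
            findings.append(f"{service.get(NAME_ATTR)}: declares an Accessibility Service")
    return findings


# Constructed sample: a "PDF reader" that asks for SMS and install rights
# and registers an accessibility service (hypothetical package name).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.pdfreader">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="PDF Reader">
        <service android:name=".AccessibilityHelper"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    </application>
</manifest>"""

if __name__ == "__main__":
    for finding in find_high_risk(SAMPLE_MANIFEST):
        print("HIGH RISK:", finding)
```

A decoded manifest can be obtained from an APK with apktool; the binary manifest inside the APK must be decoded before it is parsed as XML.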

While Zscaler did not reveal the names of all 90+ malicious apps, the identified Anatsa dropper apps have already been removed from Google Play.


ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.